Network Audit Presentation to Caregroup Healthcare System - PowerPoint PPT Presentation

Slides: 17
Provided by: Call83

1
Network Audit Presentation to Caregroup
Healthcare System
  • October 2002
  • Callisma

2
Agenda
  • Project Scope
  • Summary of Findings
  • Current Architecture
  • Recommendations

3
Project Scope
  • To include but not be limited to:
      • Network Configuration
      • Configuration Management
      • Backup Strategies
      • Redundant Sites, Servers and tools
      • Security

4
Deliverables
  • MSWord document: network audit findings and
    recommendations
  • Visio document: network diagrams
  • Excel documents: VLAN details and hardware
    inventories
  • Callisma project book
  • Engagement definition
  • Project plan
  • Status reports
  • Customer documentation
  • Design documentation
  • Copies of presentations

5
Current Network

6
Environment Overview
  • Network
      • 90 Routers (Core, and Access Layers)
      • 500 Routes in most tables on core routers
      • 140 Virtual LANs (VLANs)
      • 15 VLANs spanning cross campus
      • 22,000 Nodes (Desktops, printers, other devices)
  • Security
      • Access-list based security solution only
        (including Internet Security)
  • Network Management
      • Currently 375 devices managed by a combination
        of InterMapper, CiscoWorks, and VitalSuite
      • Up-down status ping/polling only

7
Key Findings
  • Network Infrastructure
      • Existing Network Routing/Switching infrastructure
        is aging, under-powered, and near end-of-life.
      • There are several key single points of failure in
        the network infrastructure.
      • Existing Network makes extensive use of Bridging
        and VLAN Trunking. Spanning Tree Protocol (STP),
        a layer 2 (non-routed) protocol, is configured on
        a per-VLAN basis. Spanning Tree reconvergence has
        been known to create instability in large,
        complex networks. This may be the primary cause
        of the ongoing network issues Caregroup is
        experiencing.
      • OSPF (Open Shortest Path First) Routing
        architecture is not optimized. Remote sites are
        configured as an extended core. Local events may
        trigger network-wide reconvergence.
      • Remote sites contain large routing tables due to
        inconsistent configurations. These configurations
        may also trigger network reconvergence.
      • Due to inconsistent configurations and a lack of
        network segmentation, troubleshooting is extremely
        difficult!!

8
Key Findings (Continued)
  • Network Management
      • Not all device configurations are properly
        archived, limiting device recovery capabilities
      • Events are not isolated or detected most
        effectively. There are too many false positive
        fault notifications.
      • Capacity planning capabilities are limited due to
        a lack of analysis of performance metrics such as
        buffer failures, peak utilizations and errors.
      • Inventory databases are not consistent across the
        different management tools (InterMapper,
        CiscoWorks and VitalSuite).
      • DHCP is not being used throughout a large portion
        of the organization.
      • Current tools will need to be augmented/replaced,
        to provide the functionality required by a fully
        functional network management architecture.

9
Key Findings (Continued)
  • Security
      • There currently is not a comprehensive, globally
        enforced Security Policy addressing the use of
        Caregroup data resources.
      • The current Internet access-list is over 1300
        lines containing many obsolete entries. This is
        difficult to manage, and may create unknown
        vulnerabilities.
      • Core network devices are configured with public
        IP addresses that are not blocked with any access
        list. 11 devices on the Core 4 VLAN alone are
        accessible from the Internet via telnet.
      • Clear text passwords are used on core devices,
        many of which are Internet accessible.
      • There is a combination of managed and unmanaged
        Intrusion Detection Systems (IDS) in use today to
        monitor Internet-based traffic. IDS are not
        deployed to monitor traffic coming from Caregroup
        affiliate institutions.
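
The device-level findings on this slide (public addresses on core devices, telnet reachable with no access list, clear text passwords) can be checked mechanically against archived device configurations. The Python below is an added example, not part of the Callisma presentation: the sample configuration, the function names and the finding labels are constructed for illustration, and "public" is assumed to mean any address outside the RFC 1918 ranges.

```python
import ipaddress
import re

# Constructed sample IOS-style configuration; not taken from the audit.
SAMPLE_CONFIG = """\
hostname core4-sw1
enable password letmein
username admin password 0 admin123
interface Vlan4
 ip address 198.51.100.10 255.255.255.0
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
line vty 0 4
 password cisco
 transport input telnet
line vty 5 15
 access-class 10 in
 transport input ssh
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_sections(config):
    """Group the config into (top-level line, [indented sub-lines])."""
    sections = []
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def audit(config):
    """Return (finding, location) pairs; secrets are never echoed."""
    findings = []
    for header, body in split_sections(config):
        for text in [header] + body:
            # "password" not followed by type 7 is stored in clear text.
            if re.search(r"\bpassword (?!7 )\S", text):
                where = text.split("password")[0].strip() or header
                findings.append(("cleartext-password", where))
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", text)
            if m and not any(ipaddress.ip_address(m.group(1)) in n for n in RFC1918):
                findings.append(("public-address", f"{header} {m.group(1)}"))
        if header.startswith("line vty"):
            transport = next((b for b in body if b.startswith("transport input")), "")
            telnet = "telnet" in transport or "all" in transport
            if telnet and not any(b.startswith("access-class") for b in body):
                findings.append(("telnet-unfiltered", header))
    return findings
```

Run over a directory of archived configurations, `audit` gives a per-device list to work through during hardening; it only flags vty lines whose `transport input` explicitly allows telnet, so defaults on a given software release still need checking by hand.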

10
Renaissance Park to East Campus Utilization

11
Renaissance Park to West Campus Utilization

12
Key Recommendations
  • Network
      • Remediation Effort (Currently Underway)
          • Reduce the number of Virtual Local Area Networks
            (VLANs), paying special attention to the number
            of VLANs spanning the core.
          • Move to a Routed Core to improve traffic flows
            and reconvergence times.
          • Segment the Spanning Tree domains to further
            contain any future layer two issues.
          • Configure Spanning Tree to take advantage of all
            redundant links with advanced load balancing
            techniques, manually set root bridges and
            associated costs.
          • Load balance the utilization between Renaissance
            Park and the campuses.

13
Key Recommendations
  • Network
      • Future Design
          • Replace Core Network switches with newer
            switch/routers
          • Institute a current best-practices based design
            leveraging advanced (Gigabit) LAN/WAN transport
            options
          • Implement a core/distribution/access design with
            inherent redundancy
          • Migrate to routed IP protocol wherever possible
          • Implement a plan to reduce/eliminate legacy
            protocols such as IPX, AppleTalk, and other
            protocols being bridged.
          • Implement a hierarchical OSPF Routing Design with
            a smaller core (Area 0).

14
Key Recommendations
  • Security
      • Full featured redundant firewalls should be
        installed to protect the Caregroup infrastructure
      • Create DMZ (De-Militarized Zone) segments for
        Remote Access and Internet service servers
      • Strategic deployment and configuration of IDS
        (Intrusion Detection System) devices should be
        completed
      • Vulnerable systems/network devices should be
        hardened
  • Network Management Recommendations
      • Implement basic change and configuration
        management process
      • Select and deploy fully functional DNS/DHCP
        software
      • Develop an operations architecture (tools,
        process, people)

15
Questions?

16
www.callisma.com