Network Architecture for

New Look Medical Center

Technology Solution Partners (TSP) conducted a needs analysis for the New Look Medical Center. TSP’s goal is to understand the current and future network needs of the all the users, departments and applications. TSP’s main objective is to define the scope of this network project, while taking geographic scope, applications systems, users, and network needs into consideration.

The geographic scope of the project includes the Medical campus and several facilities in the outlying community. In the outlying community there are seven MedCenters and several rural hospitals. There is also the possibility for future use of tele-radiology so the capacity to reach radiologists' homes and offices must be included. The application systems utilized on campus consist of financial, administrative, resource and inventory software. The inventory application is the only one that will be affected by the network redesign, which will be changed into a just-in-time inventory system. The number and type of users that will be generating and receiving the network traffic has been assessed. Finally, the network needs were assessed and it was determined that the Medical Administration Building and the Main Hospital will produce the largest amount of network traffic. The following is a detailed description of each of the facilities needs:

• Establish connectivity between all campus buildings -- create a campus backbone.
• Campus backbone must have redundancy.
• Create a main database with standard data entry applications for all areas.
• Design network with future projects in mind.

• Conduct a site visit.
• Provide adequate network security.
• Replace current Token Ring network with an Ethernet network.
• Provide connections for future installation of image viewing capability to outlying Radiologists homes and offices.
• Address security issues by installing a firewall that utilizes a screening router.

• Decide on which topology to use for firewall architecture.
• Research security requirements.
• Decide what information services are to be supported.
• Analyze expected traffic levels.

• Conduct a site visit.
• Connect network to campus backbone.
• Provide adequate network security.
• Provide an imaging system between the Radiology Department and the seven MedCare Centers.
• Replace stand-alone Token Ring Network with an Ethernet network.
• Connect existing VAX's from the Laboratory and Pharmacy to the network.
• Develop or purchase middleware to connect VAX's with campus network.
• Replace all 3270 terminals with PC's.
• Purchase 3270 Emulation software.

• Conduct a site visit.
• Connect network to campus backbone.
• Provide adequate network security.
• Budget for future replacement of 3270 terminals with PC's.
• Replace existing LAN with Ethernet network.
• Connect all stand alone PC's.

• Conduct a site visit.
• Connect network to campus backbone.
• Provide adequate network security.
• Budget for future replacement of 3270 terminals with PC's.
• Connect existing VAX 4000 to campus backbone.

• Conduct a site visit.
• Connect network to campus backbone.
• Provide adequate network security.
• Budget for future replacement of 3270 terminals with PC's.

• Conduct a site visit.
• Connect network to campus backbone.
• Provide adequate network security.
• Budget for future replacement of 3270 terminals with PC's.
• Implement just-in-time inventory control.

• Conduct a site visit.
• Connect to campus network via T-1 or T-3 line.
• Provide adequate network security.
• Address cabling issues for VAX connection.
• Budget for future replacement of 3270 terminals with PC's.
• Develop or purchase middleware to connect VAX's with campus network.

In addition to figuring out what the future needs may be for the network, we need to have a clear idea of how the current network functions. Since the customer is not available, some assumptions had to be made about the network. Following is a set of assumptions we made for each facility to assist in developing the map (See Figure 1), which depicts the design of the current network.

• Network map on page 5 of the case study shows a single token-ring network attached to front-end processor (FEP), yet narrative description on page 3 says "stand-alone token ring LANs." Technology Solution Partners (TSP) assumes that the narrative is correct... i.e. there are at least two token-ring networks and each one stands alone.
• TSP assumes the usage of modems in racks as the entry point before data communications link into the FEPs.

• TSP assumes the LAN is token-ring.
• TSP assumes that the dial-in circuits used by the LAN attached PCs (page 3) are the same in type as the three 9.6k analog private lines used by the other campus buildings (missing from network map).
• TSP assumes that each of the three VAX machines with their associated terminals, are stand-alone.
• TSP assumes that the device used to print radiology and laboratory orders from the host system (page 4) is located in the Main Hospital.

• TSP assumes the LAN is token-ring.

• No assumptions needed.

• TSP assumes the usage of public lines to access the outside databases mentioned on page 4.

• TSP assumes that there are no 3270 terminals residing at this location since none are specifically mentioned in the narrative or the diagram... neither are any 3174 controllers alluded to. However, since there is a 4.8k modem connection to the FEP, we assume that connectivity to the host is indicated. Therefore, the workstations that are connected to the SYS/36 must have 3270 terminal emulation software on them.

MedCare Centers (7 of these)

• No assumptions needed.

• TSP assumes that no data communications link is currently in place.

• TSP assumes that the dial-in connections to the FEP shown on page 5 belong to the radiologists' homes and offices who are requesting that CAT and MRI images be made available to their locations. However, since they are using public telephone lines, they do not currently have the bandwidth available to transfer the images in a timely manner.

Using all of the pieces of information gathered about the current situation: the assessment of the geographic, application, user, and network needs; the map of the current network; and the assumptions about the design and layout of the current network, it is possible to complete a future network map (See Figure 2) and design for the New Look Medical Center.

New Look’s medical campus consists of the following buildings:

Main Hospital

R/N Doctor Teaching Facility

Cancer Research Center

Medical Administration Building

New Look Clinic

Warehouse

The first requirement will be to connect all the campus buildings together using a Fiber Optic cable backbone. It is assumed that the campus is a 2 to 3 square block area. This will allow a path for all campus-based computers to communicate with each other. Fiber will also allow New Look to expand their network down the road without redoing the backbone. Since the Medical Center deals with life and death issues, the campus backbone need to have redundancy. This means there are two ways for network traffic to get to each building on the network. If one network line is down due to physical or technical problems, all network traffic is automatically rerouted to the other network path.

Routers should be installed in each of the campus buildings to allow connection of the building backbones to the campus backbone. The routers will also add a security layer to the network by allowing only certain devices to access the devices in that building.

The protocol of the New Look network will be TCP/IP. Host protocol will remain as SNA.

TCP/IP will be managed via DHCP.

The data center for New Look is located in this building. It is assumed that New Look will continue to use their existing IBM ES/9000 computers for their mission critical processing.

Since this building has a mix of PC’s and 3270 terminals using two separate networks, these networks should be combined into one. The existing Token Ring network and coaxial cables used for the 3270 terminals should be removed and replaced with an Ethernet network. The existing 3270 terminals in the building should be replaced with PC workstations and 3270 emulation software purchased to allow connection to the mainframe. The existing IBM 3174 controllers should be replaced with a PC Gateway to allow SNA traffic to get to the host.

This configuration will allow one network in the building, combine the 2 existing networks together and eliminate several pieces of obsolete IBM equipment.

A majority of the users of the mainframe are located in this building.

We assume that the Main Hospital is a multi-story building. A fiber optic backbone should be installed between all floors of the Main Hospital. The Hospital Backbone is then connected to the Campus Backbone via a Router. Each floor of the Main Hospital will have a unique wire closet for termination of the network cabling for that floor. Ethernet Hubs will be located in these closets.

Each floor should be wired with CAT5 twisted pair wire. This wiring allows the greatest flexibility.

The 300+ 3270 Terminals should be replaced with PC Workstations. The Coaxial cabling for those terminals should be replaced with a new Ethernet network. Since the lease for 50% of the 3270 terminals that New Look uses expires in a few months, whole buildings should be converted from 3270 terminals to PC Workstations. It is best not to mix terminals and workstations in the same building as it may lead to support issues.

The stand-alone Token Ring network should be replaced with Ethernet. This will allow use of a single network throughout the New Look campus. 3270 Emulation software should be purchased for all PC’s, thus allowing the PC to connection to the mainframe via the new Ethernet and Fiber network. The dial-in modem for host communications can be removed.

Local Office Automation (assuming Word Processing) can still be performed on the PC’s. Network Servers should be placed in the main Data Center to allow users to share files and provide a safe area to store their data. Since there was no network operating system mentions, I will assume its OS/2 (since New Look is an IBM shop). The OS/2 NOS should be replaced with NT 4.0.

Access to medical databases can still be accomplished using the new network.

All stand-alone PC’s should also be connected to the new Ethernet network. Ethernet NIC’s will need to be purchased for these devices.

All printers for the PC’s and 3270 terminals should be converted to allow connection to the new Ethernet network.

The existing VAX’s in the Laboratory and Pharmacy should be connected to the Main Hospital Backbone via a Bridge. This will allow access to these computers from any workstation in the hospital. Users can gain access to the VAX if they have a software emulation program and have the rights to access the computer. Software developers can also create middleware to allow the VAX’s to communication between other computers on the campus network to share data automatically.

Since the VAX in Radiology is used to control their CAT and MRI equipment, this VAX should not be placed on the hospital network. There is not enough information to make a good decision on this one.

The SunSparc in Radiology should be connected to the hospital network to allow other users access to the image files. Since SUN uses TCP/IP as its main protocol, the SPARC just needs to be connected to the network. Not knowing exacting how the CAT & MRI images get into the SPARC, I assume that the SPARC is somehow connected to the Radiology VAX. This connection will have to remain.

If the Teaching Facility is a multi-story building, a Fiber Optic backbone should be installed to connect all floors of the building together. The building backbone will be connected to the campus network via a Router. Each floor of the building will have a unique wire closet for termination of the network cabling for that floor. Ethernet Hubs will be located in these closets. Each floor should be wired with CAT5 twisted pair wire. This wiring allows the greatest flexibility.

The existing LAN should be converted to Ethernet and all stand-alone PC’s connected to this network. Ethernet NIC’s will need to be purchased to connect these PC’s.

The exact number of 3270 terminals is unknown but since 50% of the total number campus-wide are going to be replaced due to the lease expiring, these terminals may have to stay in use for a certain amount of time. We believe the IBM 3174 can still be connection to the new fiber backbone.

The modem link between the teaching facility and the host can be removed. All connected to the Host will now be performed via the fiber backbone.

Office automation will be stored on the NT network servers located in the main data center.

If the Cancer Research Center is a multi-story building, a Fiber Optic backbone should be installed to connect all floors of the building together. The building backbone will be connected to the campus network via a Router. Each floor of the building will have a unique wire closet for termination of the network cabling for that floor. Ethernet Hubs will be located in these closets.

Since there is already an Ethernet Network installed in this building, no updating to the physical network will be required.

The existing VAX 4000 should be connected to the new campus network via a bridge. This will allow any user on the campus network access to the data.

Since exact number of 3270 terminals in use in the Cancer Research Center is unknown, it will be hard to determine if the 3270 terminals should be removed with PC or not. These 3270 terminals may have to stay in operation. I believe that the IBM 3174 can still be connection to the new fiber backbone.

If the New Look Clinic is a multi-story building, a Fiber Optic backbone should be installed to connect all floors of the building together. The building backbone will be connected to the campus network via a Router. Each floor of the building will have a unique wire closet for termination of the network cabling for that floor. Ethernet Hubs will be located in these closets.

Since there is already an Ethernet Network installed in this building, no updating to the physical network will be required.

Since exact number of 3270 terminals in use in the Cancer Research Center is unknown, it will be hard to determine if the 3270 terminals should be removed with PC or not. These 3270 terminals may have to stay in operation. We believe that the IBM 3174 can still be connection to the new fiber backbone.

The new AS/400 will replace the existing SYS/36 in the warehouse. The AS/400 will be connected to the campus network via a bridge. This will allow the AS/400 connection to the host and other users on the campus network.

Since it appears that the only 3270 terminals are used in the warehouse and no other application is needed, we can still continue to use the 3270 terminals. Money should be set aside in the upcoming year in order to replace the 3270 terminals with PC workstations.

Since the MedCare Centers are remote sites for the Main Hospital, these seven sites will need to be connected to the main campus network. I would recommend a T-1 data line be setup for each site. The T-1 would connect each MedCare Center with the main data center on the New Look campus. The T-1’s should have a multiplexer on their end of the line.

The T-1 data line will serve two purposes:

Allow all the MedCare Center VAX 4000’s to be connected together. A third

party vendor will have to be hired to hard the software programming to allow the

VAX’s to share patient databases.

The T-1 will also allow staff members at the MedCare Center to retrieve and view

Medical Images from the Radiology SPARC server.

Each MedCare site should have a Router. The VAX 4000 will be connected to the network via a Bridge.

Since the MedCare Centers currently use Ethernet to connect to the VAX, these data lines should be checked to make sure that lines are CAT5 cables. If the cabling is not CAT5, plans should be developed to replace the cabling.

Again, since we don’t know the current number of 3270 terminals at each MedCare Center site, it is best to leave that terminal at the sites and connect them to the host via the T-1 line. Future plans also call for the replacement of the 3270 terminals with PC workstations.

1.) The SYS/36 used in the warehouse is being replaced by an AS/400. The new system will operate peer-to-peer within the inventory control program running on the IBM host system.

2). A study is underway to evaluate the impact of providing CAT and MRI images to all campus facilities and the MedCare Centers. The services could also be made available to affiliated radiologists homes and offices.

3.) A committee is studying the possibility of providing video-consultation services to outlying hospitals.

1.) Records stored on a variety of LANs are not available to the general Medical Center population. For example, patient records in the MedCare Centers aren’t accessible from other areas of the Medical Center. If a patient visits a different MedCare Center, their patient information must be reentered.

2.) Patients using services like radiology or the laboratory have orders printed from the host system. When they reach radiology, that information is entered in a different system.

3.) The lease for 50% of the 3270 terminals is up in five months. It has been suggested they be replaced by LAN-based PCs.

In addition to the preceding hardware and software being used in the new network, TSP has decided to implement a firewall to protect the network because outside databases will be accessed via the Internet and network security is important. The following is a description of three possible types of firewalls and the factors we must consider when choosing a firewall.

1. Screening Routers – Network Layer

Screening routers block or pass traffic based on some combination of information within the packet (usually IP address, port number, TCP flags). Screening router are cheap protection and a useful level of security and usually comes free with router, they also require the administrator to make a list of acceptable hosts and services. Some routers filter on input, some on output and some allow both. Filtering on the output has several disadvantages, it doesn’t protect the router itself from attack and some information is discarded.

2. Circuit-level Gateways – Transport Layer

Circuit-level gateway relays TCP connections; the call connects to a TCP port on the gateway (the gateway connects to some destination on the other side). The gateway authenticates the call before relaying it. Some circuit-level gateways require to be told the destination.

3. Application Gateways – Application Layer

An application proxy is a simple program that examines packets (a proxy exists for each application supported). Proxy application makes pass/block decisions, which are based on a set of access rules or the content of the message. The proxy may also use strong authentication techniques.

The best firewall architecture for the MedCare Centers depends on:

• Security requirements (high level of security, due to sensitive patient information)
• Information services to support (patient updates, inquires, new patients)
• Expected traffic levels (high)

Designing a new network for the New Look Medical Center involves many hardware and software changes, and upgrades. TSP has decided to implement the process using a phased cutover method. This means the changes will take place in phases, beginning with setting up a priority list for each of the facilities. The priority list will include a ranking of the facilities as well as which part of the facility will be phased into the network at what time. For example, the Medical Administration Building is an integral part of the backbone. The priority to get this facility set up and running will be high, whereas the rural hospitals do not play a critical role in the Medical Centers business, so the Video Conferencing system will be implemented at a later time.

In addition to priorities, cost (See Figure 3) is a major factor in the implementation phase. By using a phased approach, the Medical Center will be able to spread the cost over many fiscal periods instead of being hit with one large expense. For example, the LANs within each building can be constructed independently of the campus network beginning with the Main Hospital and proceeding through the other facilities. This can be done in a time frame established by an executive decision, so the cost is in minor peak and valleys. Once the facilities are up and running internally and the backbone has been established, the connections can then be made and the network will become integrated.