Cisco PCI Solution for Healthcare Design and Implementation Guide
Solution Framework

Table Of Contents

Solution Framework

Applications and Partner Services

Infrastructure Services

Network Systems Layer

Network Designs

Doctor's Office

Advantages

Limitations

Medical Clinic

Advantages

Limitations

Hospital

Advantages

Limitations

Data Center

Primary Design Requirements

WAN Aggregation

Core

Services (Edge) Aggregation

Server Access Layer

Storage

Advantages

Limitations

Internet Edge

Primary Design Requirements


Solution Framework


The PCI Solution for Healthcare architecture is based on Cisco's Medical-Grade Network (MGN), a Service-Oriented Network Architecture (SONA). For more information on SONA and the MGN, refer to the following URL:

http://www.cisco.com/go/healthcare

The Cisco MGN provides the framework required to meet healthcare's unique needs for interoperability, security, availability, and productivity. As shown in Figure 2-1, reference designs for facilities such as clinics and hospitals serve as the foundation of the network systems layer.

Figure 2-1 PCI Solution for Healthcare SONA Framework

Applications and Partner Services

The top layer of the SONA framework includes the applications and services that are part of the PCI solution, such as point-of-sale, payment, and encryption applications. Some of these applications use popular middleware services based on J2EE, .NET, or other systems. The shared network services approach allows these various Service-Oriented Architecture (SOA) environments to share the same infrastructure services across multiple network topologies. Annual audits, network scans, and remediation services are required to remain compliant with PCI requirements.

Infrastructure Services

Process control is simplified by using common infrastructure services for security, mobility and identity, and management. These are key advantages that aid in operational reporting and the policy requirements of achieving PCI compliance. Sharing fewer services across more intelligent devices increases the operational efficiency of the whole system.

Application networking services are the connection from the business applications to the shared services of the infrastructure services layer. This is where filtering, caching, load balancing, and protocol optimization interact with applications or application middleware services to optimize performance from the source of data to the end user. Application delivery services include server load-balancing and content filtering features performed by Cisco IOS routers or Cisco Application Control Engines (ACEs).

Security services are used extensively in the PCI Solution for Healthcare architectures. These services are a combination of security features shared across multiple physical devices, central management in the data center, and virtual access to the security control plane from anywhere in the network.

Firewall services are provided by the Cisco ISR routers, Firewall Services Modules (FWSM), and Adaptive Security Appliances (ASA) in order to protect credit card transactions.

Intrusion Detection and Prevention systems (IDS/IPS) are used across the Cisco ISR, ASA, Intrusion Detection System Services Module 2 (IDSM2), Unified Wireless Network (UWN), and Cisco Security Agent (CSA) at the point-of-sale (POS) host and server levels. The combination of these systems is centrally managed through the Cisco management applications in the data center.

Monitoring, analysis, and remediation data is correlated by the centralized event correlation applications in the data center. The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) provides correlation and monitoring services, in addition to remediation of network attacks, either dynamically or through reactive alarm notifications. The CiscoWorks Network Compliance Manager (NCM) enforces PCI policy on the monitored devices.

Mobility services are critical in healthcare facilities and provide support for biomedical devices and handheld POS applications or mobile kiosks. The Cisco Unified Wireless Network supports a very scalable set of wireless LAN (WLAN) systems, ranging from single access points to systems connecting thousands of access points as a single, centrally managed domain.

Identity services are used to help ensure that only authenticated and authorized users are allowed access to the healthcare network systems. The Cisco Secure Access Control Server (CS-ACS) provides central management of the RADIUS and TACACS+ systems configured on each network device throughout the architecture. The use of a distributed network time service helps to ensure consistent synchronization of network and application events, and allows better correlation of events.

Several management systems are used to manage and monitor the devices and services in the architecture. The CiscoWorks LAN Management Solution simplifies the configuration, performance monitoring, and troubleshooting of Cisco network devices. The Cisco Security Manager (CS-M) manages the security policies of Cisco security devices. The CiscoWorks Network Compliance Manager (NCM) provides visibility into network changes and tracks compliance with technology best practices. This information helps identify and correct trends that could lead to network instability or service disruption.

Wireless systems are managed with the Cisco Wireless Control System (WCS). This management covers configuration, administrative elements, and security services.

RSA data security applications use specific management tools in this architecture. RSA File Security Manager manages file encryption services on hosts and servers that hold payment data.

Network Systems Layer

The network systems layer is where all resources are interconnected across a converged network transport infrastructure designed and tested with a set of modular architectural blueprints.

Path isolation is a key component of network virtualization. The PCI Solution for Healthcare isolates point-of-sale and network control traffic from other types of network traffic using VLANs, multiple WLAN SSID domains, and private connectivity to the data center, where network management is centralized. The Enterprise Network Virtualization design guides cover additional techniques to isolate and protect sensitive traffic. These design guides may be found at:

http://www.cisco.com/go/cvd
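The following configuration is an added example (not part of this design guide) of the VLAN-based path isolation described above, on a Catalyst access switch and an ISR router. VLAN numbers, interface names, and the 10.1.x.x/10.200.x.x addresses are constructed for illustration; the ACL keeps the POS VLAN from reaching anything except the payment and infrastructure servers in the data center.

```cisco
! Catalyst access switch: dedicated VLAN for POS terminals, separate
! VLAN for general clinic traffic (constructed example)
vlan 10
 name POS
vlan 20
 name CLINIC-DATA
!
interface FastEthernet0/1
 description POS terminal
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description Front-desk workstation
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the ISR
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ISR: one subinterface per VLAN. The ACL on the POS subinterface
! permits POS hosts to reach only the payment application servers
! (TCP/443) and the DNS/NTP servers in the data center; everything
! else, including the clinic data VLAN, is denied and logged.
ip access-list extended POS-TO-DC
 remark Payment application servers in the data center (constructed subnet)
 permit tcp 10.1.10.0 0.0.0.255 10.200.10.0 0.0.0.255 eq 443
 remark DNS and NTP to data center infrastructure servers
 permit udp 10.1.10.0 0.0.0.255 host 10.200.20.10 eq 53
 permit udp 10.1.10.0 0.0.0.255 host 10.200.20.11 eq 123
 remark Deny everything else and log it for the central monitoring system
 deny ip any any log
!
interface GigabitEthernet0/0.10
 description POS VLAN gateway
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip access-group POS-TO-DC in
!
interface GigabitEthernet0/0.20
 description Clinic data VLAN gateway
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
```

Return traffic from the data center to the POS VLAN is not filtered by this ACL, since it is applied inbound on the POS subinterface; the data center firewall policy covers that direction.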

Network Designs

The following three designs are intended to address the deployment of a network infrastructure in different health facilities in order to achieve PCI compliance. These designs should also allow for future expansion and support for new applications in the Cisco Medical Grade Network.

Doctor's Office

The purpose of a typical doctor's office is to provide outpatient healthcare services, and it typically includes treatment rooms and laboratories. A doctor's office facility typically has fewer than eight physicians. The doctor's office reference architecture presented in this design guide provides the security required to transmit cardholder data while offering a compact form factor and the flexibility to expand the system if additional devices or services are required.

The scenario shown in Figure 2-2 meets the following requirements:

Supports up to 25 devices requiring network connectivity.

A single router is required to connect to a central data center for management and data storage purposes.

Based on the port density, a single Cisco Catalyst switch is sufficient to connect all devices and provide path isolation via Virtual LANs (VLANs).

Wireless connectivity is available at the facility.

Figure 2-2 PCI Solution for Healthcare—Doctor's Office

This network architecture is widely used and consolidates many services into a few networking components. The Cisco ISR router provides security and can be expanded to support other services, such as an integrated Ethernet switch and an integrated content engine to support centralized application optimization and other application velocity services.

Advantages

Lower cost per facility.

Fewer parts to spare.

Fewer software images to maintain.

Lower equipment maintenance costs.

Limitations

Decreased levels of network resilience.

Dependence on the Wide Area connectivity.

Greater potential downtime because of single points of failure.

Medical Clinic

A medical clinic also focuses on providing outpatient healthcare services and typically has between 8 and 20 physicians. As more mission-critical applications and services rely on the IP infrastructure, network availability becomes more important. The reference architecture presented in this design guide offers an increased level of application availability and network resilience.

The medical clinic scenario in Figure 2-3 meets the following design requirements:

Supports up to 100 devices requiring network connectivity.

Provides redundant routers to connect to the central data center.

Redundant Catalyst switches to increase network availability.

Extends the wireless connectivity to wireless guests.

Figure 2-3 PCI Solution for Healthcare-Medical Clinic Network Design

The redundant Catalyst switches and Cisco ISR routers increase the availability of the medical clinic design. Each of the ISR routers is able to run IOS security services and other communication services simultaneously and is connected to a dedicated WAN connection. The Hot-Standby Routing Protocol (HSRP) is used to ensure network resilience in the event of a network failure.
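The following is an added example (not configuration from this design guide) of the HSRP arrangement described above on the two clinic ISR routers: both routers advertise the same virtual gateway on the POS VLAN, and each tracks its own WAN interface so that a router whose WAN link fails gives up the active role. VLAN numbers, addresses, interface names, and the key placeholder are constructed.

```cisco
! Router A: preferred active gateway for the POS VLAN (constructed example)
track 1 interface Serial0/0/0 line-protocol
!
interface GigabitEthernet0/0.10
 description POS VLAN gateway
 encapsulation dot1Q 10
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 standby 10 track 1 decrement 20
!
! Router B: standby gateway. Same virtual IP, lower priority.
! If Router A's WAN link drops, its priority falls to 90 (110 - 20),
! which is below Router B's 100, so Router B preempts and becomes active.
track 1 interface Serial0/0/0 line-protocol
!
interface GigabitEthernet0/0.10
 description POS VLAN gateway
 encapsulation dot1Q 10
 ip address 10.1.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 standby 10 track 1 decrement 20
```

HSRP authentication is enabled so that an unauthorized device on the VLAN cannot claim the virtual gateway address; POS hosts use 10.1.10.1 as their default gateway regardless of which router is active.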

Up to 12 wireless access points can be installed in the clinic (supported by the WCS controller as tested and without adding more controllers).

Advantages

More adaptive access layer with support for a greater number of endpoints and more diverse building requirements (multiple floors, sub-areas, etc.).

Improved network and application availability by using redundant equipment and alternate WAN connectivity.

Support for a larger number of wireless devices and wireless guests to the clinic.

Limitations

No distribution layer between core layer (the ISR) and the access layer switches.

A single WCS Controller at the clinic presents a single point of failure for the wireless network. Access points should be configured to fall back to a central WCS controller if the local WCS controller fails. A second WCS controller may also be installed at the clinic.

Hospital

The hospital scenario in Figure 2-4 meets the following design requirements:

Supports more than 100 devices requiring network connectivity.

Provides redundant routers to connect to the central data center.

Preference for a combination of network services distributed within the hospital to meet resilience and application availability requirements.

Tiered network architecture within the hospital; distribution layer switches are employed between the central network services core and the access layer connecting to the network endpoints such as POS, wireless access points, and servers.

The connection to the data center may be a wide area or Ethernet connection.

Figure 2-4 PCI Solution for Healthcare—Hospital Network Design

The hospital reference architecture is based on several features from a traditional campus design. A hierarchical campus design approach has been widely tested, deployed, and documented. The goal of this design is to provide highly available and modular connectivity by separating buildings, floors, and servers into smaller groups. The network design should provide a level of redundancy where no single points of failure exist in hardware components and allow hardware to be swapped without interrupting the operation of devices.

Advantages

Highest network resilience based on highly available design.

Higher port density and redundant paths.

Provides the flexibility to accommodate future hospital requirements and applications.

Increased segmentation of traffic.

Limitations

The design is more complex and may be harder to implement and troubleshoot.

Since redundant devices are required, the design may be more expensive.

Data Center

The data center is a central component of an IT architecture and provides the computational power and applications necessary to support healthcare services. Proper planning of the data center design is critical, and performance, resilience, and scalability need to be carefully considered. Figure 2-5 shows a typical healthcare data center design.

Figure 2-5 Typical Healthcare Data Center Design

For the purpose of this document, the data center is split into five areas: WAN aggregation, core, services aggregation, server access, and storage. In addition to these five areas, there is an alternative way in which a branch location such as a hospital can be connected to the data center. Instead of connectivity through a WAN, the hospital location is directly connected to the data center over an Ethernet-based campus.

The WAN aggregation architecture is based on the Infrastructure Protection and Security Service Integration Design for the Next Generation WAN Edge v 2.0:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080759487.pdf

The core, services aggregation, and server access tiers of the multi-tier data center architecture are based on the design documented in the Cisco Data Center Infrastructure Design Guide 2.5:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a008073377d.pdf

Primary Design Requirements

The data center design should meet the following requirements:

A scalable, highly available repository of business application data and compute servers.

WAN aggregation layer that securely connects healthcare networks via public or private networks.

IPSec encryption is required for healthcare facilities connected via public networks.

A high performance core network between WAN aggregation and the service aggregation layer.

Aggregated network services between the core and server access layer.

A server access layer that securely connects business and solution management servers to other data center resources.

A storage area network layer that securely connects storage resources to other resources in the data center.

WAN Aggregation

The WAN aggregation layer is a transit network that aggregates the connections from the healthcare facilities, via a private or public service provider network. The WAN aggregation layer does not directly connect end users in the HQ, campus, or regional branches; rather, it provides connectivity for the healthcare facilities' LAN to connect to the data center core network and its resources.

The WAN edge devices are Cisco routers; they should be dedicated to providing WAN connectivity and should not be used as Internet gateways for the data center. This recommendation is based on segmentation and typical throughput requirements for the healthcare WAN.

A dedicated firewall appliance is used to secure incoming WAN traffic and to terminate VPN connections to the clinics and hospitals. Many Cisco routers also support the IOS security software option which includes a firewall feature.

Cisco provides several network security devices dedicated to protecting the data communication between the data center and the healthcare facilities. Figure 2-6 shows two main ways to provide security and connectivity to the clinics and hospitals. The Cisco ISR routers with the IOS security features provide an integrated security approach within a single device, but using dedicated security devices, such as the Cisco ASA and IDS/IPS appliances, is also a common design that offers more granularity and scalability.

Figure 2-6 Data Center—WAN Aggregation Alternatives

Core

The core layer provides the high-speed packet switching backplane for all flows going in and out of the data center. The core layer provides connectivity to multiple aggregation modules and provides a resilient Layer 3 routed fabric with no single point of failure. The core layer runs an interior routing protocol, such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP), and load balances traffic between the campus core and aggregation layers using the Cisco Express Forwarding (CEF)-based hashing algorithms.

Services (Edge) Aggregation

The services aggregation layer modules provide important functions, such as service module integration, Layer 2 domain definitions, Spanning Tree processing, and default gateway redundancy. Server-to-server multi-tier traffic flows through the aggregation layer and can use services, such as firewall and server load balancing, to optimize and secure applications. The service modules provide services such as content switching, firewall, SSL offload, intrusion detection, network analysis, and more. Figure 2-7 illustrates a conceptual view of the Cisco Catalyst 6500 switch aggregating service modules, such as firewall services, intrusion detection, load balancing, and others.

Figure 2-7 Conceptual Service Aggregation Layer

Server Access Layer

The server access layer is where the servers physically attach to the network. In typical data centers, the server components consist of 1RU servers, blade servers, and clustered servers. The access layer network infrastructure consists of modular, fixed configuration, and blade server switches. Switches provide both Layer 2 and Layer 3 topologies.

The network management servers connect to the server access layer in order to be segmented from other business application servers, and to be protected by firewall services from the service aggregation layer above. Business servers, consisting of POS transaction log servers, database, and data warehouse servers, would also exist at this layer but would be segmented via separate VLANs and firewall policy.

Storage

A combination of the file encryption provided by the RSA File Security Manager product, Fibre Channel zoning, and Logical Unit (LUN) masking/zoning as provided by the Cisco family of Multilayer Director Switches (MDS) was used in the storage implementation of this solution to deliver encryption and restricted access to cardholder data at rest in the data center. By deploying zoning within a Fibre Channel fabric, device access is limited to devices within the same zone. This allows the user to segregate devices based on access to a particular storage device (disk array). This is generally an absolute requirement in a data center environment in which multiple file servers in the server farm are connected to the same SAN fabric and access to cardholder data must be restricted to a subset of servers (see Figure 2-8).

Figure 2-8 Data Center Storage Area Networking
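The following MDS configuration is an added example (not from this design guide) of the zoning described above: the cardholder-data array port is placed in its own VSAN and each payment database server HBA is zoned one-to-one with that array port, so no other server on the shared fabric can see the LUNs. The VSAN number, interface names, aliases, and pWWNs are constructed; LUN masking on the array itself is configured separately and is not shown.

```cisco
! Isolate the cardholder-data fabric ports in their own VSAN
! (constructed example: fc1/1 and fc1/2 are server HBAs, fc1/9 is the array)
vsan database
  vsan 10 name PCI-CHD
  vsan 10 interface fc1/1
  vsan 10 interface fc1/2
  vsan 10 interface fc1/9
!
! Device aliases make zone membership readable (pWWNs are constructed)
device-alias database
  device-alias name PAYDB-SRV1-HBA0 pwwn 10:00:00:00:c9:aa:bb:01
  device-alias name PAYDB-SRV2-HBA0 pwwn 10:00:00:00:c9:aa:bb:02
  device-alias name ARRAY-CHD-PORT0 pwwn 50:06:01:60:3b:e0:01:01
device-alias commit
!
! Single-initiator zones: each server HBA can reach only the array port,
! never the other server's HBA
zone name Z_PAYDB-SRV1_ARRAY vsan 10
  member device-alias PAYDB-SRV1-HBA0
  member device-alias ARRAY-CHD-PORT0
!
zone name Z_PAYDB-SRV2_ARRAY vsan 10
  member device-alias PAYDB-SRV2-HBA0
  member device-alias ARRAY-CHD-PORT0
!
! Only the active zoneset is enforced by the fabric
zoneset name ZS_PCI-CHD vsan 10
  member Z_PAYDB-SRV1_ARRAY
  member Z_PAYDB-SRV2_ARRAY
zoneset activate name ZS_PCI-CHD vsan 10
!
! Keep the default zone in deny mode so that any device logged into
! VSAN 10 but not listed in a zone cannot communicate with anything
no zone default-zone permit vsan 10
```

A file server attached to the same MDS but left in the default VSAN, or logged into VSAN 10 without a zone entry, gets no path to the array port carrying cardholder data.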

Advantages

Highly available data center design permits highly resilient access from clinics and hospitals to core data and storage services.

Standardized equipment and software images, deployed in a modular, layered approach, simplify configuration management and increase system availability.

WAN aggregation alternatives allow flexible selection of service provider network offerings.

Service aggregation designs allow for a modular approach to adding new access layers and managing shared network services (FW, IDS, application networking, wireless management, etc.).

Firewall, IDS and application networking services are available at all layers of the data center.

Scalable to accommodate shifting requirements in data center compute and storage requirements.

Limitations

WAN access speeds are typically the limiting factor between the health facilities and the data center.

Oversubscription of WAN circuits can have a severe impact on credit card transactions, causing inconsistent results or packet loss. Quality-of-service (QoS) features should be enabled to protect credit card transactions.

Backup network connections to the data center are recommended when payment card information is transported via the WAN. These options are not covered in this design guide as they are not a requirement to meet PCI guidelines.

Internet Edge

This design takes into account best practices from the Data Center Networking: Internet Edge Design Architecture Design Guide (http://www.cisco.com/go/srnd/) and customizes these recommendations for a Healthcare Internet edge and extranet network.

The edge connects Internet services to the complete enterprise environment, from headquarters to the Internet service providers (ISPs), including branch office connections that use Cisco secure VPN to reach headquarters. The collapsed design provides highly centralized and integrated edge networks and transports the aggregated traffic through different service modules (Cisco ACE, Cisco FWSM, and Cisco IDSM2) within a pair of Cisco Catalyst 6500 switch chassis. The design also provides protection and defense against XML and OWASP Top Ten threats using the Cisco ACE XML Gateway.

The Internet edge solution architecture is shown in Figure 2-9.

Figure 2-9 Typical Internet Edge Architecture

The Internet edge provides the following security functions:

Secure configurations and management.

Access Control Lists (ACLs)—Define which IP traffic is explicitly permitted and/or denied between the inside, outside, and Demilitarized Zone (DMZ) networks.

Stateful inspection—Provides the ability to establish and monitor the session state of traffic permitted to flow across the Internet edge, and to deny traffic that fails to match the expected state of an existing or allowed session.

IP anti-spoofing.

Intrusion detection using Cisco IDSM2—Provides the ability to promiscuously monitor traffic across discrete points within the Internet edge and alarm and/or take action when detecting suspicious behavior that may threaten the enterprise network.

Demilitarized Zone (DMZ)—Application servers that need to be directly accessed from the Internet are placed in a quasi-trusted secure area between the Internet and the internal enterprise network. This allows internal hosts and Internet hosts to communicate with servers in the DMZ.
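The following FWSM/ASA-style configuration is an added example (not from this design guide) that combines the ACL, stateful inspection, anti-spoofing, and DMZ functions listed above on the Internet edge firewall. VLAN numbers and the 203.0.113.x, 192.0.2.x (RFC 5737 documentation ranges), and 10.10.x.x addresses are constructed.

```cisco
! Three security zones; the module only allows traffic from a higher
! security level to a lower one unless an ACL permits it (constructed example)
interface Vlan100
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan200
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface Vlan300
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! IP anti-spoofing: unicast reverse-path check drops packets whose
! source address is not routed back out the interface they arrived on
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
!
! Outside ACL: drop private-range sources that should never appear on
! the Internet side, then permit only the published DMZ web service
access-list OUTSIDE-IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE-IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE-IN extended deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ ACL: the web server may open only one connection type into the
! inside network (its application tier). Replies flow back through the
! stateful connection table, so no inside-to-DMZ permit is needed.
access-list DMZ-IN extended permit tcp host 192.0.2.10 host 10.10.0.20 eq 8443
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
!
! Stateful application inspection on top of the default TCP/UDP state
! tracking: HTTP and DNS protocol conformance is checked as well
policy-map global_policy
 class inspection_default
  inspect http
  inspect dns
service-policy global_policy global
```

Denied traffic is logged so the event feeds the central CS-MARS correlation described earlier; a compromise of the DMZ web server is thereby limited to a single permitted flow into the inside network, and that flow is visible in the logs.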

Primary Design Requirements

The Internet edge design meets the following requirements:

An enterprise connection to the Internet.

Securing the Internet edge design using Cisco firewall and intrusion detection systems.

Protecting the enterprise network against web attacks.

Dual-threaded design for network resiliency.

Collapsed Internet edge and extranet network for a highly centralized and integrated edge network.

Remote VPN access for enterprise users and telecommuters.