1: Network Infrastructure
[Original article by: KC Lai]
The wiring in your office and the network hub
A secure and easily managed office IT system begins with good planning and wiring of your network infrastructure.
Identify all the rooms and exact wall locations of where you might need a computer, printer, scanner, phone, wifi access point, video camera etc. and install CAT5e or CAT6 network jacks (at least 2 jacks, also called RJ45, for each location). Run the network wires from each location back to the “Hub”, a central locked location (ie. a room, or a closet) where the cables will terminate.
What is in the “Hub”?
The “Hub” is where all the network cables will feed in to a patch bay. The Hub will be a locked room or closet so it can remain secure. This area should NOT be accessible by anyone except you or trusted individuals. It should also be large enough to accomodate all your main infrastructure equipment such as:
- patch panel where all the network cables terminate
- network switches
- Internet connection: ask Rogers or Bell to terminate the cable or fiber optic in the “Hub”
- modem (for Internet connection)
- the router
- telephone lines (if you use a landline instead of VoIP)
- server(s): you may want to separate the server from the other equipment if you like added security
- monitor and keyboard
- network attached storage devices (NAS)
- smart thermostat controller
- security system digital video recorder (DVR)
Why have a central “Hub”?
IT security starts with physical security. The “Hub” allows you to lock down all the essential equipment so it is hard for someone to steal it or tamper with it. This also makes it easier to manage everything when it is physically close together. You can easily make changes and switch connections from the patch bay. It makes no sense to have a highly secure EMR, when you server is out in the open at the reception desk where patients and staff walk around. If you have various third-party technicians (ie. phone guy) that needs access to parts of the “Hub”, you can add another layer of security by further segregating and locking away the server within the “Hub” area from the other hardware that needs frequent access for maintenance.
What can I do with the “Hub”?
The Patch Panel
You can use the patch bay to easily connect or switch around what you want each network jack to be connected to, without needing to rewire the whole office. Notice we did not mention installing telephone jacks (RJ11). This is because you can use the same RJ45 jack to plug in a tradition telephone RJ11 plug (it will fit), or use the newer VoIP telephones (much more versatile). What you connect the corresponding jacks on the patch panel will determine what the wall plug is used for. For IP computer networks, use a short patch cabel to connect the patch panel jacks in to a network switch. For tradition land line phones, use a custom crimped cable that connects the corresponding twisted pair wires to a telephone demarcation panel (connect with a punch down tool) or a VoIP gateway.
The Network Switch
There may be multiple gigabit switches, but you can start with one large 24-port gigabit switch. The switch will be your backbone of the network to connect all the computers, servers, and peripherals together. You can organize your network in to various groups topologies for added security. For example, you can segregate parts of your network from other parts with VLANs.
This piece of equipment is central to your network infrastructure. The router protects your network from the Internet. The Internet provider connects their wires to a modem (usually provided by the Internet provider), and the modem should connect to the WAN port of the router. Nothing else should be connected to the modem. The wireless features on the modem should be turned off (if you need wireless, enable it from within your network, ie. the router or a separate Wifi access point). Do not use a regular home router that you can buy from the local computer store or online. It may not have all the features that you may need to protect your clinic.
Use a business router with commercial-grade features such as:
- firewall: stateful packet inspection, ability to block WAN requests, limit types of access (SSH, Telnet), filter capabilities
- consider using a unified threat management gateway (UTM)
- port management: port forwarding (single or range), port triggering
- wifi access point (with WPA2 encryption, or RADIUS server)
- MAC filtering
- dual WAN port, with keep-alive function
- WAN access restrictions by IP, MAC, schedule
- VPN server
- quality of service (QoS) features
Some examples of commercial-grade routers:
- Juniper routers (high-end)
- Cisco RV Series Routers
- Ubiquiti Networks UiFi Security Gateway
- Sophos XG Series Firewall Appliances
- OpenWrt or dd-wrt (flash a home router and upgrade to commercial-features)
- pfSense (open source appliance that you need to know how to install on hardware or virtual machine)
Read Next: Setting Up the Router