Sunday, June 22, 2014

El Centro Infrastructure Assessment – 2012

Infrastructure Assessment

August 3

2012

KNS Consulting

El Centro De Corazon

Findings

Network Infrastructure

Service Providers

Three service providers provide El Centro with both phone and internet: AT&T, CBeyond, and Airband.

Airband – primary provider for Eastwood – provides Internet and phone

CBeyond – Secondary internet provider for Eastwood; primary provider for all other clinics

AT&T – PRI – phone provider for CBeyond connections

External IP addresses:

· Airband – 63.133.130.xx/29

· CBeyond – 74.7.204.xx/29

**Note – during the assessment Alpheus Communications installed fiber connections at all clinics. The plan was for Eastwood to be the primary provider of internet services to all clinics. At this time, integration of this new service into the clinics’ infrastructure has been delayed until the network can be configured to support it.

Current Issues:

· Airband does not provide a stable connection – PRI and internet are constantly flipping

· CBeyond does not provide a stable connection – PRI and internet are constantly flipping

· Trouble tickets with providers take days to completely resolve

· Service outages recur constantly and affect clinic business and patients

Firewalls

There are three types of firewalls in use at El Centro: Windows, Linux server-hosted and router-hosted.

Windows Firewall –

· VMXP1 port 80 redirect for elcentrochc.org web site

· VHOST public IP used for remote access

Linux Firewall –

· DOCS public IP address

· COMM public IP address

Router Firewall

· Non-functional

Routers

Each clinic hosts an HP ProCurve 7203dl router. All routing is performed via static routes. The IP addressing schema for each clinic has been standardized: host addresses 1-69 and 200-254 are excluded ranges (not handed out by DHCP). Printers and other network devices are assigned IP addresses in the lower range, while the upper range is reserved for servers.

Issues found relating to the schema are as follows:

· DHCP issuing addresses in the excluded ranges

· DHCP scope hard-coding server MAC addresses instead of assigning static IPs to servers

· Servers assigned static IP addresses within the DHCP ranges

IP address schema is as follows:

Dunn –

· 10.1.9.0/24 - Internal

· 10.1.19.0/24 - Tunnel

· 72.16.240.xx/29 - CBeyond

Eastwood –

· 10.1.1.0/24 - Internal

· 10.1.11.0/24 - Tunnel

· 63.133.130.18/29 - Airband

· 74.7.204.xx/29 - CBeyond

Long –

· 10.1.6.0/24 - Internal

· 10.1.16.0/24 - Tunnel

· 72.54.195.xx - CBeyond

Magnolia –

· 10.1.7.0/24 - Internal

· 10.1.17.0/24 - Tunnel

· 74.7.204.xx/29 - CBeyond

Navigation –

· 10.1.3.0/24 - Internal

· 10.1.13.0/24 - Tunnel

· 74.7.204.xx/29 - CBeyond

Wayside –

· 10.1.5.0/24 - Internal

· 10.1.15.0/24 - Tunnel

· 69.115.163.xx/29 - CBeyond
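As an added check (not part of the assessment), the following Python script audits DHCP leases and static server assignments against the standardized schema described above (per-clinic /24 internal subnets, host octets 1-69 and 200-254 excluded from DHCP). Only the clinic subnets come from the report; the lease and server data are constructed, and the MACs and the FILES/NAS hosts are hypothetical.

```python
import ipaddress

# Per-clinic internal subnets as listed in the assessment.
CLINIC_SUBNETS = {"Dunn": "10.1.9.0/24", "Eastwood": "10.1.1.0/24", "Long": "10.1.6.0/24",
                  "Magnolia": "10.1.7.0/24", "Navigation": "10.1.3.0/24", "Wayside": "10.1.5.0/24"}
# Standardized schema: host octets 1-69 (printers/devices) and 200-254 (servers)
# are excluded from DHCP; 70-199 is the dynamic pool.
EXCLUDED = ((1, 69), (200, 254))

def host_octet(ip):
    return int(ip.rsplit(".", 1)[1])

def is_excluded(ip):
    return any(lo <= host_octet(ip) <= hi for lo, hi in EXCLUDED)

def clinic_for(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in CLINIC_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def audit(leases, servers):
    """leases: (ip, mac) dynamic DHCP leases; servers: (hostname, ip) static assignments."""
    findings = []
    for ip, mac in leases:
        if clinic_for(ip) is None:
            findings.append(("lease-outside-schema", ip, mac))
        elif is_excluded(ip):            # pool handing out addresses it must not touch
            findings.append(("lease-in-excluded-range", ip, mac))
    lease_ips = {ip for ip, _ in leases}
    for name, ip in servers:
        if clinic_for(ip) is None:
            findings.append(("server-outside-schema", ip, name))
        elif not is_excluded(ip):        # static server sitting inside the dynamic pool
            findings.append(("server-static-in-dhcp-range", ip, name))
        elif host_octet(ip) < 200:       # server placed in the printer/device range
            findings.append(("server-in-device-range", ip, name))
        if ip in lease_ips:              # lease issued on a server's static address
            findings.append(("ip-conflict", ip, name))
    return findings

# Constructed sample data (MACs, FILES and NAS are made up; DB and TS use the addresses the report lists).
SAMPLE_LEASES = [("10.1.1.45", "00:11:22:33:44:01"), ("10.1.1.120", "00:11:22:33:44:02"),
                 ("10.1.9.210", "00:11:22:33:44:03"), ("10.1.1.251", "00:11:22:33:44:04"),
                 ("192.168.50.7", "00:11:22:33:44:05")]
SAMPLE_SERVERS = [("DB", "10.1.1.251"), ("TS", "10.1.1.249"), ("FILES", "10.1.1.150"), ("NAS", "10.1.6.20")]

def sample_findings():
    return audit(SAMPLE_LEASES, SAMPLE_SERVERS)
```

Run against a real lease file and host inventory, the same checks surface the three schema issues listed above plus the IP conflicts they cause.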

Switches

The number of switch types and brands varies per site. The environment is a mix of managed HP PoE and non-PoE switches and unmanaged Netgear switches. All managed switches are assigned an IP address. Security settings have been enabled on the web interface of most switches. However, telnet access is not secure: it does not require a user name or password.

Server Infrastructure

The main infrastructure consists of the DOCS, COMM, DB and TS servers, which are owned and managed by El Centro. At this time there is no external or cloud backup device; however, some backups are being directed to the DOCS server.

Domain Controller

Conceptually a single server, the domain controller consists of three services: LDAP, DNS and DHCP. At El Centro, these three services are split between two servers, DOCS and COMM: DOCS supports DNS, while COMM supports DHCP and LDAP.

LDAP manages users’ rights and access, while DHCP and DNS work together to assign, manage and route IP addresses. All three services are critical to the functionality of the network. In El Centro’s case, many of the issues experienced relate to misconfiguration or malfunction of these services. The most recent issues include:

· LDAP users with roaming profiles are only logged in temporarily to a Windows workstation.

o Causes users to lose session added configurations

o Causes printer unavailability

o Causes user profile errors in logs

· DNS services chronically failing

o New computers cannot be added to the domain

o Users are unable to resolve internal addresses

o Users are unable to resolve external addresses

o Causes the network to run sluggishly

· DHCP services issuing addresses in excluded ranges

o Causes IP conflicts

o Causes devices to stop working correctly

Email Server

In good practice, this server would reside on a single physical server or on a single virtual server. El Centro’s email server resides on both COMM and DOCS. DOCS supports the database portion of the mail services while COMM supports the web and application interface.

· RoundCube is the application that provides email for the clinic and can be accessed via:

o Outlook

o http://webmail.elcentrochc.org web interface

· Does not support integration with Outlook

· Does not support shared calendars

· Does not support server managed inbox folder and file synchronization

· Limited functionality

Database Server

The database server has the following attributes:

· Name: DB

· IP Address: 10.1.1.251

· Custom-built server

· Two Intel Xeon 2100 series quad core processors

· 8GB RAM

· 146 GB hard drives

· Supports Media Dent application and database

· Sevocity

Current Issues:

· The server is configured with a single hard drive and runs Windows Server 2008 R2 Standard.

· At present the server has only 6 GB of hard drive space available.

· During the assessment of the hard drive it was noted that over a year’s worth of images are stored on the server; as a result, the hard drive is running out of space.

· The server was not configured according to Microsoft’s best practices.

o Server was not spec’d according to needs

o Server was not configured according to Microsoft Best Practices

o Server has no hard drive redundancy (No RAID configuration)

**Note – at this time there are six hard drives waiting to go into the DB server. This task will be performed once the network has been stable for one week. The server will be scheduled to be offline during non-clinic hours for the upgrade.

Terminal Server

· Name: TS

· IP Address: 10.1.1.249

· Custom-built server

· Two Intel Xeon 2100 series quad core processors

· 16GB RAM

· 146 GB hard drives

· Supports Media Dent application

· Terminal Services

· Sevocity

· DNS

· Hyper-V

Current Issues:

· Problematic latency when running Media Dent

· Corrupted computer account in LDAP

· Resides in ECDC workgroup

· Cannot be placed back on domain due to malfunctioning DNS on LDAP server

Cabling Infrastructure

Server Room (MDF)

· Cables were not labeled

· Cables unmanaged and tangled

· Switches located in various places

· Servers located in various places

· UPS sitting directly on floor

· Unsecured

Current issues:

· Cannot add new server to server room until MDF is cleaned up and tagged

· Switch rack needs to have equipment removed

· Heat – need additional cooling

· Space – move servers to room behind server room and combine rooms

· All switches need to be installed properly in switch rack

[Figures: Server Room Switch Rack – upper/rear; Server Room Switch Rack – lower/rear]

All IDFs

· Cables were not labeled

· Cables unmanaged and tangled

· Switches located in various places

Recommendations

Network Infrastructure

Service Providers

· Connect Alpheus Communications equipment and integrate new services into clinic infrastructure

· Find a new service provider to obtain PRIs and failover internet

Firewalls

· Obtain enterprise level firewall for Eastwood

· Obtain smaller firewalls for surrounding clinics

· NAT server IP addresses to external IP addresses

· Create more robust ACLs

· Obtain content filtering module or service for firewall

Routers

· Create new IP schema for all clinics

· Obtain enterprise level routers for all sites that support VLANs

· Configure routers with new IP schema

· Add new configurations for Alpheus services

Switches

· Obtain layer 2 and layer 3 switches

· Configure switches for VLANs

· Configure inter-VLAN routing on layer 3 switches

Server Infrastructure

Domain Controller

· Build out new Windows Domain Controller

o Active Directory

o Certificate Services

o DNS

· Build secondary domain controller

o AD

o DHCP

o DNS

o Print server

o Windows Distribution Services

· Create Active Directory domain user accounts

o Redirect My Documents folder

o Add AUP to initial startup screen via default Group Policy

o Map network drives

o Deploy printers via Group Policy

o Deploy software via Group Policy

Email Server

· Build out new Windows Exchange 2010 email server

· Migrate all users to new email

· Customize email to the client’s specifications (i.e. shared calendars, global address lists, etc.)

Database Server

· Complete installation of new hard drives and configure

· Complete installation of RAM

· Analyze current system configuration – move Media Dent to new hard drives

· Clean up OS and reconfigure all apps so they do not reside on the C:\ drive

Terminal Server

· Install new hard drives to increase capacity

· Complete configuration of Hyper-V supported DC and App server

· Move all software to new hard drives

· Clean up OS

· Work with Media Dent to install application according to their best practices

Cabling Infrastructure

Server Room

· Cabling on walls should be in conduit or cable management trays

· All cabling should be properly labeled

· All switches should be mounted on switch rack

· All servers should be mounted in a server rack

· Move switch rack to center of room or approximately 3’ from back wall and 3’ from side walls

· Mount router in switch rack

· Re-plumb cables to accommodate rack location

· Color-code cables for easier identification

· Other improvements as necessary

IDFs

· Cabling on walls should be in conduit or cable management trays

· All cabling should be properly labeled

· All servers and switches should be mounted on switch rack

· Mount router in switch rack

· Color-code cables for easier identification

· Other improvements as necessary