Security is twice the problem at 10Gbit/s

Jon Campbell of healthcare provider FirstHealth gives his views on security in that sector

Where do you start in terms of locking down the network in such an open and frenetic place as a hospital?

We’ve gone through a major process to secure our environment. We’ve implemented a combination of IDS [intrusion detection system] and IPS [intrusion prevention system] sensors, depending on where they are located.

I prefer not to use IPS in the core of the network. People will tell me all day long that IPS does not have latency issues, but I’m running 10 Gig switching, so to me there is a latency issue. And I don’t even want a perception to be there from a user standpoint. So, we use IDS in the core and IPS at the edges. And we’ve been pretty successful at that.

We also have over 2,000 Cisco security agents on our hosts. That’s been working well. They caught the Zotob virus that came out recently. When we did the design of our CSA rollout, we started out on the edge, in the WANs, because I knew that if an infection occurred, that’s where it was going to occur. So that actually was very successful.

How do you ensure QoS for wireless?

We’ve had good success with QoS and wireless. We just set up an individual wireless voice virtual LAN. We apply QoS to that particular VLAN, and we always service that VLAN first, no matter what.

We use the Wireless LAN Solutions Engine [a Cisco software product for managing WLAN access points] to monitor that. It gives instant feedback, so if I get congestion in one area, I get an email saying that we’re suffering congestion in this area.

As we started getting more wireless devices in the network, we ended up setting up wireless access points with 802.11a and 802.11b/g for different users. Now I have [802.11a] APs running at 5GHz, and 802.11b APs running at 2.4GHz. I split them up: for wireless laptops that stay in one area, I use 802.11a; for roaming devices that go everywhere, such as IP phones and handheld devices, I use b and g.

What is the condition of your LAN? Are you forcing gigabits of traffic through megabit-sized pipes?

In the core, we have three Catalyst 6500 switches, and in the server farm, the switches are Catalyst 4500s. All server farm switches have [10 Gigabit Ethernet] uplinks to the core. We’re migrating all high-capacity links to 10Gig; all interconnects between our core 6500s are 10G.

Our [radiology picture archiving and communications, or PACS] system is the driver for that. PACS is a bandwidth hog [with images that can range from 100MB to 500MB]. But one of the nice things about FirstHealth that I really love is that if you say, “To support this, we need to do that,” you get it done.

Are you interested at all in the new IEEE standard for 10 Gigabit Ethernet over Category 5e/6 copper wiring? Do you see that as a way to expand 10G or to cut current fibre costs?

The interesting thing is, the way copper pricing is right now, I wonder which is going to be cheaper in the end? Personally, I think fibre is cheaper in the end. Not right now, but maybe in a few years.

When you look at the cost of copper going from 50 cents a pound to US$2 a pound, the expense to me is going to balance out soon. I’ve seen us paying about US$30 for 1,000 feet of [category 6] copper wiring. Now we’re paying close to US$90 (NZ$148). And it’s just going to continue to go up as demand increases.

You might not think that demand for copper among developing economies would affect wiring prices, but there’s a direct link there.

Cisco talks a lot about its Services Oriented Network Architecture (SONA), which is supposed to tie together network infrastructure with voice, video, data, security and applications. Do you see SONA as a technology architecture that you can adopt?

From my perspective, it’s a way to securely converge all the voice, video and data, and all the infrastructure. I like the concept of creating multiple networks over the same infrastructure. Sometimes it’s hard to get your head around it. But with my job, I spend a lot of time doing research. Cisco can get pretty bold in what they’re trying to shoot for, but the overall concept is pretty good.

What was your motivation for getting CCIE-certified?

It just felt like the next level to go to. I had a degree in engineering and when I was starting out working at Unisys, at one of my first jobs, I saw these guys called CNEs [Certified Novell Engineers]. These CNE guys had no technology degrees, but they were making twice what I was making. So that’s the first thing I did, was go and study to be a CNE.

The CCIE was a whole different level. For 15 years, I’ve worked with all the routing protocols and technologies. I took the [CCIE] written test and passed it. Then I took the lab test and I realised I was an idiot. I realised there were all these different things that I’d done, but no real way of putting it all together. The amount of knowledge that I had and what I was learning was all being put together as I was going through this process and it was just tremendous.

Are you dealing more with managing staff, or are you dealing with nuts-and-bolts issues?

I’m the director of network services, and I have a staff of 15 people. And a lot of people say, you’re a director, why should you be doing this [hands-on] stuff? The way the CIO sees my role is not just as a manager, but also as the technical leader. When we have new designs to implement, basically, they come to me to work these things out. I enjoy the experience of going through the process. The amount you learn, not just from books but also from other people, is fabulous.
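The wireless voice VLAN described earlier (a separate VLAN for wireless voice, QoS applied to it, and that VLAN serviced first) maps onto a short Cisco IOS switch configuration. The fragment below is an added illustration for this page, not FirstHealth's or Cisco's configuration: the VLAN IDs, interface names and the Catalyst 3750-style `mls qos` / `srr-queue` syntax are assumptions, and the exact QoS commands differ between Catalyst platforms, so check them against the platform's own configuration guide before use.

```cisco
! Added example (not from the interview). VLAN IDs and interface are assumptions.
! Enable QoS globally; without this, marking and queueing commands have no effect.
mls qos
!
! Separate VLANs so voice traffic is isolated from data traffic at layer 2.
vlan 110
 name WIRELESS-VOICE
vlan 120
 name WIRELESS-DATA
!
! Trunk to a WLAN access point carrying both VLANs.
interface GigabitEthernet1/0/10
 description Uplink to WLAN access point
 switchport mode trunk
 switchport trunk allowed vlan 110,120
 ! Trust the DSCP markings the AP applies (voice = EF / DSCP 46).
 mls qos trust dscp
 ! Turn egress queue 1 into a strict-priority queue so voice is always serviced first.
 priority-queue out
!
! Map DSCP 46 (EF) into queue 1, threshold 3, i.e. the strict-priority queue above.
mls qos srr-queue output dscp-map queue 1 threshold 3 46
```

Two practical checks: `show mls qos interface GigabitEthernet1/0/10` confirms the port is trusting DSCP, and `show mls qos interface GigabitEthernet1/0/10 statistics` shows whether EF-marked frames are actually landing in the priority queue; if the counters sit on a non-priority queue, the AP is not marking voice as EF and the VLAN split alone will not deliver the "serviced first" behaviour.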
