Managing big enterprise wireless LANs is a matter of weaving together a variety of products and policies, according to St. Vincent's Hospital in Birmingham, Ala. The IT group blanketed the hospital's five-building campus with 167 Cisco Systems Inc. wireless access points to create one of the biggest Cisco mobile deployments in the Southeast. In doing so, the group ran into a number of problems and discovered there is no silver bullet for solving them.
"As we pushed the wireless LAN envelope in various areas, we found there's never one company that can deliver everything you want," says Tim Stettheimer, CIO for the 138-bed hospital, part of the Ascension Health System, which has 55 hospitals nationwide. "Cisco has some great tools, and they're always improving. But we wanted to fill the gaps in managing our access points."
Those gaps included monitoring access-point radio signals, detecting intruders, setting up group-based authentication and configuration policies, tying into the hospital's Remote Authentication Dial-In User Service (RADIUS) servers, and optimizing wireless bandwidth use.
The 11M bit/sec 802.11b wireless LAN, based on Cisco's Aironet 350 802.11b access points, covers all five buildings. Wireless support is seen as an essential step in letting doctors and nurses access the most current data anywhere at anytime.
"You're too limited in a wired net to meet that goal," Stettheimer says. "No matter how many computers you have on desks, they don't give the ability for a physician or nurse to access medication histories, medical images and assessment data anywhere, and that is critical."
Multiple wireless options
Users with laptops, tablet PCs and some PDAs connect wirelessly to the net, and run Citrix Systems Inc.'s MetaFrame client/server software to access server-based clinical and administrative applications and databases. MetaFrame's Intelligent Console Architecture protocol is designed to efficiently send instructions to the Windows graphics subsystem on the client device, which then displays only the application screen. This system, developed for the wired net, was easily extended to wireless laptops and tablets, so users had full-screen, full-keyboard access to applications and data at bedsides, in hallways or in waiting rooms.
Stettheimer says this server-based approach lets an array of client devices wirelessly work with massive medical files, with no bandwidth problems.
Network managers monitor signal strength at individual access points and check for unauthorized or rogue radios using Fluke Electronics Inc.'s OptiView network analyzer. The handheld device analyzes radio waves and can detect unauthorized access points for clients. Data can be transferred for storage and analysis to a companion program running on a Windows PC.
The St. Vincent wireless LAN is representative of what are, today, large-scale campus deployments. The main problem is that every added access point represents an entirely separate node that has to be set up, configured, updated, monitored and managed. "Once you get to a certain size with wireless nets, the real problem is how to deal with all these access points," Stettheimer says.
For setting up user access privileges and for configuring the access points, St. Vincent's network managers rely on Wavelink Corp.'s Mobile Manager software. This role-based tool lets physicians working in their offices have one set of access privileges and security settings, while clerks working in payroll and accounting have a different set.
"You can let a new person in the [human resources] department inherit the access rights of all members of that department," he says. "You can group the access points based on functions. And then you can deploy upgrades or make changes based on these functional categories."
Rolling out a new revision of Cisco's IOS software to the access points would be a lengthy process if it had to be done at each location. Using Wavelink's Mobile Manager, St. Vincent's will be able to push the next IOS version to every access point without loading each one individually.
The Wavelink software can send out alerts for a range of wireless LAN problems. The alerts pop up on a new Web browser window on a manager's screen. Managers can drill down for more details without having to hunt manually for a failed access point.
Security precautions are a special concern now that strict new federal privacy and security requirements, part of the Health Insurance Portability and Accountability Act, are about to take effect. Fluke's OptiView lets the network staff sweep regularly for unauthorized wireless LAN radios. Users authenticate via the enterprise RADIUS servers. Hospital policy forbids configuring an access point to broadcast its Service Set Identifier (SSID, the device's network name). The media access control (MAC) address of each authorized access point is registered in a network database as a further way to bar outsiders from network access.
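One way to turn the registered-MAC database and the regular OptiView sweeps described above into a repeatable check, as an added example that is not the hospital's, Cisco's or Fluke's code: the registry, the sweep export format and every MAC address below are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed registry standing in for the hospital's database of authorised
# access points (MAC -> location). All addresses here are made-up examples.
AUTHORISED_APS = {
    "00:40:96:aa:00:01": "Building 1, ICU wing",
    "00:40:96:aa:00:02": "Building 2, radiology",
    "00:40:96:aa:00:03": "Building 3, emergency",
    "00:40:96:aa:00:04": "Building 4, pharmacy",
}

# Constructed sweep export, as a handheld analyser might produce it:
# (bssid, ssid or None when hidden, channel, signal dBm)
SWEEP = [
    ("00:40:96:aa:00:01", None, 6, -48),              # authorised, SSID hidden per policy
    ("00:40:96:aa:00:02", None, 11, -61),
    ("00:40:96:AA:00:03", "STV-CLINICAL", 1, -55),    # authorised, but broadcasting its SSID
    ("00:0c:29:de:ad:01", "linksys", 6, -70),         # not in the registry
]

@dataclass(frozen=True)
class Finding:
    bssid: str
    severity: str   # high = unregistered radio, medium = policy drift, low = AP silent
    reason: str

def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-40-96-AA-00-03 matches the registry."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(sweep, registry) -> list[Finding]:
    """Compare one sweep with the registry and return findings in sweep order."""
    known = {normalise_mac(m): loc for m, loc in registry.items()}
    seen, findings = set(), []
    for bssid, ssid, channel, _signal in sweep:
        mac = normalise_mac(bssid)
        seen.add(mac)
        if mac not in known:
            findings.append(Finding(mac, "high", f"unregistered radio on channel {channel}, SSID {ssid!r}"))
        elif ssid is not None:
            findings.append(Finding(mac, "medium", f"{known[mac]} is broadcasting SSID {ssid!r}"))
    for mac, loc in known.items():
        if mac not in seen:
            findings.append(Finding(mac, "low", f"{loc} not heard during this sweep"))
    return findings
```

Running `reconcile(SWEEP, AUTHORISED_APS)` flags the unknown radio, the registered access point that drifted from the no-broadcast policy, and the registered access point that went silent, which are the three conditions the sweeps are meant to catch.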
Hashing out security
Stettheimer holds what he calls "security brainstorming sessions" with his network staff, both wired and wireless, on a three-week rotating schedule. The sessions are intended to hash out what's being done and why, identify new threats and new countermeasures, and keep abreast of new security technologies for network access, such as fingerprint or retinal scans.
Finally, the network group has a set of contingency plans for containing a security breach. "We've only had one, and that was to contain a virus," he says.
The administration and security framework that's been set up is being used in the next phase of the network: giving patients and visitors wireless access to the Internet via the same access points that physicians and administrators use.
That access will be made possible by a pending Cisco software upgrade that will let one access point support several virtual LANs, so that visitors can be segregated on one VLAN while doctors work unhindered on another. -- Network World (US)