Challenges

Ottawa Regional’s campus spans eight buildings, which are interconnected with a private fiber network. A physician office is connected to the main campus through T-1 circuits.

The hospital wanted to upgrade its 100 Mbps campus network to 10GbE. It also wanted to enhance network reliability and availability to meet the rigorous demands of healthcare IT, while minimizing complexity and reducing operating expenses. It was time for a new approach and “the new network.”

Ottawa Regional’s new campus network had to meet several requirements. First and foremost, it needed a high-performance infrastructure to support voice over IP (VoIP) and new healthcare information management software. Higher WAN speeds were also essential to support its enterprise virtual private network (VPN), remote access, and a quality voice experience.

The hospital also wanted to improve network resiliency. Its Ethernet switches were daisychained on the fiber, which meant that if one switch failed, the entire network could go down. Plus, the incumbent switches didn’t support Power over Ethernet (PoE), which the hospital needed to support IP telephony. Furthermore, the campus WAN architecture had a single point of failure that could negatively impact the hospital’s enterprise VPN, firewall, and WAN services.

Solution

The hospital deployed Juniper Networks routing, switching, and security solutions to build its new network and also installed new single-mode fiber between campus buildings to support high-performance networking. The campus network consists of Juniper Networks® EX Series Ethernet Switches. The EX4200 line of Ethernet switches with Virtual Chassis technology provides carrier-class performance in a single rack unit form factor that is easy to deploy and manage. The EX4200 switches are also powered by Juniper Networks Junos® operating system.

Virtual Chassis technology enables up to 10 interconnected EX4200 switches to behave and operate like a single logical device, reducing management overhead and operational expenses. Switches can be added to a Virtual Chassis configuration incrementally, as needed, delivering a scalable and energy efficient solution that doesn’t demand a large up-front investment.

Ottawa Hospital deployed Juniper Networks J Series Services Routers at the network edge. The J6350 Services Router is a modular router that’s ideal for enterprises running desktops, servers, VoIP, and enterprise applications. The Juniper routers connect the hospital to the high-speed Illinois Century Network (ICN) as well as AT&T for redundant WAN connectivity.

Juniper Networks SRX Series Services Gateways provide firewall, VPN, and intrusion prevention system (IPS) as well as antispam, antivirus, and Web filtering, protecting the hospital against known and emerging threats. Physicians and administrative staff at Ottawa Regional have secure remote access to key applications via any standard Web browser, thanks to Juniper Networks SA4500 SSL VPN Appliance. The use of SSL eliminates the need for preinstalled client software, changes to internal servers, and costly ongoing maintenance and desktop support. The SA Series provides Ottawa’s IT staff with extranet features that allow controlled access to differentiated users and groups without requiring infrastructure changes, demilitarized zone (DMZ) deployments, or software agents.

Results

One of Ottawa Regional Hospital’s biggest benefits from its new network is the ability to do more with less. With the new network the hospital increased network capacity more than 20 times from its previous infrastructure. The hospital has 10GbE links per fiber strand, which is enabled by a full 20GbE fiber ring to improve network resiliency. With J Series routers, the hospital has successfully migrated from a static routed environment to OSPF, which has improved network resiliency.

The EX Series switches gave the hospital the port density it needed to support core and edge access. It has 48 1GbE PoE ports in a compact platform on the EX Series switches. The routing infrastructure has sufficient room to grow as well, moving from supporting just one T1 to three T1s for redundancy.

Junos OS, a single network operating system that runs across Juniper Networks routing, switching, and security platforms, reduces cost and complexity, minimizes operator error, and increases reliability. Because Junos OS automates network operations in a streamlined system, Ottawa’s IT staff has more time to focus on strategic, proactive efforts.

The hospital has also been able to improve security to better comply with regulatory requirements such as the Health Information Portability and Accountability Act (HIPAA). The hospital now enjoys best-in-class enterprise network compliance security while protecting against emerging security threats. Plus, physicians and staff have secure and easy access to essential applications from anywhere, anytime, which allows the hospital to deliver better patient care.

Excerpted and reposted with permission from Juniper.net (pdf).

1. 0
2. 50
3. 100
4. none

The correct answer is 1.

When working from the command line (CLI) all interfaces other than the inside interface get a default security level of 0 (Most untrusted).

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security

1. Reliable and secure Wi-Fi access. Smartphones, tablets, and wireless IP phones need the speed and stability of Wireless-N (802.11n) network access, as well as quality of service (QoS) support. Some wireless routers integrate security — such as VLANs, firewall, VPN, and security services — to increase and simplify your control.
2. Power over Ethernet (PoE). PoE juices up a network in two ways: It gives you more flexibility locating wireless access points and other wired devices, and it adds more power per port to support higher-draw technologies such as Wireless-N.
3. Stronger network security. Mobility, social networking, cloud services, and international hacking are growing. Is your security technology keeping pace? Essential technologies include content security, firewall, VPN, and VLANs. Integrated security solutions can increase application performance and give you better control.
4. Collaborative communications. Businesses can reduce operating costs and raise productivity by through unified communications and video and audio conferencing applications. Collaboration technologies demand high-performance, high-availability connections and reliable, intuitive user devices, ranging from basic IP phones to unified IP phones.
5. High-performance, high-availability connections. Businesses that use mobile devices, cloud applications, or IP voice or video require a fast and efficient traffic flow. If you want to optimize your traffic flow by investing in a new router or switch (or DNS server), it should include support for IPv6.

Recreated with permission from Cisco.com.

The answer is False.

The Cisco ASA AIP-SSM does not support hot swap capabilities. To install the module, you must first shut down the Cisco ASA adaptive security appliance. You then power on the appliance after the module has been installed.

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security

1. failover preempt
2. reset failover
3. failover primary
4. failover active

The correct answer is 4.

Use the failover active command when you need to force the current unit into the active state. This need can occur in a situation such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the current standby unit.

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security

1. 1
2. 2
3. 4
4. 10

The correct answer is 2.

The transparent adaptive security appliance supports only two traffic passing interfaces. If the adaptive security appliance platform supports a dedicated management interface, you can also enable the management interface for management traffic only.

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security

The ICMP existed for more than 30 years, having largely been specified in RFC792. Most network engineers are familiar with its diagnostic capabilities via ping and the assorted “unreachable” messages. What’s most likely not as well recognized is that the ICMP message often contains the first 28 bytes of the packet that caused the error. Since the IP header itself is frequently limited to 20 bytes, this ensures that the source and destination addresses will be seen since these are at the end of the header. An excellent graphic of the ICMP error message can be seen below.

With the embedding of IP addresses in this return packet in mind, a network admin is presented with an interesting diagnostic challenge. If the “packet that caused the error” (as often stated in the return message) was translated by a Network Address Translation (NAT) device between its point of origin and the point of error, then the reported source address needs to correlate to the current NAT device translation table — a bothersome task at best.

Cisco Systems provided NAT support for such a scenario in the PIX Operating System version 6.3 with the fixup protocol ICMP error command. As the Configuration Guide for this operating system suggests, the recognition of NAT-relevant IP addresses in diagnostic return messages was implemented before the general inspection capability for ICMP packets introduced in ASA/PIX OS7.0. In addition, the syntax changed with this release to “deprecate” (Cisco lingo for obsolete) the fixup command and replace it with the more general inspect.

One of the implied fringe benefits of the switchover to the inspect syntax is to use this as part of the overall Modular Policy Framework capability of OS7.0 and beyond. A network administrator could configure the ASA for the inspection of ICMP error packets to occur only for specific flows (from the out-of-band IT management network, for example). This would avoid a potentially unnecessary saturation of the NAT table.

1. ACLs
2. uRPF
3. AIP-SSM
4. Shunning

The answer is 2.

Specifying Cisco ASA adaptive security appliance per-interface access rules to protect against source-spoofed packets can be a labor-intensive task. As the adaptive security appliance can refer to its routing table to determine which networks are reachable through which interface, it can also use its routing table to validate source addresses of incoming packets. The technique is called Unicast Reverse Path Forwarding (uRPF), and the Cisco ASA adaptive security appliance supports the strict uRPF usage, where packets must arrive over the correct interface in order to be accepted.

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security

1. Windows
2. Linux
3. Mac OS X
4. Solaris

The answers are 1, 2, and 3.

ASDM is supported on Windows, Linux and Mac OS X.

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security

1. IPS
2. Proxy
3. Dynamic firewall
4. Stateful firewall

The answer is 2.

An application layer gateway (ALG) is commonly called an (application) proxy. It is a piece of software that is designed to act as an intermediary and relay application layer requests and responses between clients and servers.

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security