1、醫療行業 無線處理方案第1頁企業介紹第2頁HPE and ArubaBetter Together“Clients globally should consider HP Aruba for all wired / WLAN access layer opportunities.” Gartner MQ for Wired and Wireless LAN Access Infrastructure, August Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure Septem

2、ber . Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number: G00277052 This Magic Quadrant graphic was published by Gartner Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is

3、a graphical representation of a marketplace at and for a specific time period. It depicts Gartners analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does no

4、t advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warra

5、nties of merchantability or fitness for a particular purpose. Leader in Campus Networks第3頁 關鍵能力匯報 Wired and Wireless LAN Access InfrastructureEnterprise Unified Wired and WLAN AccessHPE Aruba 4.14Cisco4.14Avaya3.64Extreme3.63Enterprise Wired-Only ConnectivityCisco4.24HPE Aruba4.15Juniper3.91Brocade3

6、.74Enterprise Wireless-Only ConnectivityHPE Aruba4.11Cisco4.06Aerohive3.82Avaya3.55SMB and/or Small or Remote Branch OfficeHPE Aruba4.12Cisco4.11Avaya3.62Extreme3.61Voice Over WLANHPE Aruba4.10Cisco4.05Aerohive3.81Avaya3.53IaaS or Managed ServiceHPE Aruba4.14Cisco4.11Aerohive3.63Avaya3.61Source: Gar

7、tner Critical Capabilities for the Wired and Wireless LAN Access Infrastructure September . Bill Menezes, Tim Zimmerman, Andrew Lerner, Michelle A. Brosnahan, ID Number: G00270164. The data used in creation of this table was published by Gartner Inc. as part of a larger research note and should be e

8、valuated in the context of the entire report. The Gartner report is available upon request from HP. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other desig

9、nation. Gartner research publications consist of the opinions of Gartners research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a parti

10、cular purpose.第4頁全球超出500家高端醫院正在使用Aruba無線處理方案第5頁是多家專業醫療廠商合作處理方案提供商New IEC 80001-2 StandardRecommends against multiple SSIDSStresses airtime fairnessHighlights spectrum analysisDropouts as low as 0.02% 第6頁方案設計介紹第7頁醫療行業正在革新LocationMobile EngagementGuestAccessMobileEHRDigital ImagingIoT第8頁查房，以前第9頁護理，以前第

11、10頁現在天線Skype話機行動護理計算機藥品盒針頭盒垃圾袋鍵盤Web護理信息系統電池椅子第11頁新生兒防盜第12頁整體網絡架構INTERNETAC7210-1AC7210-2關鍵交換機關鍵交換機POE接入交換機POE接入交換機APAP醫療內網防火墻/網閘防火墻關鍵交換機AC7000醫療外網WAN/4GRAP-3家/酒店/救護車服務器群第13頁內外網融合方案內網流量INTERNETAC7200-1AC7200-2關鍵交換機關鍵交換機POE接入交換機POE接入交換機AP-325AP-325醫療內網防火墻/網閘防火墻關鍵交換機AC7000醫療外網WAN/4GRAP-3家/酒店/救護車服務器群第14

12、頁內外網融合方案外網流量INTERNETAC7200-1AC7200-2關鍵交換機關鍵交換機POE接入交換機POE接入交換機AP-325AP-325醫療內網防火墻/網閘防火墻關鍵交換機AC7000醫療外網WAN/4GRAP-3家/酒店/救護車服務器群GRE隧道第15頁案例：中山大學從屬腫瘤醫院，無線外網應用GRE控制器認證系統GRE隧道第16頁新一代控制器OS -Multizone AP 3-node ClusterPrimary ZoneMobility Master/StandbyStandalone中國電信Standalone中國移動Standalone中國聯通Standalone邁外迪

13、第17頁遠程VPN訪問方案如遠程會診INTERNETAC7200-1AC7200-2關鍵交換機關鍵交換機POE接入交換機POE接入交換機AP-325AP-325醫療內網防火墻/網閘防火墻關鍵交換機AC7000醫療外網WAN/4GRAP-3家/酒店/救護車服務器群GRE隧道IPSEC隧道第18頁點位設計多層布署第19頁點位設計多層布署第20頁SSID 設計內部員工SSID認證方式802.1x認證，EAP-PEAP或EAP-TLS醫生護士移動終端、醫療設備和語音視頻終端外網SSID認證方式MAC+portal雙原因認證首次portal認證成功后，后臺自動將用戶名和MAC地址綁定后續連接做無感知認證

14、（MAC認證）住院病人MAC地址綁定使用期為5天，每個帳號只能綁定一個終端病人家眷經過注冊手機號接收密碼短信或微信認證， MAC地址綁定使用期為1天，每個帳號只能綁定一個終端醫生MAC地址綁定使用期為1個月，每個帳號可綁定兩個終端部分醫生和病人及家眷終端啟用終端隔離第21頁不間斷無線醫療網絡接入智能優化終端與AP之間無線連接非優化連接問題消除 = 大幅降低醫生護士投訴基于802.11標準，不需要安裝任何終端軟件實時射頻校準DEVICE TYPEINTERFERENCELOCATIONCONGESTIONMU-MIMO AwareAruba ClientMatch專利技術漫游優化設計第22頁Ar

15、uba ClientMatch 極大改進“粘滯”終端問題 終端漫游后自動優化到最正確AP終端漫游后依然“粘滯”在原來AP上不具備CLIENTMATCH第23頁案例：上海兒童醫院，卓越漫游及定位效果第24頁第三方測試評定項目主要有：射頻穩定性（ping包延遲）連續漫游（挑選其中14個AP，Ping + RSSI統計）無線定位（評定準確度、延遲）移動查房系統評定項目主要有：漫游下系統訪問速度故障排查工具（AirWave）測試點位第25頁漫游測試用例：一共14個AP，終端為thinkpad x201（測試機構提供），以低于正常步行速度連續移動，觀察切換過程，并統計丟包情況和信號強度漫游切換次數：Ci

16、sco 7/8次vs Aruba 13次（100%）切換時RSSI： Cisco -70dBm左右 vs Aruba -50至-65 dBm（Aruba結果見上圖）測試結果第26頁傳統安全架構Enterprise PerimeterEmployeesEmployeesWANBranch OfficeBranch EmployeesInternetData CenterVisitorsContractorsEnterprise PerimeterHome OfficesPartner Sites第27頁Aruba基于角色和內容感知策略執行Data CenterBillTammyPartnersB

17、ranch EmployeesSteveBobJaneScottKimContractorsVisitorsJane第28頁實現基于角色用戶接入控制ApplicationServices 外來訪客 醫生護士醫療設備患者、家眷 醫院領導Virtual AP 1SSID: HospitalVirtual AP 2SSID: GUESTDMZRADIUSLDAPADCaptive Portal基于角色接入控制接入權限Secure TunnelTo DMZ基于SSID接入控制醫院領導醫生護士醫療設備患者、家眷外來訪客第29頁愈加直觀用戶體驗Aruba方法：基于角色動態策略傳統方法： 基于SSID實現權

18、限分離第30頁SSID：SYSUCC-In作用：醫院內網無線終端接入無線網絡認證方式：采取MAC認證和802.1X認證結合認證方式MAC認證（經過） = 802.1X認證 = 賬號身份匹對 = 匹配對應策略MAC認證（失敗） = 拒絕接入隔離功效：啟用二層隔離功效，即同個VLAN下終端無法相互訪問SSID廣播：隱藏SSID案例：中山大學從屬腫瘤醫院，內網接入認證方式第31頁ClearPass Policy Manager NAC 處理方案CLEARPASS POLICY MGROnboardGuest內置:策略引擎RADIUS/CoA/TACACS終端識別計費/報表身份存放Expandable

19、 ApplicationsREMOTE LOCATIONBYOD onboarding簡單訪客接入健康檢驗OnGuard第32頁ClearPass 關鍵功效NETWORK EDGEMulti-VendorWired/Wireless/VPNNETWORK COREProfilerAAA/RADIUSNACCert. AuthorityOnboardingGuestDevice RegistrationVisitorEmployeeEmployee BYODHeadless DevicesContractorAdministratorUSERSPolicy Visibility - Workfl

20、owAD/LDAPSQLTokenPKIIDENTITYSOURCESClearPassUser/RoleTime/DayLocationDevice Type/HealthCONTEXT第33頁Adaptive Trust for end-to-end policyBest of breed security and productivity systemsClearPassUsers, Device and App trafficClearPass Exchange第34頁ClearPass 交換生態系統InfrastructureMDM / EMM使用實時終端數據進行網絡控制基于位置和時

21、間顆粒化控制Next-Gen Perimeter Defense SIEM, Automation, MFA基于用戶和終端顆粒化流量控制可視化和交互式控制功效第35頁例子: 準入風險保護 Firewall / IPSLAN/WLANUser connects and downloads threatNGFW/IPS sends event to ClearPassClearPass isolates clientOffers enhanced user experience as ClearPass can initiate user notifications, help-desk tick

22、ets, and update third-party security solutionsDevice in step 2 can be MDM/EMM, SIEM, etc.123第36頁為了保護移動查房iPad安全，醫院采取了MDM廠商MobileIron處理方案；每個iPad有獨立證書；經過Aruba CPPM與MobileIron服務器聯動，CPPM實時同時終端信息，確保僅允許有效終端接入網絡中；ClearPassCPPM依據終端屬性下發策略給AC，由AC決定是否允許終端接入網絡及訪問權限1.2.服務器ACAP案例：北京宣武醫院，iPad移動查房MDM應用第37頁BYOD證書分發Do

23、mainKey & Certificate企業 PKI and CA內置 ClearPass CACertificateAuthorityValidation AuthorityRegistrationAuthorityActiveDirectoryIT-ManagedDevicesDomainUserDeviceKey & Unique CertificatePersonalDevicesCACertificateAuthorityADRAVACA第38頁針對患者、家眷自注冊訪客接入頁面可定制化，嵌入醫院推廣信息可引導患者下載醫院APP支持社交網絡登錄支持無感知認證登錄 ClearPass

24、Guest第39頁智能應用流量控制 AppRFEHR and communication prioritizedBandwidth allocated to Healthcare applicationsAppRFMedium priority healthcare appsHigh priority real-timeLow priority personal第40頁AppRF 策略執行防火墻Block/Unblock, Throttle, QoSEnable/Disable Firewall Visibility第41頁AppRF Web內容分類Simple ControlSelect b

25、y: Web categoryURLRoleApply policy (block,throttle, prioritize)Web reputation scores第42頁無線安全控制經過AirWave RAPIDS阻止非法AP- 自動探測& 抑制掃描無線+ 有線網絡判定全部連接設備集合 & 關聯結果降低誤報威脅分類定義 & 自定義規則警告 & 報表警告安全團體抑制自動或手動第43頁2.1.1: Dont Use Defaults2.2: Standard Config4.1.1: Better Than WEP6.1: Get latest patches 7.2:Role-based

26、Access10: Monitor Access1.1.2: Inventory WLAN1.2.3: Firewall WLAN9.1.3: Physical Security11.1: Wireless Scanning/NAC11.1: Wireless Scanning/NAC11.1: Wireless Scanning/NAC1.1.2: Inventory WLAN1.2.3: Firewall WLAN9.1.3: Physical SecurityPCI v2.0 標準Wireless LAN Is Considered A Public NetworkCategory 1N

27、o WLANCategory 2No cardholder data over WLANCategory 3Cardholder data over WLANPCI Security Controls With ArubaAPs for scanning onlyAirWave to log/reportAPs in hybrid modeBuilt-in Firewall segments WLAN AirWave to log/reportAPs in hybrid modeSupplement with AMsWPA2 EnterpriseBuilt-in Firewall segmen

28、ts WLAN AirWave to mitigate rogues, log & report第44頁電磁兼容性設計對電子醫療設備無電磁干擾認證機構：TUV Rheinland of North AmericaTUV Rheinland of North America是一家著名對全球產品提供美國和加拿大市場準入認證服務企業，擁有美國職業安全與健康管理局（OSHA）授權全國公認測試試驗室（Nationally Recognized Testing Laboratory），NRTL對特定產品或材料進行測定，并擔保這些產品或材料滿足OSHA所要求相關安全標準，以確保這些產品在美國市場使用是足夠安

29、全。TUV有權依據美國國家標準為全球產品提供正當認證，成功經過測試并取得美國市場準入證書產品將取得TUVus標識。加拿大標準委員會（Standards Council of Canada）也授權TUV Rheinland of North America依據加拿大國家標準對產品進行測試和認證，成功經過測試并取得加拿大市場準入證書產品將取得cTUV標識。成功經過測試并取得美國市場和加拿大市場認證產品將取得cTUVus標識，表示該產品能夠同時滿足兩國規范。認證標準：EN 60601-1-2:EN 60601-1-2:（醫用電氣設備 第1-2部分：安全通用要求 并列標準：電磁兼容性 要求和試驗）為歐

30、洲標準，較國際標準IEC 60601-1-2:更為嚴格。 第45頁ARUBA取得TUV認證經過第46頁為醫院量身訂做組網架構終端接入管理ClearPassHIS (Oracle)電子病歷(DB2)控制器(Standby)控制器(Active)網絡管理AirWave有線內網住院留院輸液內部專線Internet網管數據認證數據無線控制(Master)總院有線內網分院有線內網分院分門診IAP(虛擬AC)IPSec VPN遠程診療院領導、教授客戶端RAP3G/4G，ADSL3G/4GADSL控制器控制器第47頁Aruba AirWave時刻看護移動醫療網絡健康終端網絡端到端可視化無線射頻環境質量可視化

31、網絡歷史統計數據可視化無線網絡應用質量可視化RADIUS, DHCP, DNS IP網絡關鍵服務可視化第48頁全方面網絡可視化性能和故障可視化管理終端網絡端到端可視化無線射頻環境質量可視化有線網絡關鍵服務可視化無線網絡應用質量可視化第49頁全方面網絡可視化性能和故障可視化管理終端網絡端到端可視化無線射頻環境質量可視化有線網絡關鍵服務可視化無線網絡應用質量可視化第50頁全方面網絡可視化性能和故障可視化管理終端網絡端到端可視化無線射頻環境質量可視化有線網絡關鍵服務可視化無線網絡應用質量可視化第51頁全方面網絡可視化性能和故障可視化管理終端網絡端到端可視化無線射頻環境質量可視化有線網絡關鍵服務可視化

32、無線網絡應用質量可視化第52頁基于位置服務，帶來不一樣體驗wave2全系列AP內置Beacons第53頁產品介紹第54頁Broad Portfolio of WLAN ConnectivityHospitality Access Points103H2 ports11n dual205H3 ports11ac dualPSEIndoor Access Points330 Series 11 ac WAVE 2Highest Density4x4 MU-MIMO2.5 Gbps, Dual uplinkSmart Rate (2.5GBASE-T)Outdoor Access Points270

33、 SeriesOutdoor3x3 11acHardened Access Points228 SeriesIndustrial grade3x3 11acBroad Portfolio of WLAN Connectivity310 Series 11ac WAVE 2Carpeted space3x3 MU-MIMO 2.1 Gbps320 Series 11ac WAVE 2Highest Density4x4 MU-MIMO 2.5 Gbps, Dual uplink200 SeriesLower density2x2 11ac MIMO 1.2 Gbps103 SeriesLower

34、 cost2x2 11n 600 MbpsRemote Access PointsRAP-32 ports, 2.4GHz, PSERAP-108/1091 port, 11n dual radioRAP-1554 ports, 11n dual radio, PSE210 Series 11ac WAVE 1Carpeted space3x3 MIMO1.9 Gbps220 Series 11ac WAVE 1High Density3x3 MIMO1.9 Gbps, Dual uplink第55頁 Controllers scale from branch to campus7030Lar

35、ge branchUp to 64 APs and up to 8Gbps throughputMidsize branch with integrated switch12 or 24 ports of PoE+ for unified branches Up to 32 APsSmall branchVirtualized or PoE-powered controllersMidsize CampusHigh performance, fixed form factorUp to 256 APs, 12 Gbps throughputLarge CampusHigh performanc

36、e, redundant power/fan512 2048 APs, up to 40Gbps throughput72407220721072057024 (24 PoE+)7010 (12 PoE+)VMC-TACT (8/16 AP)7005/7008 (16 AP) Branch Campus7024 32 AP/2K Devices, 24 PoE, 4 Gbps第56頁案例介紹第57頁Customer Requirement國立成大醫院成立于1981年，是南臺灣主要醫學中心，當前員工約2,400位并提供1100個病床及每日約4,000人門診服務。本項目擬建置壹套無線馬上尋址系統(

37、RTLS)來作為并病患及儀器設備追縱，而且能擴充使用無線語音(VoIP)服務來作為內部語音溝通，所以整套無線網絡需具備穩定信息存取和高質量語音整合服務。Solution成大醫院選擇了Aruba無線網絡，因為測試后Aruba能與AeroScout WiFi-tag整合并達成精準位置追縱能力，成大醫院并使用3.5G網卡搭配Aruba AP來作為小區服務遠距聯機需求，且透過無線入侵防護(WIPS)功效與暨有資安網關搭配，以增加成大醫院整體資安防護能力。Deployment本案使用了Aruba A6000無線總控器及300多顆AP61及AP70無線AP，為了達成整體資安考慮，成大醫院使用了無線防火墻(PEF)與無線入侵防護(WIPS)和遠程訪問AP服務之功效，作為醫護人員與行動護理推車和訪客都能含有獨立無線存取管制能力，以及保護全部使用者防止惡意無線攻擊問題，而遠程訪問功效(RAP)則提供醫療人員遠距存取HIS機動能力。第58頁昆明醫學院第一從屬醫院昆明醫學院第一從屬醫院是一所集醫療、教學、科研、干部保健于一體大型綜合醫院。始建于1941年，原為“國立云南大學醫學院從屬醫院”（即云大醫院），是昆明醫學院最早設置從屬醫院。掛牌為第一臨床醫學院。1993年1月被國家衛生部首批評定為