Secure Voice and Data Over Wi-Fi Moves Baycrest to Switch to Aruba

The goal was simple: give doctors, nurses and administrators a single 802.11 a+b/g network over which they could transmit voice and data without huge operational expense and management complexity. However, Baycrest Centre for Geriatric Care (Baycrest) had already deployed “fat” AP throughout its four-building health care facility in Toronto, Canada. Enter Aruba Wireless Networks.

“We initially deployed a distributed environment of fat APs everywhere but quickly found that we just couldn’t effectively manage or secure the network,” said Wayne Harris, manager of Technical Services at Baycrest.

”Just the act of adding MAC-based filtering to our wireless network took hours and forced us to configure each AP. With Aruba it literally took one minute. When you’re paying IT staff $100 an hour, it makes a real difference, real quick.”

Baycrest’s goal was to replace its distributed legacy environment with a centralized wireless network that:

• could be managed/optimized from a single point
• provided visibility and control over the RF domain
• reduced troubleshooting times and allowed remote diagnostics
• supported a variety of different wireless devices from VoIP phones to laptops, handheld PDAs to voice communications badges
• could be used to support new applications such as voice over wireless.

Like many health care institutions, Baycrest has more than 200 doctors, nurses and administrators that are constantly on the move. To give patients a higher level of care, Baycrest staff uses some 50 wireless-enabled computers-on-wheels (COWs) to access its Meditech System and to provide patient care services such as bedside charting, monitoring and order entry. Moving forward, Baycrest needed to migrate its Ducane nurse call system to the same wireless network used for data.

To solve these problems, Baycrest replaced its existing fat APs that were installed as a feature on the wired network, with an Aruba wireless LAN switching system. The Aruba solution consisted of 70 dual-purpose, dual-mode 802.1a+b/g thin APs, a modular Aruba 5000 Wi-Fi switch deployed in the data center and Aruba’s entire suite of ArubaOS wireless applications. Aruba’s Wi-Fi switching system operates transparently over existing wired infrastructures without any physical or logical reconfiguration. This allowed Baycrest to build a dedicated and centrally managed wireless infrastructure that used the existing IP network as transport.

With the Aruba system, Baycrest quickly realized the advantage of being able to drop in APs and have them automatically configure and calibrate based on the surrounding RF environment. These features also allowed Baycrest to add capacity and throughput as demand increased. With plans to support large medical image files over the wireless LAN, the shared medium can suffer in performance. But as capacity grows, more Aruba “thin” APs can be easily deployed with no additional network costs or tedious RF configuration.

With Aruba, Baycrest also put in place a security model that added more protection at multiple levels. Data encryption using WEP alone was not sufficient to meet the health care privacy standards defined by PIPEDA (or the HIPPA equivalent in the U.S.). Due to the daunting task of fat AP firmware upgrades to support the emerging WPA standard, Baycrest chose to temporarily use a third-party VPN solution. But with the Aruba 5000, VPN support is now integrated, RF security and user firewalling is added and security upgrades are performed at one central location.

For mobile computer inventory purposes, Baycrest implemented MAC filtering so computer carts would only work on the floor where they were deployed. But doing this with its legacy 802.11 environment was cumbersome and labor intensive because each AP had to be individually programmed with the appropriate MAC ACL. Aruba streamlined this operation by centralizing the management of all APs. In turn, configuring MAC filters, user policies or defining security profiles for specific users or user groups can all be performed in a few minutes for all APs from a single point.

And with the goal of adopting a wireless VoIP solution, Baycrest realized that hand-off times and latency introduced by traditional fat APs would make it extremely difficult to support its nurse call voice system that required specific levels off service and reliability typically required in hospital environments. Aruba’s Wi-Fi system provide sub-5 millisecond AP handoff times within the switch itself. Baycrest could also take advantage of Aruba’s voice flow classification technology that uniquely identifies, classified and prioritizes voice traffic and provides advanced call admission controls that ensure toll quality VoIP calls.

Finally Baycrest saw the need for multiple wireless VLANs. As the wireless network expands, configuration takes place across a number of infrastructure devices. This is often seen when VLANs are implemented to divide network traffic and services. In its old fat AP environment, VLANs has to be mapped to every device through which a user might roam. Whether the VLANs are for voice, data or different user groups, this tasked was one of the most painstaking parts of Baycrest’s configuration. With Aruba, all VLANs are collapsed into a single Aruba switch. Baycrest also enjoys the benefit of being able to map multiple VLANs to a single SSID.