Remote Site Setup within the Prison Environment
Lee Ratzan
In this article, I will discuss some issues encountered by systems
and network administrators when a major health care provider network
becomes responsible for integrating its services into a highly
restrictive, security-conscious prison environment. The job mandate
involves information access and cooperation in a setting not necessarily
known for either. Two large organizations concerned with different
aspects of security must work together. These issues pose challenges
to routine remote site setup.
The Setting
Bringing up a remote site or adapting a series of remote sites
should be a straightforward task. To be sure, each site has its
own economic, logistical, and political headaches, but most problems
are usually dispatched in due course of time. Problems become challenges
when the task involves communicating information in and out of jails.
By its very nature, a prison setting is an enclosed, strictly
defined, standalone, self-contained environment. A prison is
specifically designed to be isolated from influences on either
side of the wall. Prison network administrators do not share
their router addresses or their network topology easily.
There is relatively little public information available regarding
prison networking or prison computers. Many prisons operate with
an implicit siege mentality even to the point of maintaining their
own heat, light, power, electricity, food, and water. Even a mighty
search engine (e.g., Google) does not find many detailed relevant
Web sites or technical documentation. If public online documents
dealing with prison networking or prison computer systems administration
exist, then they may lie deep within the Invisible Web (Sherman
and Price, 2001).
University Behavioral HealthCare (UBHC) supports the largest online
mental health network in New Jersey and one of the largest in the
country. The system configuration consists of multiple Windows 2003
servers, Windows 2000 servers, several residual dedicated Windows
NT machines, and two legacy SCO Unix servers. There is a production
domain and a test domain. Most workstations have new or upgraded
Dell hardware running Microsoft Windows XP. Users generally do not
have administrative access to their own machines. (The latter policy
is in place for reasons of command and control. Illicit downloads
are a serious problem and certainly would be so within a prison
setting as well.)
The network configuration uses a gamut of telecommunications features
ranging from ISDN lines to SMDS clouds to 100-Mb optical fiber and
wireless connections. Dynamic IP addressing applies to most of the
network. Static IP addresses are used primarily in mixed turf, dual-jurisdictional
environments within the University of Medicine and Dentistry of
New Jersey. Routine dial-up is not supported due to HIPAA regulations.
(Note that a few very select staff members -- such as the CEO, CIO,
Director, and NetOPS support -- do have remote VPN access.)
UBHC operates dozens of servers supplying the Distributed File System
(DFS), remote terminal administration, electronic mail, Web mail,
an online clinical pharmacy, an online clinical laboratory, an online
clinical medical records system, an online registration system,
a crisis alert center, distributed print services, continuous anti-virus
protection, and backup services. UBHC maintains a private intranet
corporate Web site (ubhcweb) and a general Web site for the public
(http://ubhc.umdnj.edu). All services are provided 24 hours
a day, 7 days a week to a score of large and small satellite sites
across the state.
The Challenge
UBHC recently received a contract for up to $50 million per year
for 2 years to supply networked mental health services to the New
Jersey State penal system of the Department of Corrections (DOC),
including maximum and moderate security institutions. According
to the Newark Star Ledger (October 24, 2004), there are currently
3400 mentally ill inmates in 14 state facilities. An additional
14,000 people are evaluated each year as they interact with the
DOC. On average, one of every six New Jersey prison inmates is diagnosed
as mentally ill.
UBHC created a new corporate unit called University Correctional
HealthCare (UCHC) to carry out this contract. Corporate enthusiasm
rapidly gave way to the stark reality facing systems administrators
and network operations, whose mandate it was to make it happen.
These administrators faced major issues imposed by a security
environment not accustomed to sharing or cooperation.
These issues included but were not limited to:
- Network 14 prisons with reliable secure high bandwidth connectivity.
- Create hundreds of new staff computer accounts quickly.
- Create electronic mailboxes for new staff.
- Install LanDesk remote management agents on all relevant desktops.
- Administer email for new staff.
- Provide desktop support for 154 older jail machines (Windows 98).
- Allocate file space for dozens of new network shares.
- Back up data from the influx of new work.
- Fund staff positions to accommodate all of the above.
- Track tasks and work assignments dynamically, both projected and actual.
Did I mention resetting users' forgotten passwords several
times a day?
Getting Physical Access
The first step involved physical examination of the environment,
so we scoped it out. To gain access, two forms of photo ID are
required. Everyone must pass through metal detectors, magnetic
wands, body frisking, and searching. Bags and briefcases are
carefully searched item by item. Sharp objects, such as penknives
or pocket multi-function tools, are not routinely permitted.
UCHC computer and network diagnostic equipment may not be carried
in unless cleared, authorized, delineated, checked, scheduled,
and verified well in advance. If you suddenly realize you need
a tool that's out in the van, but it was not included within
the approved equipment list, then the tool might as well be
at the North Pole. (Most of the time DOC on-site equipment was
readily available so the need for our own tools was not as severe
as once anticipated.) Our networking and systems staff must
wear blue or black pants to distinguish themselves from the
inmates. Khaki-colored clothing is not permitted.
Cell phones, pagers, and Blackberry devices are forbidden.
Telephone access is highly controlled. Some inmates are desperate
for surreptitious phone communication. (According to one anecdotal
tale, several years ago a conspirator on the outside used a
bow and arrow to shoot a cell phone over the barbed wire fence
and adjoining brick wall. It was to no avail; the recipient was caught
immediately.) Clearly, standard commercial ISP dial-up and DSL
are not viable telecommunication options.
Getting Network Access
Many New Jersey State agencies connect to each other via the
Garden State Network through the Office of Information Technology
(OIT: http://www.state.nj.us/it/oit/index.html) and NJEdge
service (http://www.njedge.org). The former boasts 450
mission-critical applications including various aspects of the
Office of Criminal Justice. The latter serves most state schools
and universities. NJEdge supports a robust, readily available,
well-maintained, high-bandwidth network. Nevertheless, NJEdge
and OIT were rejected as not sufficiently secure for prison
applications. A prison router is too tempting a target for hackers.
Networking options resolved to choices between ISDN, VPN,
Citrix, or Frame Relay T1 connections. ISDN offered inadequate
bandwidth and limited growth potential. Citrix was rejected
for reasons of compatibility. VPN has the distinct advantage
of exploiting communication across the ubiquitous Internet.
This method was initially the mode of choice but later dismissed
when analysis showed too many security concerns. Additionally,
many jail networks had formerly locked down VPN access as a
general policy, thus making a virtual private network virtually
unavailable. Prison administrators only reluctantly open the
gates.
VPN access in this environment had other deficiencies for
general-purpose connectivity. There was a definite need for
more advanced firewall rules agreed upon at both ends of the
connection. The Internet may be convenient, but it is not fundamentally
secure. Also, in our experience, VPN operation is often too
complicated for the typical user, and too much time is spent
helping users log on.
A direct Frame Relay T1 circuit became the best option. UCHC
machines working on the periphery of the DOC network would receive
an Internet Protocol (IP) address directly from the UMDNJ name
space:
UMDNJ Class B network IP = 130.219.XXX.YYY
We would set aside an address range in one of 15 existing UBHC
subnets and hand out addresses from it via DHCP. Dynamic addressing
was chosen because it is more easily managed when remote desktops
move; static IP addressing might involve multiple visits, and
physical access is cumbersome.
As far as our users were concerned, their desktops would be connected
directly to our network and servers. They would see no functional
difference. DOC workstations would maintain their own IP addresses
within their own network.
UCHC staff receives email from the Outlook Web Access (OWA)
feature of Microsoft Exchange Server via Internet Explorer as
desired. A DOC proxy server includes the UMDNJ Web server address
in its exception list. Additionally, DOC and UCHC operate with
a cooperative extranet agreement via the Garden State Network
sharing Web-based applications and exchanging LDAP address files.
A Frame Relay solution has additional benefits. It is easier
to manage and maintain. We can manage it remotely. There are
fewer security bottlenecks. We monitor network activity 24 hours
a day and maintain an on-call network engineer. (A second one
will be funded.) Lastly, and possibly more importantly, the
prison IT administrators would more easily cooperate with us
since much of the support would emanate from our turf, not theirs.
UCHC Back Office Server Issues
Current file server storage is adequate for existing needs
but may not be so with the influx of several hundred new users.
Three deployment strategies were considered:
- Dedicated DOC servers that interface with other systems on demand.
- On-site servers with scheduled synchronization back to some master.
- DOC supports their people, and we support ours.
The last method is simple, effective, and especially cogent
in an environment where security is a dominant mandate.
Remote printing must be secured and cannot be misdirected.
The following simple script embedded in the startup folder with
appropriate permissions assigns a specific printer from the
print server to the workstation:
Rem Install Remote Printer Script
Rem Runs from the Startup folder. Printer.txt in the user's profile is a
Rem marker that the printer has already been connected, so the printer
Rem is installed only once per user.
If not exist "C:\Docume~1\%username%\Printer.txt" goto run
goto EOF
:run
Rem Opening the queue on the print server connects the printer for this user
start \\server\pZZZ
Rem Drop the marker file into the user's profile
copy y:\helpdesk\Printer.txt "C:\Docume~1\%username%\"
goto EOF
:EOF
exit
Loss of connectivity must be detected quickly in this diverse
distributed network.
In addition to full-scale network monitoring tools, our systems
administrators can run a simple on-demand, in-house checking
utility developed in the WinBatch scripting language (http://www.windowware.com).
A ping-able server may or may not be working properly, but a server
that cannot be pinged has either lost connectivity or sits behind
something that now drops ICMP; either way, someone should look. The
script pings each server, posts results, and then moves on.
A sample code snippet for one server is cited below. It is easily
embellished and adapted for auto-alerts by email or pager to
notify relevant personnel:
; On-demand connectivity check (WinBatch)
; IpPing comes from the WinBatch IP extender; the extender DLL name
; depends on the WinBatch release installed
AddExtender("wwipg34i.dll")
ip = "server_name"
GoSub pingme
Exit
:pingme
; Wait at most two seconds for a reply
timeout = 2
check = IpPing(ip, timeout)
If check == 1
   Display(1, "Successful ping", ip)
Else
   ; No reply: connectivity is gone, or ICMP is being dropped in the path
   Message("Cannot ping", ip)
EndIf
Return
The current backup system consists of nightly online copies to
disk and offline copies to DLT media. Older tape images are stored
off site. The disk copy refreshes daily for immediate file restores.
On-site local backups are carefully guarded.
Mailbox administration blocks many potentially dangerous attachment
types (.zip, .exe, .com, .bat, etc.). User mail operates on
a three-tiered quota system of the kind Exchange provides (issue
warning, prohibit send, prohibit send and receive). Below a mailbox
of size M the user may send and receive freely; above M the user
is warned; above size N the user can receive but not send; and
once the mailbox exceeds size O (for overload!) the user can neither
send nor receive. This strategy discourages users from sending
massive attachments because of the immediate impact on their own
mailbox operations.
UCHC scans incoming mail using Symantec anti-virus software
updated daily. The University itself also imposes a spam filter,
which has become steadily more restrictive.
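The two mail-side controls just described, the attachment-type block list and the three-tier quota, as an added Python example. This is illustration written for this page, not UCHC's mailbox administration or any Exchange configuration. It parses a constructed MIME message and flags attachments whose effective extension is blocked, catching a double extension such as REPORT.PDF.EXE and a trailing-space-or-dot trick such as "notes.bat ." (Windows strips trailing dots and spaces when saving, so the file would land as notes.bat), and it reports which quota tier a mailbox of a given size is in. The thresholds M, N, O (10, 20, 25 MB) and the sample message are assumptions chosen for illustration.

```python
import email
from email.policy import default

# Attachment types refused by mailbox administration (from the article's list;
# extend as needed). Matching is by filename, so a renamed executable or an
# executable inside an archive the filter lets through is NOT caught here.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".com", ".bat"}

# Three-tier quota in megabytes (assumed values; the article calls them M, N, O)
QUOTA_M, QUOTA_N, QUOTA_O = 10, 20, 25


def _effective_extension(filename: str) -> str:
    """Extension Windows would actually act on when the file is saved."""
    # Windows drops trailing spaces and dots, so "notes.bat ." becomes "notes.bat"
    name = filename.lower().rstrip(" .")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_message: str) -> list[str]:
    """Return the filenames in the message whose effective extension is blocked."""
    msg = email.message_from_string(raw_message, policy=default)
    hits = []
    for part in msg.walk():            # visits every MIME part, nested ones included
        fname = part.get_filename()    # None for parts that are not attachments
        if fname and _effective_extension(fname) in BLOCKED_EXTENSIONS:
            hits.append(fname)
    return hits


def quota_state(mailbox_mb: float) -> str:
    """Which of the three quota tiers a mailbox of this size falls in."""
    if mailbox_mb > QUOTA_O:
        return "prohibit send and receive"   # overload: mail bounces
    if mailbox_mb > QUOTA_N:
        return "prohibit send"               # can still receive
    if mailbox_mb > QUOTA_M:
        return "warning"
    return "ok"


# Constructed sample message: one harmless PDF and two attachments that should
# be refused (a double extension and a trailing-dot filename).
SAMPLE_MESSAGE = """\
From: clinician@example.org
To: helpdesk@example.org
Subject: weekly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Report attached.
--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0x
--XYZ
Content-Type: application/octet-stream; name="REPORT.PDF.EXE"
Content-Disposition: attachment; filename="REPORT.PDF.EXE"

TVqQAAMA
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.bat ."

ZWNobyBoaQ==
--XYZ--
"""

if __name__ == "__main__":
    print("blocked:", blocked_attachments(SAMPLE_MESSAGE))
    for size in (5, 15, 22, 30):
        print(f"{size} MB -> {quota_state(size)}")
```

The extension check deliberately normalizes the filename the way the receiving operating system will, not the way the sender wrote it; that is where most filename-based filters are bypassed.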
DOC manages electronic medical records using the Logician
system (http://www.medicalogic.com). UBHC manages their
online medical records using the Clinical Work Station (http://www.csmcorp.com).
Each agency maintains its own secure database server environment.
No effort is being made to merge records across agencies.
Getting User Access
The user account creation process involves setting a unique
user name according to a prescribed naming policy, granting
user membership to appropriate access control groups, building
a login script with proper network share mappings, creating
an internal electronic mail mailbox, designating an Internet
address, coordinating with the UMDNJ Human Resources personnel
and billing databases, and assigning a temporary password valid
for one initial login.
The temporary password must be changed at first login. User
names remain consistent across applications although some applications
require separate passwords. (Single sign-on capability is not
available at this time.) Basic login script templates expedite
account setup and are adapted as necessary. Note that in the
prison environment no physical personal authentication token
or ID device (e.g., swipe card, magnetic reader) is acceptable,
because it could be stolen. The template follows.
Logon Script Template
@rem **** Set time
@net time %LOGONSERVER% /set /y
rem Primary network drive attachments
@net use p: \\server\dfs_root$
@net use y: \\server\public$
@net use q: \\server\userdatafiles$
rem Secondary network drive attachments
@net use k: \\server\acutesvcs$
@net use l: \\server\briefsvcs$
@net use n: \\server\nursingsvcs$
@net use h: \\server\extclinadm$
@net use i: \\server\copsa$
@net use j: \\server\accntr$
@y:\inteldtm\script\global.bat
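The account-creation steps above, from the naming policy through to the rendered logon script, as an added Python example. This is illustration written for this page, not UBHC's provisioning code: it derives a unique user name under an assumed naming policy (first initial plus surname, ASCII letters only, at most 20 characters, numeric suffix on collision), generates a one-time temporary password that already satisfies the eight-character mixed-case-plus-digit rule so the forced change at first login is the only hurdle, and renders the logon script from the template by group membership. The group names, the group-to-share mapping and the address format are assumptions; the calls that would actually create the directory object, the Exchange mailbox and the HR record are left out because they cannot run offline.

```python
import re
import secrets
import string
import unicodedata

# Assumed naming policy: first initial + surname, letters only, at most 20
# characters (the sAMAccountName limit), numeric suffix on collision.
MAX_USERNAME_LEN = 20

# Drives every user gets (from the logon script template in the article)
PRIMARY_SHARES = [
    ("p:", r"\\server\dfs_root$"),
    ("y:", r"\\server\public$"),
    ("q:", r"\\server\userdatafiles$"),
]

# Assumed mapping from access-control group to the secondary share it unlocks
GROUP_SHARES = {
    "AcuteServices": [("k:", r"\\server\acutesvcs$")],
    "BriefServices": [("l:", r"\\server\briefsvcs$")],
    "Nursing":       [("n:", r"\\server\nursingsvcs$")],
    "ClinicalAdmin": [("h:", r"\\server\extclinadm$")],
}


def _ascii_letters(text: str) -> str:
    """Fold accents ("Peña" -> "pena") and drop anything that is not a letter."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Za-z]", "", folded).lower()


def make_username(first: str, last: str, existing: set[str]) -> str:
    """Unique user name under the naming policy; records it in `existing`."""
    base = (_ascii_letters(first)[:1] + _ascii_letters(last))[:MAX_USERNAME_LEN]
    if not base:
        raise ValueError("name yields no usable characters")
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        suffix = str(n)
        # Trim the base so the suffixed name still fits the length limit
        candidate = base[:MAX_USERNAME_LEN - len(suffix)] + suffix
    existing.add(candidate)
    return candidate


def temporary_password(length: int = 10) -> str:
    """One-time password that meets the policy (mixed case, a digit, 8+ chars).

    Drawn with `secrets` so it is unpredictable; a random string of this
    length is not a name or dictionary word, which the policy also forbids.
    """
    alphabet = string.ascii_letters + string.digits
    while True:   # rejection sampling: retry until all three classes appear
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def render_logon_script(groups: list[str]) -> str:
    """Fill the article's logon script template for the user's groups."""
    lines = ["@rem **** Set time", "@net time %LOGONSERVER% /set /y",
             "rem Primary network drive attachments"]
    lines += [f"@net use {drive} {share}" for drive, share in PRIMARY_SHARES]
    lines.append("rem Secondary network drive attachments")
    for group in groups:
        for drive, share in GROUP_SHARES.get(group, []):
            lines.append(f"@net use {drive} {share}")
    lines.append(r"@y:\inteldtm\script\global.bat")
    return "\n".join(lines) + "\n"


def provision(first: str, last: str, groups: list[str], existing: set[str]) -> dict:
    """Assemble the attributes the directory would be given for one new user."""
    username = make_username(first, last, existing)
    return {
        "sAMAccountName": username,
        "mail": f"{username}@umdnj.edu",               # assumed address format
        "memberOf": list(groups),
        "temporary_password": temporary_password(),
        "must_change_password_at_next_logon": True,    # the one-login password
        "logon_script": render_logon_script(groups),
    }


if __name__ == "__main__":
    taken: set[str] = set()
    account = provision("Jane", "Smith", ["Nursing"], taken)
    print(account["sAMAccountName"], account["temporary_password"])
    print(account["logon_script"])
```

Keeping the generated script per user, rather than editing one shared script, means a user's share mappings change only when the Help Desk changes that user's group membership, which is the trail the Department of Corrections wants.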
Password resets are a major disruption. Users balk at good password
practices such as password expiration (every 90 days), password
complexity (mixed case with digits), and account lockouts (three
wrong tries). They try password recycling (password A, then password
B, then back to password A). Many users try passwords based on
names. (You might as well give an inmate a key.)
We enforce best practices: passwords must be a minimum of eight
characters long, mixed case, contain at least one digit, and contain
no names or common words. Many new users have difficulty typing
their password properly, and many devise clever excuses for simple
passwords. One user assured us that there was no Shift key on
her keyboard. Such issues result from a mindset in which computers
are seen as impositions and not as tools. We expend a great
deal of time training staff.
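The password rules above, as an added Python example that is mine and not UBHC's: it checks a proposed password against the stated policy (eight or more characters, mixed case, at least one digit, no names or common words, not containing the user name), refuses the A-then-B-then-A recycling trick by comparing against a history of salted hashes, and locks the account after three consecutive wrong tries. The word list, the history depth and the hashing parameters are assumptions; a domain controller applies these rules natively, so this stands in for that logic rather than replacing it.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 3        # three wrong tries, as the article states
HISTORY_DEPTH = 5            # assumed: remember the last five passwords
PBKDF2_ITERATIONS = 100_000  # assumed; raise for production use

# Assumed word list: names and common words staff were seen to use
FORBIDDEN_WORDS = {"password", "welcome", "summer", "jersey", "prison", "jane", "smith"}


def policy_violations(password: str, username: str = "") -> list[str]:
    """Return every rule the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    lowered = password.lower()
    # Substring match, so "Summer2004" and "Smith99" fail, not just bare words
    if any(word in lowered for word in FORBIDDEN_WORDS):
        problems.append("based on a name or common word")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """Password state for one user: hash history, failure count, lockout flag."""

    def __init__(self, username: str):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.failed_attempts = 0
        self.locked = False

    def _seen_before(self, password: str) -> bool:
        # Each history entry has its own salt, so re-hash the candidate per entry
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password: str) -> list[str]:
        """Apply the policy and the no-recycling rule; return the violations."""
        problems = policy_violations(password, self.username)
        if self._seen_before(password):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            salt = secrets.token_bytes(16)
            self.history.append((salt, _hash(password, salt)))
            self.history = self.history[-HISTORY_DEPTH:]   # keep only the newest N
        return problems

    def verify(self, password: str) -> bool:
        """Check a login; three consecutive failures lock the account."""
        if self.locked or not self.history:
            return False
        salt, current = self.history[-1]
        if hmac.compare_digest(_hash(password, salt), current):
            self.failed_attempts = 0        # a good login clears the streak
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False

    def unlock(self) -> None:
        """Help Desk reset: clear the lockout and the failure count."""
        self.locked = False
        self.failed_attempts = 0


if __name__ == "__main__":
    acct = Account("jsmith")
    for candidate in ("Summer2004", "jsmith1", "Tq7vLk2pRz"):
        print(candidate, "->", acct.set_password(candidate) or "accepted")
```

Two details matter in practice: the hash comparison uses `hmac.compare_digest` so a wrong guess takes the same time as a near-miss, and a successful login resets the failure counter, so three scattered typos over a week do not lock anyone out, only three in a row.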
Calling for Help
For better or worse, our Help Desk has a 300:1 user to staff
ratio. Helpers are reachable by phone, pager, email, and Blackberry.
The prison site setups may add another 400 new users all of
whom need new accounts, passwords, privileges, permissions,
logins, mailboxes, network shares, and home directories. Given
the cumbersome nature of physical access, it was agreed that
each prison would use its own staff as the first level of support
for its own routine day-to-day operations (broken keyboards,
unplugged cables, bad monitors, etc.).
The Help Desk expects funding for one new staff member. This
strategy will maintain the user-to-support staff ratio. It remains
to be seen whether the project is best served by locating that
individual on-site (the largest prison with the most users),
on the road (travelling between sites), or at the main UBHC
office armed with multiple remote administration consoles.
Tasks are assigned, tracked, and recorded using the HEAT help
desk control system (http://www.frontrange.com/heat).
HEAT is currently being used successfully by the U.S. Navy,
Lucent, Shell Oil, Electricite de France, and other major organizations.
The system issues and monitors work tickets by project, date,
assignee, and task. A sophisticated report generator provides
executive management decision support. This information can
justify additional funding or staffing levels. The Department
of Corrections requires a thorough and complete documentation
trail.
Summary
Setting up a remote site should be a routine straightforward
task. Although each site has its own peculiar problems, attributes,
and headaches, putting a remote site online is a common systems
administration function. Problems become more challenging when
the task involves a highly secure prison environment.
Acknowledgements
The author thanks Christopher Kosseff (President and CEO,
UBHC), Dr. Jeffery Dickert (Vice President, UCHC), Bruce Blakeslee
(Director, Information Services), Lucien Antonis (Network Operations),
Charles Gist (Help Desk), Shirley Lee (UCHC), and DOC staff
Louis Mancuso, Gary Maholic, Deidre Fedkenheuer, Mary Ellen
Maguire, Matthew Schuman, and its Commissioner for their support
in the production of this article.
Resources
Garden State Network -- http://www.state.nj.us/it/oit/index.html
NJEdge -- http://www.njedge.org
Peet, Judy. October 24, 2004. Newark Star Ledger --
http://www.shanj.org/News/UMDNJ_prison.services.htm
Ratzan, Lee. 2004. Understanding Information Systems,
American Library Association, Chicago, IL.
Sherman, Chris and Price, Gary. 2001. The Invisible Web:
Uncovering Information Search Engines Can't See. Cyber Age
Books. Medford, NJ.
University Behavioral HealthCare (Public Web site) -- http://www.ubhc.umdnj.edu
University of Medicine and Dentistry of New Jersey -- http://www.umdnj.edu
Dr. Lee Ratzan is a systems analyst at University Behavioral
HealthCare of the University of Medicine and Dentistry of New
Jersey. He teaches information systems at Rutgers University
and has written feature articles for professional computer magazines.
His book, Understanding Information Systems, contains
discussions on networking, securing, and concealing information.
Contact the author at: ratzan@umdnj.edu.