
UNCLASSIFIED


PSN Technical Transition Guidance
Public Services Network Programme
DRAFT for Comment [18/02/2013 15:59]

Prepared by:

PSN Project Team

Date Prepared: Nov 2012


DRAFT UNCLASSIFIED Page 2 of 21

Document Information

Project Name: PSN Customer Transition
Prepared By: Peter Magee
Title: Project Manager
Document Version No: 0.22
Document Version Date: 18/02/2013
Reviewed By:
Review Date: 11/12/2012

Version History

Ver. No. | Ver. Date | Revised By | Description | Filename
001 - 006 | 10/24/2012 | Peter Magee | Working Draft | Technical Transition Guidance 010
.011 | 11/2/2012 | Mark Brett | Security Team Review | Technical Transition Guidance 011
.012 | 11/2/2012 | Nick Higgins | Technical Review | Technical Transition Guidance 012
0.19 | 06/12/2012 | Peter Magee, Mark Brett | Overall review; further security / compliance updates | Technical Transition Guidance 019
0.21 | 11/12/12 | Peter Magee | Input from various reviewers | Technical Transition Guidance 021
0.22 | 18/02/2013 | Lisa Agyen | Prep for website publication | Technical Transition Guidance 022

Approvals

PSN Project Team
Work streams & Industry
Programme Director
Operations Director
Design Authority


Table of Contents

1. Document Purpose and Introduction ..... 4
2. Project Outline for Transition ..... 4
2.1 Calendar of Activities ..... 4
3. Reference Architectures ..... 5
4. Seniors Agree Moving To PSN ..... 7
5. Choose your DNSP ..... 7
6. Identify Dates of Procurement Expiry ..... 7
7. Security Classification for the Data You Use ..... 7
8. Define your PSN End State Architecture ..... 8
8.1 Developing your Network Diagram ..... 8
9. Identify Who You Exchange Data With ..... 9
9.1 Key Government Applications ..... 10
9.2 Data Sharing Actions ..... 10
10. Transition Project Startup ..... 10
10.1 Submit Your CoCo ..... 10
10.2 How to fill in a CoCo ..... 11
10.3 How long does it take to award my certificate? ..... 11
10.4 IT Health Checks ..... 11
10.5 Staff Security Checks ..... 12
10.6 Contact PSN – Share Your Timeline & Schedule Transition ..... 12
10.7 Project Start Up Actions ..... 12
11. IP Address Provision ..... 12
11.1 IP Address Action ..... 13
12. Closed User Groups ..... 13
13. Firewall Configuration ..... 13
13.1 Firewall Rules Set ..... 13
13.2 Firewall Configuration Action ..... 14
14. Domain Name Service (DNS) ..... 14
14.1 PSN DNS Servers ..... 14
14.2 DNS changes ..... 14
14.3 MX Records ..... 14
14.4 DNS Actions ..... 14
15. Public Key Infrastructure, Encryption and Impact Levels ..... 15
15.1 PKI, Encryption and Impact Level Actions ..... 15
16. Internet Access and Web Services ..... 15
17. Inter-domain and Interoperability Gateways ..... 15
17.1 GSI/GCSx Gateways (Legacy Access) ..... 15
17.2 GCSx Connectivity ..... 15
17.3 Gateway Actions ..... 15
18. NTP and Time Synchronisation ..... 15
18.1 NTP Actions ..... 16
19. Voice over IP and Telephony ..... 16
19.1 Voice over IP and Telephony Action ..... 16
20. Testing and test scripts ..... 16
20.1 Testing Action ..... 17
21. Decommissioning unused equipment ..... 17
22. Milestones ..... 17
23. References, contacts, useful reading and web resources ..... 19
24. Becoming a PSN Services Provider ..... 19
24.1 Are you going to Offer Services? ..... 19
24.2 Submit Your CoP if you are offering services ..... 20
24.3 Provision of Services via the internet ..... 20
25. Aggregators ..... 21


1. Document Purpose and Introduction

This document is designed for the technical team to help facilitate transition to PSN. Whilst each customer has a unique infrastructure and will have a slightly different transition to PSN, this document provides guidance to ensure that the important technical aspects of migration are simplified.

This is a living document, and the intention is that it will be enhanced with lessons learned. There are a number of drafting notes, marked [DN], where there are outstanding questions; these will be added to over time.

This guide will help ensure:

- Your transition to PSN is de-risked and simplified;
- Your transition to PSN does not miss any critical technical aspects;
- Activities with a long lead time are identified and completed to avoid delays; and
- Lessons learned by other departments help your migration.

Further information and the latest version of this and other documents can be found at http://www.cabinetoffice.gov.uk/content/public-services-network and at http://www.cabinetoffice.gov.uk/resource-library/public-services-network

This document contains the following elements:

- A calendar of transition events and key milestones;
- Reference architectures;
- A guide to the activities; and
- Guidance on some non-technical issues.

2. Project Outline for Transition

2.1 Calendar of Activities

The picture below gives an indication of the activities that you will undertake and the major milestones for a PSN transition. The triangles represent those milestones and give an indication of the relative priority of the tasks you will need to complete. The time between your decision to go to PSN and Go Live will, of course, vary. It takes some time to gather the information that is used to complete your CoCo, and this increases if you have many partners that will be required to contribute to your submission. It will take potentially three months to award your CoCo certificate. It may be more if your submission is very complex.

The graphic below illustrates the relative timeline of a typical transition.


3. Reference Architectures

The schematics below illustrate potential architectures of a typical authority. The authority has a network running at IL2. An Inter-operability Gateway (IOG) allows connections to third party suppliers, such as the Housing Association shown here, running at IL0. An IOG also allows access to publicly addressable servers such as public email and remote access servers. These operate in a DMZ, which is in turn protected by an Inter-domain Gateway. Gateways also allow the authority to connect to the PSN, via their CoCo. Through this gateway, Local Authorities will have access to a wide selection of service offerings from many different providers.

Figure 1: Schematic showing a typical Authority connected to the PSN and to other, third party organisations

The diagram below shows a Local Authority which also plans to offer services to other PSN Customers. The Services DMZ hosts the PSN available service offerings. In this case the Customer has to sign a CoP as well as a CoCo.

[Figure: Calendar of Activities (section 2.1). Activities shown, in order: Seniors Agree Moving To PSN; Choose your DNSP; Identify Dates of Procurement Expiry; Security Classification for the Data You Use; Define your PSN End State Architecture; Developing your Network Diagram; Identify Who You Exchange Data With; Key Government Applications; Transition Project Startup; Submit Your CoCo; IT Health Checks; Contact PSN – Share Your Timeline & Schedule Transition; CoCo Application Review and Questions; CoCo Accreditation; IP Address Application; Submit Order with DNSP; Implement transition plan; Coordinate with Government (eg DWP) and others; Testing and test scripts and User Acceptance Testing; Go Live; Decommissioning unused equipment. Legend: triangle = Transition Milestone.]


Figure 2: Schematic showing a typical Authority connected to the PSN and also providing services to other PSN Customers

The diagram below shows a Customer which has parts of their network carrying data that has a security level of IL3.

Figure 3: Schematic showing an Authority which requires IL3 level of security.

You are required to submit a network architecture as part of your Code Template. There is a section below which gives advice about what is required to get accreditation.


4. Senior Managers Agree Moving To PSN

Any transition project begins with the decision of the organisation to move to PSN. This will be supported by a business case which sets out the scope of services that you will be moving to the PSN and which services you will be in a position to offer to other PSN customers.

5. Choose your DNSP

In order to connect to PSN, you will need to select a provider of Connectivity Services. These providers are called Direct Network Service Providers (DNSPs). Their services are procured under the GPS PSN Framework. The list of potential providers can be found here: http://gps.cabinetoffice.gov.uk/

For the avoidance of doubt, your choice of DNSP is not limited to your incumbent connectivity provider. Furthermore, the Services that you can buy over the PSN are not limited to those offered by the DNSP that you select for your connectivity. PSN provides you with increased, and increasing, access to a range of services that are all accredited for use over the PSN network. These services can be bought from the Framework contracts that have been negotiated by Government Procurement Services.

Each of the DNSPs has provided a good deal of information about its approach to providing PSN Connectivity in its bid, which can be downloaded from the GPS website above. These generic approaches will be tailored to a greater or lesser extent to your environment.

6. Identify Dates of Procurement Expiry

You will need to review the contracts that you have with your current service providers to understand when those contracts expire, so that you can determine the plan for transition. In particular, you need to check when your GCF and GSi contracts expire. GCF/GSi contracts will not be renewed, so you will have to submit a new PSN application to retain connectivity to these services. Contact the PSN Project Team if you are unsure of the expiry date of your GSi contract.

You will still be able to consume GCF Services while your GCF CoCo is still valid, and then once you have been awarded a PSN CoCo.

If you have a connection provided under the GCF that is due for renewal, you should complete the PSN CoCo rather than the GCF CoCo. Once certified, your connection will then be treated as a PSN connection, and on expiry of your GCF service contract you will procure your connection from any PSN Compliant Service Provider.

7. Security Classification for the Data You Use

You will need to have a clear understanding of the security classification for your PSN architecture. The PSN has been designed to operate at the CESG classification of Impact Level 2. The reason for this is that, as a Local Authority, you will have personal information on most of your systems. Protecting personal information is a legal requirement under the Data Protection Act 1998. Fines in excess of £100,000 are regularly issued by the Information Commissioner for non-compliance with the Act. By adopting the standards set out in the PSN Standards, the protection of the information in your systems, and of access to it, will be sufficient to assure the public and the Information Commissioner's Office that all reasonable steps were taken to preserve and protect their personal information.

The PSN is defined to operate at Impact Level 2 (IL2); however, IL3 data (for example, health care records, police evidential and criminal justice records) can also be carried over the network using an Encryption Domain that sits on top of the PSN architecture.


8. Define your PSN End State Architecture

The Public Services Network is, as the name indicates, built around ‘Services’. Connectivity is one of these services, and as mentioned above, this service will be provided to you by a DNSP. As you plan to move to PSN, you will need to think through the various ICT services that you consume, and determine how you want those Services provided to you. This will include the various organisations that you connect to, and with whom you exchange data. To support these services you will have an underlying Network Architecture; you will need to produce a diagram of this for submission with your CoCo. You submit your CoCo to the PSN Authority (PSNA), whose contact details are below. The PSNA prefers to receive network diagrams in Visio, if possible. If not Visio, then please ensure that they are readable using one of the MS Office products.

8.1 Developing your Network Diagram

The document ‘PSN IA Conditions Supporting Guidance’ provides clear guidance on what needs to be in your network diagram and what does not. The current guidance states the following:

DIA.x Network Diagrams

Explanation: An up to date high level/logical network diagram is fundamental to understanding the connection environment. The high level diagram is not expected to include every last device; in fact the diagram can be conceptual, but it is required to ensure that the scope of the connection is understood by the customer and anyone carrying out a compliance check. The customer environment may be very complex, with a mixture of services being consumed; some will be PSN branded services and others locally procured or implemented. The key aspects to be included are:

- Service interaction, so it is clear which services the organisation is consuming and whether they are PSN or non PSN services. The outcome is to highlight where services interact or interoperate.
- Context around onward connectivity, if the organisation has onward connections to systems/services/networks that are either PSN or non PSN networks. Onward connections may also include detail around where the gateway is positioned.
- Any off shoring of systems and information, including any life support/maintenance connections.
- Third party connectivity.

Guidance:

[DIA.1] As a minimum the diagram will include: organisational name, date of diagram, author, security domains/environments (e.g. RESTRICTED or IL3 Domain), local connections (with approximate numbers of users), PSN services, non PSN Services, remote connections/access, all external and third party connections (with names of organisations, impact levels of connection, business reason for connection and boundaries of responsibility), location of security devices such as gateways (it is accepted that not all devices will be included, but those that the customer may wish to highlight later in the various controls should be included), wireless network devices, and infrastructure or connections that are off shored. It is not necessary for organisations to include the details of services and equipment that have already been accredited by the PSN, simply to show connections to them. Where appropriate, for larger and more complex configurations, it is not expected that every connected device, domain and critical device be shown. A realistic level of abstraction can be employed for standard builds and configurations, to ensure clarity around connections, security domains and services. Abstraction should be used to make the diagram simpler to produce and review. It might be appropriate to group assets by business impact level or function. The diagram method itself is not stipulated; some organisations may consider using the IS1 modelling methodology, others a more technical diagram. Due to the level of detail required, this diagram may require protective marking.

[DIA.2] The customer understands that compliance with the IA Conditions allows them to use the PSN to share information across the PSN with other PSN connected organisations and consume PSN approved services. However, customers are not permitted to expose non-PSN approved services to the PSN unless these have been assured and offer protection to the rest of the PSN. An example might be the wider sharing of an organisationally developed service, such as an HR function, from one customer to other PSN connecting customers. Any service delivery of this type will need to be in accordance with the PSN Compliance document (Ref [a]), which places restrictions around the scale, scope and appropriateness of this type of service delivery. Any onward services will need to be included in the scope of the PSN IA Conditions submission for assessment. The actual assurance requirements may vary, and therefore it is recommended that any customer intending to offer services in line with the PSN Compliance document seeks advice from the PSNA.

Please ensure your diagram clearly shows the PSN connected/consuming network aspects and those out of scope, perhaps using a different coloured background bubble, (e.g. light green = PSN, light yellow = out of scope.)

The latest version of the IA guidance is at the following location on the Web, and you should download a copy to assist with the completion of your CoCo. http://www.cabinetoffice.gov.uk/sites/default/files/resources/PSN-IA-Conditions-Supporting-Guidance-v1-4.pdf

9. Identify Who You Exchange Data With

You will need to identify all the parties that you exchange data with. This is not just a technical issue. To get the full benefit from PSN and the Services that you can buy from it, you will need to talk to your business users to capture their needs for data exchange. One of the strengths of the PSN is that your data needs will be similar to other Customers, and therefore you will be able to obtain ICT Services at a cost which reflects this shared use. You should check with your business users to ensure that you have all of your partners identified. If you migrate to PSN without ensuring that these partners have made the changes required, then transition to PSN will be made that much more complicated. These partners may not have sophisticated technical knowledge, so you may have to provide assistance to them to ensure that they are not cut off.

Typical Local Authorities exchange data with the following kinds of partners: [CHECK!]

- Other Local Authorities
- Government Departments and bodies
- Commercial shared Service Providers connected to the PSN
- Emergency Services
- Criminal Justice Services
- Housing Associations
- Charities
- Community services such as churches, sports facilities
- Health Authorities and Trusts
- Schools and Educational Establishments
- Providers of services such as facilities management, waste collection

Once you identify all the sources and users of data, then you should ensure that they are included on the diagram, as mentioned in the Guidance above. You will need to ensure that these parties can continue to share data during and after transition. You should identify the following attributes for each organisation that you work with:

- You need to identify the IP Addresses used by them and by you;
- Advise them of the detailed plans for IP address changes for them to configure their devices;
- Configure your firewall to ensure that this communication can continue;
- Test the transition activity; and
- Update any information sharing agreements and MOUs to reflect PSN connectivity (especially those that are governed by GCF/GSi).

9.1 Key Government Applications

Local Authorities and central government departments are dependent on a number of key application services. Many of these applications will require changes to be made to ensure that communication is not interrupted during transition. These will typically be changes to firewalls, IP addresses and email addresses. [In [Appendix XX] there is a list of government applications and details of how to ensure that you can continue to connect to them.]

9.2 Data Sharing Actions

- Identify the parties you exchange data with
- Include all of them on the transition plan, including early communications, testing and cut-over
- Calculate IP address impacts and, if necessary, update your PSN IP Address allocation request
- Ensure that all staff using PSN systems are checked to the appropriate level

10. Transition Project Start-up

In order to be a PSN customer, you will have to have a Code of Connection (CoCo) certificate authorised by the PSNA.

10.1 Submit Your CoCo

If you do not currently have a CoCo certificate issued, one of your first tasks is to start the process to obtain one.

Detailed guidance on how to get a CoCo certificate can be found in ‘PSN Compliance’, which is on the PSN web site (a link to this document is below in the ‘References, contacts, useful reading and web resources’ section). The process is started by you, the Customer. The first step is to start to complete a ‘Code Template’. The phrase ‘Code Template’ is used because different PSN customers will fill in different ‘Codes’. All Local Authorities joining PSN will need a ‘Code of Compliance’. In the event that you are going to provide services to other PSN customers you will also need a ‘Code of Practice’. Providing services is covered by the sections at the end of this document.

You should also notify the PSNA that you intend to commence compliance for your PSN customer environment. In terms of your PSN Transition project, these steps immediately appear on the critical path if they have not been completed already.

10.2 How to fill in a CoCo

Instructions for filling in a ‘Code Template’ are held here: http://www.cabinetoffice.gov.uk/sites/default/files/resources/PSN-Code-Template-v2-7.doc (the latest version is always held in the Resource Library – be sure to get the latest one!).

The following table contains the required parts for a PSN Code of Connection Submission.

Item | Notes
A completed PSN Code template, including Schedule II | Schedule II requires you to list the size of your organisation and the services you wish to consume once you are compliant
Section 4 of the PSN Code template, recently signed and scanned, preferably as a ‘pdf’ file | This is a commitment to allow the PSN Authority to confirm that you are adhering to compliance requirements
A completed Annex B | A set of requirements that you must meet to be compliant
An up to date network diagram | The level of detail that you need in a network diagram is described very clearly in the IA Guidance, as described above.
A recent IT Health Check report, plus any necessary action plan to address issues found | See below
The Remedial Action Plan from your most recent CoCo Assessment, if applicable | If you are re-submitting, then you will need to identify how you are addressing the shortfalls in your original submission

The Code Template is an Excel spreadsheet. The spreadsheet that you need to complete contains all of the information that every type of connecting organisation requires. If you are a typical Local Authority, then you only need to complete the entries with the word ‘Customer’ in the ‘Applies To’ column.

Note that if a question is of type ‘Declaration’ then simply a Yes/No answer is sufficient. If it is of type ‘Inspection’ then it requires some supporting materials. If there is something that is required, but that does not apply to you, then provide the reasons why you don’t need it. Some questions require supporting evidence that you have been compliant. In the event that you are just putting in that particular process or procedure, then you can state that it is an initial application. You have to submit your CoCo for renewal every year, and these items will have to be completed next time round.

If you are not able to meet some conditions, but you intend to put in some remedial plan to meet them in the future, then you need to provide details of the plan.

The PSN Project Team have examples of good CoCo submissions which you can take a look at. There is one on the PSN Website, and more will be available from time to time. Contact us at the address below and we can send you a version.

10.3 How long does it take to award my certificate? The time taken to award a PSN CoCo Certificate is dependent on the size and complexity of your organisation and the thoroughness of your submission. It is likely to take a few months for a typical Local Authority from the start of their preparation to the end of the certificate award.

10.4 IT Health Checks Every CoCo application and every annual renewal of the CoCo requires you to have an IT Health Check undertaken on your organisation. IT Health Checks are one of the most informative sources of information that the PSNA has on PSN connected organisations, and help to ensure the integrity of the entire PSN network. IT Health Checks take a few days to complete. One of the recognised IT Health Check qualifications is CHECK, which is mandatory at IL3, whilst Tigerscheme and CREST qualified testers can be used at IL2. The CHECK scheme is described here: http://www.cesg.gov.uk/servicecatalogue/CHECK/Pages/WhatisCHECK.aspx . The CESG web site also has lists of providers that you can use for this service.

If you have a recent IT Health Check you will not need to complete a new one. Generally your IT Health Check should not be more than six months old at the time you submit your CoCo.

Once you have the IT Health Check, you should baseline the deficiencies into a Remedial Action Plan (RAP). Ensure that the RAP is adequately resourced with milestones to complete the actions in as short a time as possible.

10.5 Staff Security Checks In order to use PSN, your operations staff must be accredited to an appropriate standard. An acceptable security standard is the Baseline Personnel Security Standard (BPSS). This ensures that all PSN users have met an acceptable level of security. The current standard is located here https://update.cabinetoffice.gov.uk/sites/default/files/resources/HMG%20Baseline%20Personnel%20Security%20Standard%20V3%201a.pdf

You will need to develop a plan to ensure that your staff connecting to the PSN or consuming PSN services meet this level of accreditation to obtain your CoCo certificate.

If you handle data that has IL4 or higher level of security, then staff handling that data will continue to require higher levels of security clearance. BPSS is adequate for up to and including IL3.

10.6 Contact PSN – Share Your Timeline & Schedule Transition Once your plans are finalised, you should contact the PSN Project Team, to discuss your detailed schedule for transition. The email and phone numbers to use are at the end of this document. We will help you coordinate with central government Service Providers, such as DWP to assist with a smooth transition. The PSN Project Team will help to manage the demands for PSN transition across all public sector bodies to avoid bottlenecks in demand. We will advise you if you will be able to get your changes done according to your planned schedule.

10.7 Project Start Up Actions
Confirm that you have an authorised Code of Connection. If not, apply immediately.
Identify an IT Health Check provider and engage them to carry out your first check if needed.
Develop a plan to provide Baseline Personnel Security Standard checks in agreement with the PSNA.
Start the Remedial Action Plan in line with the IT Health Check.
Contact the PSN Project Team to check that your transition schedule is achievable.

11. IP Address Provision You will need to obtain an appropriate number of IP addresses for your organisation. IP Addresses are requested using the form found at http://www.cabinetoffice.gov.uk/sites/default/files/resources/PSN-IP-Address-Allocation-Request-v1-4.doc

Guidance notes for the application are set out here: http://www.cabinetoffice.gov.uk/sites/default/files/resources/PSN-IP-Address-Allocation-Guidance-v1-4.pdf .

Note on Staff Security Checks: one of the benefits of the PSN is that your DNSP (and any other Service Provider you buy from) will have gone through similar checks. By ensuring that they have an appropriate certificate for the services you are buying from them, you can rest assured that they are who they say they are.

Section 7 of the Technical Domain Description (TDD – the set of standards that the PSN works to; see below for a link to it) describes the policy for issuing PSN IP addresses. Most Local Authorities are likely to be able to re-use their GSI IP Address, and it is the PSNA's hope and expectation that you will. Similarly, most Local Authorities will probably only need one IP address to ‘present themselves’ to the PSN. If you need more than one, then your network diagram – which is required with your IP Address request – will show your reviewer why you need more than one. The PSNA is, in general, only allocating IP Addresses for current needs. If you plan to develop some new services that will require an IP Address in the future, you will need to apply for the address at that time.

The best time to apply for IP Addresses is with your CoCo application. If you apply at that time, then your IP address can be allocated and the PSN Project Team can work with you to ensure that the relevant connecting organisations, such as DWP, know about your changes.

11.1 IP Address Action Complete the application for a PSN IP address if required. Submit the application with your CoCo.

12. Closed User Groups You will need to determine which Closed User Groups you are part of and ensure that your move to PSN does not impact your use. You are potentially going to have to submit a change request to your user group and include them in the transition plans.

13. Firewall Configuration You will be required to configure your firewall to enable the new IP address scheme and provide connectivity to the New Service Provider. Your New Service Provider will provide details of how to configure your device.

The specification below provides requirements for a PSN compliant firewall device. This baseline set of requirements is an example which is appropriate for a PSN Customer who is only a consumer of services. If you wish to be a provider of services, then the specifications need to be increased. The PSNA can provide guidance in this case.

13.1 Firewall Rules Set The IA guidance sets out the recommended rule set. For ease of use the current version is below.

From | To | Protocol | Action | Comment
Your proxy/NAT | PSN | HTTP (TCP/80), HTTP (TCP/8080), HTTPS (TCP/443) | Allow | Enable outbound access to applications within the PSN using HTTP & HTTPS
PSN | Your applications/Web servers | HTTP (TCP/80), HTTPS (TCP/443) | Allow | Enable inbound requests from the PSN to your Web Servers/Applications
PSN | Your mail servers | SMTP (TCP/25) | Allow | Enable inbound email from PSN
Your mail servers | PSN | SMTP (TCP/25) | Allow | Enable outbound email from your network to the PSN
Your DNS Server(s) | PSN DNS servers | DNS (UDP/53), DNS (TCP/53) | Allow | Allow queries to the PSN DNS servers
Your NTP servers | PSN NTP Servers | NTP (UDP/123) | Allow | Allow queries to PSN NTP servers
Any | Any | Any | Block | Default rule for all other traffic.
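The value of the rule set above is that it is short and ends in a default block, so an exported rule table can be compared against it mechanically before the firewall configuration is tested (section 13.2). The following checker is an added example, not part of the PSN guidance: the zone names ("proxy", "web", "psn-dns" and so on) and the two sample rule tables are constructed, while the baseline tuples transcribe the table in section 13.1.

```python
"""Check an exported firewall rule table against the PSN customer baseline (section 13.1).

Added example, not part of the PSN guidance. Zone names and the sample rule lists
are constructed; the baseline tuples transcribe the table in section 13.1.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source zone, e.g. "proxy", "psn", "any"
    dst: str             # destination zone, e.g. "web", "mail", "psn-dns"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "block"


# (source zone, destination zone, protocol, port) for every Allow row in 13.1
BASELINE_ALLOW = {
    ("proxy", "psn", "tcp", 80), ("proxy", "psn", "tcp", 8080), ("proxy", "psn", "tcp", 443),
    ("psn", "web", "tcp", 80), ("psn", "web", "tcp", 443),
    ("psn", "mail", "tcp", 25), ("mail", "psn", "tcp", 25),
    ("dns", "psn-dns", "udp", 53), ("dns", "psn-dns", "tcp", 53),
    ("ntp", "psn-ntp", "udp", 123),
}
# The "Any Any Any Block" row: it must be present and must be the last rule.
DEFAULT_DENY = Rule("any", "any", "any", None, "block")


def check_ruleset(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the rule table matches the baseline."""
    findings = []
    if not rules:
        return ["rule table is empty: no default deny"]
    has_default = rules[-1] == DEFAULT_DENY
    if not has_default:
        findings.append("last rule is not 'Any Any Any Block': other traffic is not denied by default")
    body = rules[:-1] if has_default else rules
    allowed = set()
    for n, r in enumerate(body, start=1):
        key = (r.src, r.dst, r.proto, r.port)
        port = "any" if r.port is None else r.port
        if r.action == "allow" and key in BASELINE_ALLOW:
            allowed.add(key)
        elif r.action == "allow":
            findings.append(f"rule {n} allows {r.src}->{r.dst} {r.proto}/{port}: not in the customer baseline")
        elif r == DEFAULT_DENY:
            findings.append(f"rule {n} is a catch-all block before the end: later rules are unreachable")
    # Every baseline row must be present, otherwise a required service will be cut off.
    for src, dst, proto, port in sorted(BASELINE_ALLOW):
        if (src, dst, proto, port) not in allowed:
            findings.append(f"baseline rule missing: {src}->{dst} {proto}/{port} allow")
    return findings


# Constructed sample: a table that matches the baseline exactly.
COMPLIANT = [Rule(s, d, p, port, "allow") for s, d, p, port in sorted(BASELINE_ALLOW)] + [DEFAULT_DENY]

# Constructed sample: the default deny is missing, four baseline rows are absent
# and an extra inbound allow has been added.
NON_COMPLIANT = [
    Rule("proxy", "psn", "tcp", 80, "allow"),
    Rule("proxy", "psn", "tcp", 443, "allow"),
    Rule("any", "web", "tcp", 3389, "allow"),   # remote desktop reachable from anywhere
    Rule("psn", "mail", "tcp", 25, "allow"),
    Rule("mail", "psn", "tcp", 25, "allow"),
    Rule("dns", "psn-dns", "udp", 53, "allow"),
    Rule("ntp", "psn-ntp", "udp", 123, "allow"),
]

if __name__ == "__main__":
    for finding in check_ruleset(NON_COMPLIANT) or ["no findings"]:
        print(finding)
```

Run against the non-compliant sample it reports the missing default deny, the extra inbound allow and the four baseline rows that are absent, which is the list the Remedial Action Plan would need to address.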

13.2 Firewall Configuration Action Configure Firewall devices with assistance from your New Service Provider and with guidance from PSNIA and Enterprise SIRO risk management guidance. Test firewall configurations to ensure they have been completed successfully.

14. Domain Name Service (DNS)

14.1 PSN DNS Servers PSN will provide the primary DNS servers and resolvers for all PSN domains. The addresses for the servers are available from the PSN Project Team upon request. (The actual addresses are restricted, so inclusion in this document would raise the security classification.) These servers will act as the primary DNS for all resolutions, passing requests to the Internet root DNS servers where resolution of non-.gov.uk names is required (or to other internal DNS servers for other PSN hosted domains).

You will need to implement your own DNS resolvers (servers or proxies) which resolve requests from your clients. These resolvers should then point to the PSN primary DNS servers. There will be different PSN primary servers and resolvers at each impact level (IL2 and IL3).

You will need to ensure that all DNS requests from your network are directed at your local DNS resolvers, and that all proxies point to the new servers.

14.2 DNS changes As more organisations migrate there may be changes both to IP address ranges that are visible and to the DNS servers that are used as the PSN primary resolvers by the organisation. You should use names rather than IP addresses to refer to hosts to minimise your DNS changes.

It is important that you make a plan for the before and after state of the DNS entries that are published in the PSN resolvers. This plan should include any publicly visible interfaces and services (e.g. email) so that the organisation can still be found by others; it should also include the gateway entries for the organisation to find the primary resolvers and mail servers on PSN.

14.3 MX Records The Mail eXchange (MX) records in the DNS point to the mail servers for each domain that is subordinate to the .gov.uk domain.

Organisations should ensure that their mail servers’ MX records are correctly referenced in the primary DNS servers, and that their mail servers can see the service provider mail servers and, where applicable, the Internet. [How do they do that?]

14.4 DNS Actions
Identify all systems which will be impacted by the DNS changes.
Develop a plan to migrate.
Develop test scripts to ensure changes are implemented correctly.
Implement DNS resolvers to point to the PSN DNS servers.
Ensure that all DNS requests from your network are directed at your local DNS resolvers, and that all proxies point to the new servers.
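The before/after plan of section 14.2, the MX check of section 14.3 and the test scripts of section 14.4 can be combined into one script that diffs the planned record set against the current one and flags anything that would leave the organisation unreachable. This is an added example, not part of the PSN guidance: the records use the placeholder domain example.gov.uk and documentation address ranges, and the rules it checks are the ones the text states (every published name survives, every MX keeps a resolvable target, hosts are referred to by name rather than address).

```python
"""Before/after check of the DNS entries an organisation publishes during PSN transition
(sections 14.2 to 14.4).

Added example, not part of the PSN guidance. The records below are constructed sample
data under the placeholder domain example.gov.uk; 'before' is the legacy state and
'after' the planned state once the PSN resolvers publish the new addresses.
"""
import ipaddress
from typing import List, Tuple

Record = Tuple[str, str, str]   # (owner name, type, value); an MX value is "priority target"

BEFORE = [
    ("example.gov.uk", "MX", "10 mail.example.gov.uk"),
    ("mail.example.gov.uk", "A", "192.0.2.10"),
    ("www.example.gov.uk", "A", "192.0.2.20"),
    ("portal.example.gov.uk", "CNAME", "www.example.gov.uk"),
]
# Planned state: same names, new PSN-facing addresses (constructed, documentation range).
AFTER_GOOD = [
    ("example.gov.uk", "MX", "10 mail.example.gov.uk"),
    ("mail.example.gov.uk", "A", "198.51.100.10"),
    ("www.example.gov.uk", "A", "198.51.100.20"),
    ("portal.example.gov.uk", "CNAME", "www.example.gov.uk"),
]
# A plan with two mistakes: the MX record was dropped and a CNAME points at an address.
AFTER_BAD = [
    ("mail.example.gov.uk", "A", "198.51.100.10"),
    ("www.example.gov.uk", "A", "198.51.100.20"),
    ("portal.example.gov.uk", "CNAME", "198.51.100.20"),
]


def diff_records(before: List[Record], after: List[Record]):
    """Return (added, removed): the change list to put in the migration plan."""
    b, a = set(before), set(after)
    return sorted(a - b), sorted(b - a)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_plan(before: List[Record], after: List[Record]) -> List[str]:
    """Findings about the planned state; an empty list means the organisation stays findable."""
    findings = []
    names_after = {owner for owner, _, _ in after}
    a_records = {owner for owner, rtype, _ in after if rtype == "A"}
    # 14.2: every name published before the move must still be published afterwards.
    for owner in sorted({owner for owner, _, _ in before} - names_after):
        findings.append(f"{owner}: published before the move but absent from the plan")
    # 14.3: every domain that had an MX record keeps one, and its target has an A record.
    mx_before = {owner for owner, rtype, _ in before if rtype == "MX"}
    mx_after = {owner: val.split()[1] for owner, rtype, val in after if rtype == "MX"}
    for owner in sorted(mx_before - set(mx_after)):
        findings.append(f"{owner}: MX record dropped, inbound mail would fail")
    for owner, target in sorted(mx_after.items()):
        if target not in a_records:
            findings.append(f"{owner}: MX target {target} has no A record in the plan")
    # 14.2: refer to hosts by name, so later PSN address changes are absorbed in DNS.
    for owner, rtype, val in after:
        target = val.split()[-1]
        if rtype in ("MX", "CNAME") and _is_ip(target):
            findings.append(f"{owner}: {rtype} points at the address {target} instead of a name")
    return findings


if __name__ == "__main__":
    added, removed = diff_records(BEFORE, AFTER_GOOD)
    print("added:", added, "removed:", removed)
    print("findings:", check_plan(BEFORE, AFTER_BAD))
```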


15. Public Key Infrastructure, Encryption and Impact Levels The PSNA will provide guidance on the necessary procedures and contacts to ensure that you are able to meet the requirements for Public Keys, Encryption and Impact Levels.

In particular the organisation will need to identify at least two people, who will need to be civil servants or public servants, to act as crypto custodians. They will deal with the Certificate Authority to obtain the necessary key material (keymat) and ensure policy is followed, including compliance with CESG IA Standard 4 and CESG IA Standard 5. Security standards, guidance and strategy, and PKI strategy, policy and requirements are available on the PSN Website.

15.1 PKI, Encryption and Impact Level Actions Contact PSNA and obtain the guidelines for working with secure data. Identify at least two people (one main person and a backup, for example) to be the crypto custodians. Obtain the necessary clearances for those people.

16. Internet Access and Web Services Internet access from PSN connected organisations can be bought from the PSN services catalogue. It is likely that most DNSPs will provide Internet access as part of their offering, but there are also likely to be value-add offerings such as those that include Remote Access or web hosting.

17. Inter-domain and Interoperability Gateways As mentioned above, you will need to identify all services and other organisations that you communicate with and ensure that this communication is not interrupted by migration. As part of your requirements gathering for your PSN procurement, you will need to identify the connection requirements. Some of these organisations will be outside the PSN and may therefore require an Interoperability Gateway. Others that have already migrated to PSN will require Inter-domain gateways which will be provided by your PSN Provider.

17.1 GSI/GCSx Gateways (Legacy Access) If you use GSI services you may wish to continue to use them through the PSN/GSI gateway. It is likely that this will be the case as the first few customers transition onto PSN. In due course, these services will be transitioned themselves, and they will become PSN services. Additionally, new service providers will begin to offer competing services to those on the GSI, and you will have the option to procure those services instead.

17.2 GCSx Connectivity You should configure your environment to forward requests for DNS name resolution of GCSx-related system names to the GCSx DNS resolvers (this is often referred to as ‘conditional forwarding’ or ‘forward zones’).

17.3 Gateway Actions Identify connection requirements for third party organisations and detail gateway requirements. Specify gateway requirements in the PSN Order that you place with your chosen DNSP.

18. NTP and Time Synchronisation Government services need to work to the same time. You will need to ensure that when you migrate to PSN, you continue to obtain an NTP service. In some cases, authorities have built their own NTP service to address this issue in the past. Many authorities currently obtain the service from GSX. In the future, you will be able to obtain an NTP service from a PSN Service Provider.

The IP Addresses for NTP services are found in the Annex [Reference here].


18.1 NTP Actions Determine your NTP solution, and ensure that it is in place and working before commissioning the New Service Provider.

19. Voice over IP and Telephony There are two scenarios for migration of currently contracted telephony facilities.

If you have a contract with a service provider to provide telephony services, and that provider has a PSN accredited service, then you can buy this off the PSN framework in future, and there is no additional work to be done.

If you have a contract with a service provider, and it is not an accredited service, then you might be able to persuade your service provider to get a CoP for that service. Once again, there is little work required by you.

If you don’t want to keep your current service and plan to buy a telephony service from a new provider once you are on the PSN, then you can buy from any accredited telephony service provider. These service providers are listed on the PSN web site.

If you own and manage your own equipment and you wish to connect it to the PSN, then you will be required to have that equipment accredited by the PSN. Please contact the PSN Project Team for assistance with this aspect.

In the event that you are moving to new telephone numbers, then this will have to be designed and communicated widely. Any key numbers that are published to the public or third party services need to be carefully managed and either forwarded or handled by a termination or call handling service.

19.1 Voice over IP and Telephony Action Develop a migration plan for telephony service which ensures that any PSN connected services are PSN Accredited. Identify key numbers which need to be migrated and develop a communications plan for changes.

20. Testing and test scripts It is your responsibility to design test scripts which will verify the successful transition of services. The scope of tests will be defined by your Requirements Specification, and each element of the transition should have a test plan. You will be required to define these tests in your RFP for connectivity services.

Remember to clearly discuss and document the plans that your supplier has for regression in the event that the transition fails. You should also take the opportunity to review your business continuity plans.

Listed below are tests that are useful to ensure that connectivity has been established successfully. This list will grow over time. The PSN Project Team will also capture example test scripts to assist you to develop your own.

Ping your gateway from the internal LAN
Ping the PSN DNS Servers
Ping a test address provided by the PSNA
Test DNS resolution using nslookup
Test access to CIS
Test access to N3
Synchronise with the time source
Mail exchange testing

20.1 Testing Action Obtain test IP Addresses from PSNA. Develop a test plan for each area of your PSN transition. Provide test scripts to the New Service Providers. Manage the execution of the tests and sign-off as appropriate.

21. Decommissioning unused equipment The final step is to decommission any legacy kit and if applicable remove any services from your previous suppliers. Any components that have been used to hold IL3 or above information must be destroyed in accordance with CESG IA Standard 5, but it is recommended that all components have information blanked using a proper tool. Do not forget to manage backup media. If your services were provided by a third party, obtain a destruction certificate.

The organisation should also review any contracts or billing to ensure that they are not being billed for any systems, maintenance and support or communications that have been decommissioned.

It is likely that the Customer will be asked to arrange meetings between the new and previous suppliers. If your previous supplier does not have an exit agreement, you may have to negotiate terms with them to provide exit services.

22. Milestones Some key milestones in the transition process are listed below. This is provided as a straw man for you to modify to reflect your transition plan.

Milestone | Description | Time to complete?
1. Choose your DNSP | Select the partner you want to work with to provide connectivity | ?
2. IT Health Check | Complete IT Health Check if the previous one is out of date | Around 6 weeks to arrange and complete
3. Submit CoCo Application | Complete the elements of the CoCo and submit to PSNA | Around 8-10 weeks to complete
4. Submit IP Address request | Along with the CoCo application, submit your IP Address application, if required | Part of CoCo development
5. CoCo Application review | If necessary, be ready to answer questions about the CoCo submission. Ensure that your Remedial Action Plan is included if required. | Potentially another 4 weeks
6. CoCo Accreditation | Certificate issued. | Up to 8 weeks after submission
7. Submit Order with DNSP | Submit the final order for services | Around one week
8. User acceptance testing | Carry out testing. | 1 week
9. Go Live | Go live on PSN | 


23. References, contacts, useful reading and web resources The PSN Project Team points of contact are

Karen Cleale [email protected] 07590 047581 / 020 7271 2684

Lisa Agyen [email protected] 0207 271 2873

PSN main contact email is [email protected]

The PSNA can be contacted at [email protected] .

The PSN Website is the authoritative site where the original source documents for the PSN are found:

http://www.cabinetoffice.gov.uk/content/public-services-network and at http://www.cabinetoffice.gov.uk/resource-library/public-services-network

There is a list of Frequently Asked Questions here http://www.cabinetoffice.gov.uk/sites/default/files/resources/PSN_FAQ_V1.0_261112_0.pdf .

An example completed CoCo is here: http://www.cabinetoffice.gov.uk/sites/default/files/resources/PSN_Code_Template_exemplar_version_V1.pdf

Guidance for understanding the entire process of procuring PSN connectivity is provided in this guide: http://gps.cabinetoffice.gov.uk/sites/default/files/contracts/PSN%20Customer%20Guidance%20Document%20v1-5_0.pdf

The suppliers who are on the PSN Connectivity Framework contract are listed, together with their bids, on this page of the GPS Website: http://gps.cabinetoffice.gov.uk/contracts/rm860

The sources below are not Cabinet Office owned assets and we are not endorsing any of them by including them here. We will happily add more links here, if you find them. Please email any suggestions to Peter Magee as above. Similarly, if any of these links are not correct or change, please advise us and we shall update this guide as appropriate.

PSN for Dummies is available for download at http://your.level3.com/content/2012EUPSNETDGUIDILP1_PSNDumGuideRegPage_20120423#

A nice overview video of PSN is available here: http://your.level3.com/content/2012EUPSNETDGUIDILP1_PSNDumGuideRegPage_20120423

24. Becoming a PSN Services Provider

24.1 Are you going to Offer Services?


Once connected to the PSN you will be able to buy services from all other PSN Service Providers. You may, however, have services that you wish to offer to other PSN customers. This element of the PSN is designed to ensure that expertise that resides in the Public Sector is made available to a wide audience and perhaps to reap some benefit for the investments you made in developing services.

If you have services that you wish to offer, they must be accredited by the PSNA. In order to become accredited you need to complete a Code Template, but in this instance it is a Code of Practice (CoP).

24.2 Submit Your CoP if you are offering services Details of how to fill in a CoP are in the same Code Template document as the CoCo. Once your service is accredited, you will be issued with a PSN Certificate, and your service will be listed on the PSN web site as an available service.

The diagram below shows a Local Authority which also plans to offer services to other PSN Customers. The Services DMZ hosts the PSN available service offerings. In this case the Customer has to sign a CoP as well as CoCo.

Figure 3: Schematic showing a typical Authority connected to the PSN and also providing services to other PSN Customers

24.3 Provision of Services via the internet There are a number of different factors about Internet Access to web servers that need to be taken into account. These include:

Do the Web servers access data on any back office databases and how will these connections be affected by the migration?

Is any service management conducted by the organisation (e.g. requiring remote logon) or is it all outsourced? If there is remote logon, does that only permit logon from particular IP addresses and will these change?

How is content created and managed and would a migration affect this?


Does the web service have any interdependencies with other organisations who may migrate at some point to PSN but at different times to each other? See Third Party Connections above.

25. Aggregators You can connect to PSN in two main ways, either singly or collaboratively through what is referred to as ‘an Aggregator’. Examples of Aggregators are London PSN (LPSN) and Kent (KPSN). If you are connecting singly, then most of this document is relevant directly to you. If you are connecting through an Aggregator (for example, the London Borough of Bromley is connecting through LPSN), then your Aggregator will take on much of the burden of the transition. If you are an Aggregator, of course, you have the burden!

