PSN Technical Transition Guidance Public Services Network
Transcription
PSN Technical Transition Guidance Public Services Network
UNCLASSIFIED PSN Technical Transition Guidance Public Services Network Programme Version 2.0 Prepared by: PSN Project Team Date Prepared: 7 Oct 2013 UNCLASSIFIED UNCLASSIFIED Document Information Project Name: Prepared By: Title: PSN Customer Transition Peter Magee Document Version No: Project Manager 2.0 Document Version Date: 07/10/13 Review Date: 07/10/13 Reviewed By: Version History Ver. No. Ver. Date Revised By Description Filename 001 - 006 10/24/2012 Peter Magee Working Draft Technical Transition Guidance 010 .011 11/2/2012 Mark Brett Security Team Review Technical Transition Guidance 011 .012 11/2/2012 Nick Higgins Technical Review Technical Transition Guidance 012 0.19 06/12/2012 Peter Magee Mark Brett Overall review Further security / compliance updates Technical Transition Guidance 019 0.21 11/12/12 Peter Magee Input from various reviewers Technical Transition Guidance 021 0.22 18/02/13 Lisa Agyen Preparation for website publication Technical Transition Guidance 022 0.23 20/03/2013 Lisa Agyen Updated website links Technical Transition Guidance 023 1.0 29/04/2013 Stephen Hoban Document Reconfiguration, Included 9 steps for Transition & Zero Tolerance to Compliance Technical Transition Guidance V1.0 2.0 07/10/13 Stephen Hoban & Conan Gibney Document Update to reflect changes since previous update Technical Transition Guidance V2.0 V2.0 UNCLASSIFIED Page 2 of 23 UNCLASSIFIED Table of Contents 1. 2. 3. Document Purpose and Introduction ............................................................................................................. 4 Reference Architectures ................................................................................................................................ 4 Project Outline - 9 Steps to Transition ........................................................................................................... 6 3.1 Step 1 - Define End-State Architecture ............................................................................................... 7 3.1.1 Identify Dates of Procurement Expiry .......................................................................................... 7 3.1.2 Security Classification for the Data You Use ............................................................................... 8 3.1.3 Choose your DNSP...................................................................................................................... 8 3.2 Step 2 - Identify Who will need your new IP Address ......................................................................... 8 3.2.1 Key Government Applications ..................................................................................................... 9 3.2.2 Data Sharing Actions ................................................................................................................... 9 3.2.3 Staff Security Checks................................................................................................................... 9 3.3 Step 3 – PSN CoCo Compliance ...................................................................................................... 10 3.3.1 PSN CoCo Evaluation and Renewal Process Changes ............................................................ 10 3.3.2 Network Diagram ....................................................................................................................... 11 3.3.3 IT Health Checks ....................................................................................................................... 13 3.3.4 PSN Code Template .................................................................................................................. 13 3.3.5 PSN Code Template Annex B ................................................................................................... 13 3.3.6 Submitting your completed Application...................................................................................... 14 3.3.7 How long does it take to award my certificate? ......................................................................... 14 3.4 Step 4 - PSN IP Address Application ................................................................................................ 14 3.4.1 PSN IP Address Action .............................................................................................................. 14 3.5 Step 5 - Place Connectivity Order ..................................................................................................... 15 3.5.1 Sign Replacement Call Offs ....................................................................................................... 15 3.5.2 Book Testing / Transition Slot .................................................................................................... 15 3.6 Step 6 – PSN Connectivity Circuit Installation & Onward GCN Connectivity ................................... 15 3.7 Step 7 - Central Government & Local Partners IP Changes ............................................................ 15 3.8 Step 8 – Testing the GCF / PSN Interconnect & Transition .............................................................. 15 3.8.1 Firewall Configuration ................................................................................................................ 15 3.8.2 Firewall Rules Set ...................................................................................................................... 16 3.8.3 Domain Name Service (DNS) .................................................................................................... 16 3.8.4 PSN DNS Servers ...................................................................................................................... 16 3.8.5 DNS changes ............................................................................................................................. 16 3.8.6 MX Records ............................................................................................................................... 17 3.8.7 DNS Actions ............................................................................................................................... 17 3.8.8 Public Key Infrastructure, Encryption and Impact Levels .......................................................... 17 3.8.9 PKI, Encryption and Impact Level Actions ................................................................................. 17 3.8.10 Internet Access and Web Services ............................................................................................ 17 3.8.11 Inter-domain and Interoperability Gateways .............................................................................. 17 3.8.12 GSI/GCSx Gateways (Legacy Access) ..................................................................................... 17 3.8.13 GCSx Connectivity ..................................................................................................................... 18 3.8.14 Gateway Actions ........................................................................................................................ 18 3.8.15 NTP and Time Synchronisation ................................................................................................. 18 3.8.16 NTP Actions ............................................................................................................................... 18 3.8.17 Voice over IP and Telephony ..................................................................................................... 18 3.8.18 Voice over IP and Telephony Actions ........................................................................................ 18 3.8.19 Pre Transition Testing ................................................................................................................ 18 3.8.20 Day of Transition Testing ........................................................................................................... 19 3.9 Step 9 – Cease Order ....................................................................................................................... 19 4. References, contacts, useful reading and web resources ........................................................................... 20 5. Appendix 1 – Example List of Applications .................................................................................................. 21 V2.0 UNCLASSIFIED Page 3 of 23 UNCLASSIFIED 1. Document Purpose and Introduction This document is designed for the technical team to help facilitate transition to PSN. Whilst each customer has a unique infrastructure and will have a slightly different transition to PSN, this document provides guidance to ensure important technical aspects of migration are simplified. This is a living document, and the intention is that it will be enhanced with lessons learned. There are a number of drafting notes, marked [DN] where there are outstanding questions, these will be added to over time. This guide will help ensure: Your transition to PSN is de-risked and simplified; Your transition to PSN does not miss any critical technical aspects; Activities with a long lead time are identified and completed to avoid delays, and Lessons learned by other departments help your migration. Further information and the latest version of this and other documents can be found at http://www.cabinetoffice.gov.uk/content/public-services-network and at http://www.cabinetoffice.gov.uk/resource-library/public-services-network This document contains the following elements: A calendar of transition events and key milestones; Reference architectures; A guide to the activities; and Guidance on some non-technical issues. 2. Reference Architectures The schematics below illustrate potential architectures of a typical authority connected to PSN. The authority has a network running at IL2. An Inter-operability Gateway (IOG) allows connections to third party suppliers, such as the Housing Association shown here, running at IL0. An IOG also allows access to publically addressable servers such as public email and remote access servers. These operate in DMZ, which is in turn protected by an Inter-domain gateway. Gateways also allow the authority to connect to the PSN, via their PSN Coco. Through this gateway, Local Authorities will have access to a wide selection of service offerings from many different providers. V2.0 UNCLASSIFIED Page 4 of 23 UNCLASSIFIED Figure 1: Schematic showing a typical Authority connected to the PSN and to other, third party organisations The diagram below shows a Local Authority which also plans to offer services to other PSN Customers. The Services DMZ hosts the PSN available service offerings. In this case the Customer has to sign a PSN CoP as well as PSN CoCo. Figure 2: Schematic showing a typical Authority connected to the PSN and also providing services to other PSN Customers V2.0 UNCLASSIFIED Page 5 of 23 UNCLASSIFIED The diagram below shows a Customer which has parts of their network carrying data that has a security level of IL3. IL3 DNS Head Office (IL3) Data Centre (IL3) Z Regional Office (IL3) Z Z IOG Mail Z Regional Office (IL3) IOG IL2 DNS Z Regional Office (IL3) DNSP (IL2) Mail IOG Z Regional Office (IL3) IOG Mail DMZ (IL0-2) Public Web Servers & Internet Email DNSP Hosted IOG Separate connection for high bandwidth FTP transfers with Supplier IOG Interoperability Gateways Z Internet (IL0) Mail IL0 PEPAS Router IPSec Encryptor IL3 over IL2 PRIME Document: Organisation: Version: Date: Author: Marking: Department 1.0 12/12/12 Andy Smith PROTECT Authority E-Mail Servers Figure3 Schematic showing an Authority which requires IL3 level of security. You are required to submit a network architecture schematic as part of your PSN CoCo application. There is a section below which gives advice about what is required to get accreditation. 3. Project Outline - 9 Steps to Transition The graphic below highlights the 9 key activities that every organisation will need to undertake to transition to PSN. It highlights the core activities, and those responsible for the particular activity, through the lifecycle of the transition process. Each activity will need to be considered and included in your organisations transition plans. Timeframes between your decision to initiate PSN transition planning and Go Live will, of course, vary depending on the complexity of your IT environment. For example; it takes some time to gather the information that is used to complete your PSN CoCo, and this time may increase if you have many partners that will be required to contribute to your submission. It may take potentially three months to award your PSN Compliance certificate It may be more if your submission is very complex. The graphic below illustrates the relative timeline of a typical transition. V2.0 UNCLASSIFIED Page 6 of 23 UNCLASSIFIED The start of any transition project begins with the decision of the organisation to move to PSN. This will be supported by a business case which will set out the scope of services that you will be moving to the PSN and which services you will be in a position to offer to other PSN customers. 3.1 Step 1 - Define End-State Architecture The Public Services Network is, as the name indicates, is built around ‘Services’. Connectivity is one of these services, and as mentioned above, you will be provided this service by a DNSP. As you plan to move to PSN, you will need to think through the various ICT services that you consume, and determine how you want to have those Services provided to you. This will include the various organisations that you connect to, and with whom you exchange data. 3.1.1 Identify Dates of Procurement Expiry You will need to review the contracts that you have with your current service providers to understand when those contracts expire, so that you can determine the plan for transition. In particular you need to check when your GCF and GSi contracts expire. GCF/GSi contracts will not be renewed and so you will have to sign new call offs and CoCo’s to retain connectivity to these services. You will still be able to consume GCF Services while your GCF CoCo is still valid and then once you have been awarded a PSN CoCo. If you have a connection provided under the GCF that is due for renewal you will need to complete a PSN CoCo. Once certified your connection will then be treated as a PSN connection and on expiry of your GCF service contract you will procure your connection from any PSN Compliant service Provider. V2.0 UNCLASSIFIED Page 7 of 23 UNCLASSIFIED 3.1.2 Security Classification for the Data You Use You will need to have a clear understanding of the security classification for your PSN architecture. The PSN has been designed to operate at the CESG classification of Impact Level 2. The reason for this is that, as a Local Authority, you will have personal information on most of your systems. Protecting personal information is a legal requirement, under the Data Protection Act 1998. Fines in excess of £100,000 are regularly issued by the Information Commissioner for non-compliance with the Act. By adopting the standards set out in the PSN Standards, the information in your systems and access to it will be sufficient to assure the public and the Information Commissioners Office that all reasonable steps were taken to preserve and protect their personal information. The PSN is defined to operate at Impact Level 2 (IL2), however IL3 data, (for example, health care records, police evidential and criminal justice records) can also be carried over the network using an Encryption Domain that sits on top of the PSN architecture. 3.1.3 Choose your DNSP In order to connect to PSN, you will need to select a provider of Connectivity Services. These providers are called Direct Network Service Providers (DNSPs). Their services are procured under the GPS PSN Framework. The list of potential providers can be found here http://gps.cabinetoffice.gov.uk/ For the avoidance of doubt, your choice for DNSP is not limited to your incumbent connectivity provider. Furthermore, the Services that you can buy over the PSN are not limited to those offered by the DNSP that you select for your connectivity. PSN provides you increased and increasing access to a range of services that are all accredited for use over the PSN network. These services can be bought from the Framework contracts that have been negotiated by Government Procurement Services. Each of the DNSPs has provided a good deal of information about their approach to providing PSN Connectivity in their bids which can be downloaded from the GPS website above. These generic approaches will be tailored to a greater or lesser extent to your environment. Please Note: Those customers that are going to change their DNSP to an alternative supplier (Option 2); Vodafone (CWW) require 30 days notice to terminate connectivity. 3.2 Step 2 - Identify Who will need your new IP Address You will need to identify all the parties that you exchange data with. One of the main technical reasons for this is due to the fact that as part of the transition to PSN, you will be provided with a new IP address which will be allocated by the PSNA further in the transition process. As such you will need to identify all parties that you exchange data with and identify which Government applications you consume. This is not just a technical issue. To get the full benefit from PSN and the Services that you can buy from it, you will need to talk to your business users to capture their needs for data exchange. One of the strengths of the PSN is that your data needs will be similar to other Customers, and therefore you will be able to obtain ICT Services at a cost which reflects this shared use. You should check with your business users to ensure that you have all of your partners identified. If you migrate to PSN without ensuring that these partners have made the changes required, then transition to PSN will be made that much more complicated. These partners may not have sophisticated technical knowledge, so you may have to provide assistance to them to ensure that they are not cut off. Typical Local Authorities exchange data with the following kinds of partners: Other Local Authorities Government Departments and bodies V2.0 UNCLASSIFIED Page 8 of 23 UNCLASSIFIED Commercial shared Service Providers connected to the PSN Emergency Services Criminal Justice Services Housing Associations Charities Community services such as churches, sports facilities Health Authorities and Trusts Schools and Educational Establishments Providers of services such as facilities management, waste collection. You will need to ensure that these parties can continue to share data during and after transition. You should identify the following attributes for each organisation that you work with. You need to identify the IP Addresses used by them and by you; Advise them of the detailed plans for IP address changes for them to configure their devices; Configure your firewall to ensure that this communication can continue; Test the transition activity, and Update any information sharing agreements and MOUs to reflect PSN connectivity (especially those that are governed by GCF/GSi) 3.2.1 Key Government Applications Local Authorities and central government departments are dependent on a number of key application services. Many of these applications will require changes to be made to ensure that communication is not interrupted during transition. This will typically be changes to firewalls, IP addresses and email addresses. You will need to identify all government applications your organisation utilises and share this information with the PSN Programme Team who will assist in ensuring you can continue to connect to them through your transition to PSN. Appendix 1 contains a list of some of the key government applications that organisations utilise. The list is by no means a complete list of all the applications in use across government and is only meant as a guide 3.2.2 Data Sharing Actions Identify the parties you exchange data with Include all of them on the transition plan, including early communications, testing and cut-over Calculate IP address impacts and if necessary update you PSN IP Address allocation request Ensure that all staff using PSN systems are checked to the appropriate level 3.2.3 Staff Security Checks In order to use PSN, your operations staff must be accredited to an appropriate standard. An acceptable security standard is the Baseline Personnel Security Standard (BPSS). This ensures that all PSN users have met an acceptable level of security. You will need to develop a plan to ensure that your staff connecting to the PSN or consuming PSN services meet this level of accreditation to obtain your PSN CoCo compliance certificate. If you handle data that has IL4 or higher level of security, then staff handling that data will continue to require higher levels of security clearance. BPSS is adequate for up to and including IL3. V2.0 UNCLASSIFIED Page 9 of 23 UNCLASSIFIED 3.3 Step 3 – PSN CoCo Compliance Before your organisation can connect to PSN, or use it to receive PSN services, you must be PSN Compliant. To receive your PSN Compliance you will need to complete and submit a PSN CoCo and other supporting documents to the PSNA at least 1 month prior to expiry of your current CoCo. If you are a supplier of services you will also need to fill out a Code of Practice (CoP). You may have experience of completing the GSi CoCo submission and documentation required for your PSN CoCo is similar. Detailed information on how to complete a PSN CoCo application is available on the PSN website on the link below or by contacting the compliance team on psna.compliance@gsi.gov.uk 3.3.1 PSN CoCo Evaluation and Renewal Process Changes The Evaluation and Renewal process for PSN Compliance was reviewed in April 2013 and changes were made to streamline and increase efficiencies in the process, implement SLA’s around submission and evaluation timeframes and to implement a clear escalation path for those customers that are late with their submission or submit incomplete or substandard paperwork. From April 2013 onwards Reminder Notices will be sent out to all customers 3 months and 1 month prior to CoCo expiry to remind organisations of their obligations to submit their annual CoCo submission. To ensure you remain connected, you will need to complete and return your PSN CoCo annually in advance of expiry. If you fail to submit the required paperwork in advance of expiry, you will enter the escalation process and may risk disconnection. A Zero Tolerance Approach to PSN Compliance will be enforced Some existing GSi customers may find that they need to undertake some security improvements in preparation for their migration to PSN as No Remedial Action Plans or weak compliance positions will be imported into PSN. We are ceasing the issue of Remedial Action Plans and any oversight of actions arising from an On-Site Assessment or IT Health Check – you will either be assessed as ‘Compliant’ or ‘Rejected’. V2.0 UNCLASSIFIED Page 10 of 23 UNCLASSIFIED To complete your PSN CoCo submission you will need to provide the following: Network Diagram IT Health Check report (less than 6 months old at date of submission) PSN Code Template PSN Code Template Annex B 3.3.2 Network Diagram You will need to produce a Network diagram for submission with your PSN CoCo If possible, please provide your Network diagram in Viso; If not Visio, then please ensure that they are readable using one of the MS Office products. An up-to-date Network Diagram (dated within the last 6 months) is required. This high level diagram is not expected to include every device but is required to show that the scope of the connection. The key aspects to be included are: Service interactions V2.0 UNCLASSIFIED Page 11 of 23 UNCLASSIFIED Context around onward connectivity Any off-shoring of systems and information Third-party connectivity No more than six months old at the time you submit your PSN CoCo The document ‘PSN IA Conditions Supporting Guidance’ provides clear guidance on what needs to be in your network diagram and what does not. The current guidance states the following: DIA.x Network Diagrams Explanation: An up to date high level/logical network diagram is fundamental to understand the connection environment. The high level diagram is not expected to include every last device, in fact the diagram can be conceptual, but is required to ensure that the scope of the connection is understood by the customer and anyone carrying out a compliance check. The customer environment may be very complex with a mixture of services being consumed some will be PSN branded services and others locally procured or implemented. The key aspects to be included are: Service interaction, so it is clear which services the organisation is consuming and whether they are PSN or non PSN services. The outcome is to highlight where service interact or interoperate. Context around onward connectivity. If the organisation has onward connections to systems/services/networks that are either PSN or non PSN networks. Onward connections may also include detail around where the gateway is positioned. Any off shoring of systems and information, including any life support/maintenance connections Third party connectivity Guidance: V2.0 UNCLASSIFIED Page 12 of 23 UNCLASSIFIED DIA.x Network Diagrams [DIA.1] As a minimum the diagram will include: Organisational name, date of diagram, author, security domains/environments (e.g. RESTRICTED or IL3 Domain), local connections (with approximate numbers of users, PSN services, Non PSN Services, remote connections/access, all external and third party connections (with names of organisations, impact levels of connection, business reason for connection and boundaries of responsibility), location of security devices such as gateways (it is accepted that not all devices will be included but those that the customer may wish to highlight later in the various controls should be included), wireless network devices, infrastructure or connections that are off shored. It is not necessary for organisations to include the details of services and equipment that has already been accredited by the PSN, simply to show connections to them. Where appropriate, for larger and more complex configurations, it is not expected that every connected device, domain and critical device be shown. A realistic level of abstraction can be employed for standard builds and configurations, to ensure clarity around connections, security domains and services. Abstraction should be used to make the diagram simpler to produce and review. It might be appropriate to group assets by business impact level or function. The diagram method itself is not stipulated, some organisation may consider using the IS1 modelling methodology, others a more technical diagram. Due to the level of detail required, this diagram may require protectively marking. [DIA.2] The customer understands that compliance of the IA Conditions allows them to use the PSN to share information across the PSN with other PSN connected organisation and consume PSN approved services. However customers are not permitted to expose non-PSN approved services to the PSN unless these have been assured and offer protection to the rest of the PSN. An example might be the wider sharing of an organisational developed service such as an HR function from one customer to other PSN connecting customers. Any service delivery of this type will need to be in accordance with the PSN Compliance document (Ref [a]) that places restrictions around the scale, scope and appropriateness of this type of service delivery. Any onward services will need to be included in scope of the PSN IA Conditions submission for assessment. The actual assurance requirements may vary, and therefore it is recommended that any customer intending to offer services in line with the PSN Compliance document seeks advice from the PSNA. Please ensure your diagram clearly shows the PSN connected/consuming network aspects and those out of scope, perhaps using a different coloured background bubble, (e.g. light green = PSN, light yellow = out of scope.) 3.3.3 IT Health Checks Every PSN CoCo application and every annual renewal requires you to submit an up to date (less than 6 months old at time you submit CoCo) IT Health Check that has been undertaken on your organisation. IT Health checks are one of the most informative sources of information that the PSNA has on PSN connected organisations and helps to ensure the integrity of the entire PSN network. IT Health checks take time to schedule but only take a few days to complete so we would recommend booking the IT Health Check 3 months prior to your CoCo expiry date to ensure completion prior to your CoCo submission date. The CESG web site has a list of approved providers that you can use for this service. www.cesg.gov.uk 3.3.4 PSN Code Template The PSN Code Template needs to be completed as part of your PSN CoCo submission. Your CEO, SIRO or Section 151 assure the submissions accuracy and demonstrate their understanding and commitment to the PSN Compliance regime by signing Section 4. 3.3.5 PSN Code Template Annex B The Code Template Annex B is the body of your submission; it is where you detail your Information Assurance (IA) controls against the PSN requirements. Annex B is a Microsoft Excel workbook, with V2.0 UNCLASSIFIED Page 13 of 23 UNCLASSIFIED columns provided to allow you to record evidence. The spreadsheet contains all of the information that every type of connecting organisation requires. If you are a typical Local Authority, then you only need to complete the entries with the word ‘Customer’ in the ‘Applies To’ column. Note that if a question is of type ‘Declaration’ then simply a Yes/No answer is sufficient. If it is of type ‘Inspection’ then it requires some supporting materials. If there is something that is required, but that does not apply to you, then provide the reasons why you don’t need it. Some questions require supporting evidence that you are / have been compliant. In the event that you are just putting in that particular process or procedure, then you can state that it is an initial application. You have to submit your CoCo for renewal every year, and these items will have to be completed next time round. 3.3.6 Submitting your completed Application When you have completed all of the above, you will need to get your Chief Executive to sign your organisation’s application before it can be submitted. We’ve asked your Chief Executive to run through the application with you, to ensure all the necessary information has been included and so they get an understanding of the commitments your organisation is making. When you are both satisfied that the details are fully complete, your Chief Executive should sign the application. You can then email all the documents and supporting information to the PSNA Compliance team at psna.compliance@cabinet-office.gsi.gov.uk. 3.3.7 How long does it take to award my certificate? When PSNA receives your application it will validate all the information you have submitted. The PSNA will confirm to you, in writing, when your organisation has successfully completed PSN Compliance to its satisfaction. At this point you will be issued with your organisation’s PSN Compliance Certificate. Changes made to the CoCo Evaluation and Renewal Process SLA’s in April 2013 will ensure 90% of CoCo applications received, will be verified and assessed within 15 days of receipt and a Compliance outcome provided. Once your PSN Compliance Certificate has been issued, you should contact the PSN Project Team, to discuss your detailed schedule for transition which must occur prior to 31st March 2014. The PSN Transition Project Team can be contacted on via the PSN Mailbox at psn@cabinet-office.gsi.co.uk. The PSN Project Team will advise you if you will be able to get your changes done according to your planned schedule and we will help you coordinate with central government Service Providers, such as DWP to assist with a smooth transition and will help to manage the demands for PSN transition across all public sector bodies to avoid bottlenecks in demand. 3.4 Step 4 - PSN IP Address Application As part of your transition to PSN, your organisations IP address will need to be changed. This is due to an issue with dual running of GCF and PSN. New IP addresses have been pre- allocated by the PSNA for all customers based on current needs and the allocation will be centrally managed by the PSNA via an application process. Customers will be required to request their new IP address via the IP Address Allocation Request form that can be found on the PSN Website. You will need to obtain an appropriate number of IP addresses for your organisation. You can apply for IP Addresses with your PSN CoCo application or following receipt of your PSN Compliance Certificate the PSN Project Team can work with you to ensure that the relevant connecting organisations, such as DWP, know about your changes. 3.4.1 V2.0 PSN IP Address Action Complete the application for a PSN IP address and submit the application via email to: psna.compliance@cabinet-office.gsi.gov.uk UNCLASSIFIED Page 14 of 23 UNCLASSIFIED 3.5 Step 5 - Place Connectivity Order 3.5.1 Sign Replacement Call Offs You will need to place your connectivity order with your chosen DNSP and will need to work with your chosen supplier to ensure your replacement call off is in place within the timeframes outlined below Option Supplier Products Call Off Requirements Option 1 Vodafone (CWW) PSN Connectivity & Services GCF Connectivity & Services Call contract off must be signed by th 15 July. And Transition by March 31st 2014 Option 2 Alternative Supplier (Connection) PSN Connectivity Connectivity needs to be in place prior to st March 31 2014 CWW (Core Services) GCF Core Services GCF Services Call off contract must be signed th by 15 July 13 3.5.2 Book Testing / Transition Slot Testing of PSN connectivity and transition will be managed centrally through the Cabinet Office PSN Project team. You are able to book your proposed transition slot through the PSN mailbox at psna.compliance@cabinet-office.gsi.co.uk or by speaking directly with your PSN Transition Project Manager who will assist you with your organisations transition to PSN. 3.6 Step 6 – PSN Connectivity Circuit Installation & Onward GCN Connectivity Physical installation and configuration of the PSN connectivity service is the responsibility of the Customer’s chosen Connectivity Supplier. Customers should be aware of lead times of circa 50 days from point of a circuit order being received. Customers should confirm with their supplier that onward GCN connectivity is in place.. In order to retain access to GCF services, the customer will need to complete and return an RFC to Vodafone. The RFC needs to be completed and returned to Vodafone no later than 6 weeks prior to your selected transition date. You will need your PSN IP address for the RFC form. 3.7 Step 7 - Central Government & Local Partners IP Changes The PSNA are centrally managing the allocation and distribution of IP addresses across all PSN transitions. The PSN transition team will co-ordinate the IP address changes with those Central Government application hosts. 3.8 Step 8 – Testing the GCF / PSN Interconnect & Transition 3.8.1 Firewall Configuration You will be required to configure your firewall to enable the new IP address scheme and provide connectivity to the New Service Provider. V2.0 UNCLASSIFIED Page 15 of 23 UNCLASSIFIED 3.8.2 Firewall Rules Set The IA guidance sets out the recommended rule set. For ease of use the current version is below. From Your proxy/NAT To PSN Protocol HTTP (TCP/80) HTTP (TCP/8080) HTTPS (TCP/443) Action Allow PSN Your applications/Web servers HTTP (TCP/80) HTTPS (TCP/443) Allow PSN Your mail servers PSN SMTP (TCP/25) Allow SMTP (TCP/25) Allow Your DNS Server(s) PSN DNS servers DNS (UDP/53) DNS (TCP/53) Allow Your NTP servers PSN NTP Servers NTP (UDP/123) Allow Any Any Any Block Your mail servers 3.8.3 Comment Enable outbound access to applications within the PSN using HTTP & HTTPS Enable inbound requests from the PSN to your Web Servers/ Applications Enable inbound email from PSN Enable outbound email from your network to the PSN Allow queries to the PSN DNS servers Allow queries to PSN NTP servers Default rule for all other traffic. Domain Name Service (DNS) 3.8.4 PSN DNS Servers PSN will provide the primary DNS servers and resolvers for all PSN domains. The addresses for the servers are available from PSN Project Team upon request. (The actual addresses are restricted so inclusion in this document would raise the security classification.) These servers will act as the primary DNS for all resolutions, passing requests to the Internet root DNS servers where resolution in non .gov.uk (or other internal DNS servers for other PSN hosted domains) is required. You will need to implement your own DNS resolvers (servers or proxies) which resolve requests from your clients. These resolvers should then point to the PSN primary DNS servers. There will be different PSN primary servers and resolvers at each impact level (IL2 and IL3). You will need to ensure that all DNS requests from your network are directed at your local DNS resolvers, and that all proxies point to the new servers. 3.8.5 DNS changes As more organisations migrate there may be changes both to IP address ranges that are visible and to the DNS servers that are used as the PSN primary resolvers by the organisation. You should use names rather than IP addresses to refer to hosts to minimise your DNS changes. It is important that you make a plan for the before and after state of the DNS entries that are published in the PSN resolvers. This plan should include any publically visible interfaces and services (e.g. email) so that the organisation can still be found by others; it should also include the gateway entries for the organisation to find the primary resolvers and mail servers on PSN. V2.0 UNCLASSIFIED Page 16 of 23 UNCLASSIFIED 3.8.6 MX Records The Mail eXchange (MX) records in the DNS point to the mail servers for each domain that is subordinate to the .gov.uk domain. Organisations should ensure that their mail servers’ MX records are correctly referenced in the primary DNS servers and their mail servers can see the service provider mail servers and where applicable; the Internet. [How do they do that?] 3.8.7 DNS Actions Identify all systems which will be impacted by the DNS changes. Develop a plan to migrate. Develop test scripts to ensure changes are implemented correctly. Implement DNS resolvers to point to the PSN DNS servers. Ensure that all DNS requests from your network are directed at your local DNS resolvers, and that all proxies point to the new servers. 3.8.8 Public Key Infrastructure, Encryption and Impact Levels The PSNA will provide guidance on the necessary procedures and contacts to ensure that you are able to meet the requirements for Public Keys, Encryption and Impact Levels. In particular the organisation will need to identify at least two people, who will need to be civil servants or public servants, to act as crypto custodians. They will deal with the Certificate Authority to obtain the necessary key material (keymat) and ensure policy is followed, including compliance with CESG IA Standard 4 and CESG IA Standard 5. Security standards, guidance and strategy, and PKI strategy, policy and requirements are available on the PSN Website. 3.8.9 PKI, Encryption and Impact Level Actions Contact PSNA and obtain the guidelines for working with secure data. Identify at least two people (one main person and a backup, for example) to be the crypto custodian. Obtain the necessary clearances for those people. 3.8.10 Internet Access and Web Services Internet access from PSN connected organisations can be bought from the PSN services catalogue. It is likely that most DNSP’s will provide Internet access as part of their offering, but there are also likely to be value-add offerings such as those that include Remote Access or web hosting. 3.8.11 Inter-domain and Interoperability Gateways As mentioned above, you will need to identify all services and other organisations that you communicate with and ensure that this communication is not interrupted by migration. As part of your requirements gathering for your PSN procurement, you will need to identify the connection requirements. Some of these organisations will be outside the PSN and may therefore require an Interoperability Gateway. Others that have already migrated to PSN will require Inter-domain gateways which will be provided by your PSN Provider. 3.8.12 GSI/GCSx Gateways (Legacy Access) If you use GSI services you may wish to continue to use them through the PSN/GSI gateway. It is likely that as the first few customers transition onto PSN, that this will be the case. In due course, these services will be transitioned themselves, and they will become PSN services. Additionally, new service providers will begin to offer competing services to those on the GSI, and you will have the option to procure those services instead. V2.0 UNCLASSIFIED Page 17 of 23 UNCLASSIFIED 3.8.13 GCSx Connectivity You should configure your environment to forward requests for DNS name resolution of GCSXrelated systems names to the GCSX DNS resolvers (this is often referred to as ‘conditional forwarding’ or ‘forward zones’). 3.8.14 Gateway Actions Identify connection requirements for third party organisations and detail gateway requirements. Specify gateway requirements in the PSN Order that you place with your chosen DNSP. 3.8.15 NTP and Time Synchronisation Government services need to work on the same time. You will need to ensure that when you migrate to PSN, you continue to obtain an NTP service. In some cases, authorities have built their own NTP service, to address this issue in the past. Many authorities currently obtain the service from GSX. In the future, you will be able to obtain an NTP service from a PSN Service Provider. 3.8.16 NTP Actions Determine your NTP solution, and ensure that it is in place and working before commissioning the New Service Provider. 3.8.17 Voice over IP and Telephony There are two scenarios for migration of currently contracted telephony facilities. If you have a contract with a service provider to provide telephony services, and that provider has a PSN accredited service, then you can buy this off the PSN framework in future, and there is no additional work to be done, If you have a have a contract with a service provider, and it is not an accredited service, then you might be able to persuade your service provider to get a CoP for that service. Once again, there is little work required by you. If you don’t want to keep your current service and plan to buy a telephony service from a new provider once you are on the PSN, then you can buy from any accredited telephony service provider. These service providers are listed on the PSN web site. If you own your own and manage your own equipment and you wish to connect it to the PSN, then you will be required to have that equipment accredited by the PSN. Please contact the PSN Project Team for assistance with this aspect. In the event that you are moving to new telephone numbers, then this will have to be designed and communicated widely. Any key numbers that are published to the public or third party services need to be carefully managed and either forwarded or handled by a termination or call handling service. 3.8.18 Voice over IP and Telephony Actions Develop a migration plan for telephony service which ensures that any PSN connected services are PSN Accredited. Identify key numbers which need to be migrated and develop a communications plan for changes. 3.8.19 Pre Transition Testing It is your responsibility to start testing no later than 2 weeks prior to transition. For testing to occur, your RFC will need to be completed by Vodafone and your PSN circuit installed. Testing must cover the following: V2.0 UNCLASSIFIED Page 18 of 23 UNCLASSIFIED End to End Connectivity between Local Authority and your PSN circuit provider o o o o Ping your gateway from the Internal LAN Ping PSN DNS Servers Ping a test address provided by the PSNA Test DNS resolution using nslookup Secure Mail Relay Testing Central Govt applications 3.8.19.1 Testing Actions Request a PSN test email domain on Vodafone RFC Configure access from stand alone machine to Secure Mail Relay based on Vodafone provided instructions Develop a test plan for each area of your PSN transition. Provide test scripts to the New Service Providers. Manage the execution of the tests and sign-off as appropriate. 3.8.20 Day of Transition Testing Once you have made full network changes on your transition day, then you must test the following: End to End Connectivity between Local Authority and your PSN circuit provider o o o o Ping your gateway from the Internal LAN Ping PSN DNS Servers Ping a test address provided by the PSNA Test DNS resolution using nslookup Secure Mail Relay Testing Central Govt applications Please refer to PSN GCF Transition IL2 Inter-Connect Test Plan for further detail 3.9 Step 9 – Cease Order We would advise putting a Cease Order in with Vodafone for your GCF circuit 2 days following your transition. This may not apply to some customers that use an aggregate connection as this cease will not be able to be completed until last partner organisation is transitioned V2.0 UNCLASSIFIED Page 19 of 23 UNCLASSIFIED 4. References, contacts, useful reading and web resources The PSN Project Team points of contact are Karen Cleale Email: Karen.Cleale@cabinet-office.gsi.goiv.uk Stephen Hoban (Local Authorities) Email: Stephen.Hoban@cabinet-office.gsi.gov.uk Conan Gibney (Local Authorities) Email: Conan.Gibney@cabinet-office.gsi.gov.uk Iain Attree (Central Government) Email:Iain.Attree@cabinet-office.gsi.gov.uk The PSN Website is the authoritative site where original source documents for the PSN are found is here: http://www.cabinetoffice.gov.uk/content/public-services-network and at http://www.cabinetoffice.gov.uk/resource-library/public-services-network V2.0 UNCLASSIFIED Page 20 of 23 UNCLASSIFIED 5. Appendix 1 – Example List of Applications Name DWP Customer Information System (CIS) LAID/LACI DTA ETD/LAWS ATLAS CIS Prompts (Effectively subsumed by ATLAS) i-Works Data MSHBEatching HB/CTB Interest Maintenance Benefit Cap HBCS/ HBSDC JARD (Joint Asset Recovery Database) Libra (Libra.lcd.gsi.gov.uk; Libra-cms.lcd.gsi.gov.uk; Libra-infonet.lcd.gsi.gov.uk) TellUsOnce NHS Spine Application Portal NHS Intranet Homepage SWIFT Blue Badge Activa ePIMS NCRS Reliable messaging (NHS) NCRS ETP (NHS) Choose and Book (NHS) Webmail (NHS) Directory updates (NHS) NHS websites (NHS) TPP Systm1 Government Gateway EAS Service ( http://www.gateway.gsi.gov.uk/) Government Gateway EAS Service - Registration Authority Page (https://ra.gateway.gsi.gov.uk/SSMS/en) LoCTA Service CESG IA Policy Portfolio Sunguard Aspiren Service (sftp.aspiren.gse.gov.uk) National Resilience Extranet (NRE) https://www.resilience-extranet.gse.gov.uk Free School Meals Eligibility Checking Free School Meals Eligibility Checking (Web Service) Electronic Property Information Mapping Service (e-PIMS) Secure Bulk File Transfer (Data Transport Applicance) Paymaster (Xafinity) GSI) CJX online. National Roads Policing intelligence Forum (PNN) Passport Office - Omnibase (GSI) V2.0 UNCLASSIFIED Page 21 of 23 UNCLASSIFIED Name West Lothian eCare (GSX) PLOD (PNN) Home Office web services (GSI) Tachonet (TESTA) ePayfact (GSE) DVLA DRP (GSI) CASWEB (PNN) TESTA Government Gateway (GSi) Knowledge Network (GSI) Lothian and Borders Police (PNN) Cabinet Office – Security Matters web site Group Web Space (GSI) Dept. of Health (DOH) Epayfact Epayfact Epayfact Bank of England Dept. of Trade & Industry GSI1 Banner Online Epayfact e-Government Unit (eGU) Scottish Criminals Record Office (SCRO) CJX SCRO CJX CJX Scottish Police Information Site (SPIS) CJX Scottish Drugs Enforcement Agency (SDEA) www.gsi.gov.uk Epayfact www.gsi.gov.uk HM Court Service (HMCS) Public & Intranet Sites Cable & Wireless Hosting CJX Police CJX GENESIS CJX Police Epayfact CJX Online RedDot Content Management System Eplanner statutelawdatabase.dca.gse.gov.uk Message broker PLOD DCA hosting V2.0 UNCLASSIFIED Page 22 of 23 UNCLASSIFIED Name Epayfact Testa II Knowledge Network Buying Solutions website Forensic Science CJX eGU RSA CJX Police CJX Customer Police Information Technology Organisation (PITO) Knowledge Networks DCA Hosting NOMS (Hendon) Testa II Knowledge Network Inverclyde Council (GSX) Airwave (CJX) VISOR (PNN) CONFIDENTIAL File & Print Services Health - IA Client and smartcard enabled devices IAPTUS EDRMS OfficeBase In house financial system - such as Cambridgshire 'CRIP' Legacy email and file storage Epex Clinical System IPM SCR – Summary Care Record Choose & Book SBS Financials Caretrack - Continuing Healthcare system CommCare - Continuing Healthcare system SQL Server - Datawarehouse SQL Server Reporting Services Combined Predictive Modelling Housing Benefit Applications Payroll Shared CRM across two LAs National Non Domestic Rates Service Traffic Management Database V2.0 UNCLASSIFIED Page 23 of 23