PSN Technical Transition Guidance Public Services Network

UNCLASSIFIED
PSN Technical Transition
Guidance
Public Services Network
Programme
Version 2.0
Prepared by: PSN Project Team
Date Prepared: 7 Oct 2013
Document Information
Project Name: PSN Customer Transition
Prepared By: Peter Magee
Title: Project Manager
Document Version No: 2.0
Document Version Date: 07/10/13
Review Date: 07/10/13
Reviewed By:
Version History
Ver. No. | Ver. Date | Revised By | Description | Filename
001 - 006 | 10/24/2012 | Peter Magee | Working Draft | Technical Transition Guidance 010
.011 | 11/2/2012 | Mark Brett | Security Team Review | Technical Transition Guidance 011
.012 | 11/2/2012 | Nick Higgins | Technical Review | Technical Transition Guidance 012
0.19 | 06/12/2012 | Peter Magee, Mark Brett | Overall review; further security / compliance updates | Technical Transition Guidance 019
0.21 | 11/12/12 | Peter Magee | Input from various reviewers | Technical Transition Guidance 021
0.22 | 18/02/13 | Lisa Agyen | Preparation for website publication | Technical Transition Guidance 022
0.23 | 20/03/2013 | Lisa Agyen | Updated website links | Technical Transition Guidance 023
1.0 | 29/04/2013 | Stephen Hoban | Document reconfiguration; included 9 steps for Transition and Zero Tolerance to Compliance | Technical Transition Guidance V1.0
2.0 | 07/10/13 | Stephen Hoban & Conan Gibney | Document update to reflect changes since previous update | Technical Transition Guidance V2.0
V2.0
UNCLASSIFIED
Page 2 of 23
Table of Contents
1. Document Purpose and Introduction ..... 4
2. Reference Architectures ..... 4
3. Project Outline - 9 Steps to Transition ..... 6
3.1 Step 1 - Define End-State Architecture ..... 7
3.1.1 Identify Dates of Procurement Expiry ..... 7
3.1.2 Security Classification for the Data You Use ..... 8
3.1.3 Choose your DNSP ..... 8
3.2 Step 2 - Identify Who will need your new IP Address ..... 8
3.2.1 Key Government Applications ..... 9
3.2.2 Data Sharing Actions ..... 9
3.2.3 Staff Security Checks ..... 9
3.3 Step 3 – PSN CoCo Compliance ..... 10
3.3.1 PSN CoCo Evaluation and Renewal Process Changes ..... 10
3.3.2 Network Diagram ..... 11
3.3.3 IT Health Checks ..... 13
3.3.4 PSN Code Template ..... 13
3.3.5 PSN Code Template Annex B ..... 13
3.3.6 Submitting your completed Application ..... 14
3.3.7 How long does it take to award my certificate? ..... 14
3.4 Step 4 - PSN IP Address Application ..... 14
3.4.1 PSN IP Address Action ..... 14
3.5 Step 5 - Place Connectivity Order ..... 15
3.5.1 Sign Replacement Call Offs ..... 15
3.5.2 Book Testing / Transition Slot ..... 15
3.6 Step 6 – PSN Connectivity Circuit Installation & Onward GCN Connectivity ..... 15
3.7 Step 7 - Central Government & Local Partners IP Changes ..... 15
3.8 Step 8 – Testing the GCF / PSN Interconnect & Transition ..... 15
3.8.1 Firewall Configuration ..... 15
3.8.2 Firewall Rules Set ..... 16
3.8.3 Domain Name Service (DNS) ..... 16
3.8.4 PSN DNS Servers ..... 16
3.8.5 DNS changes ..... 16
3.8.6 MX Records ..... 17
3.8.7 DNS Actions ..... 17
3.8.8 Public Key Infrastructure, Encryption and Impact Levels ..... 17
3.8.9 PKI, Encryption and Impact Level Actions ..... 17
3.8.10 Internet Access and Web Services ..... 17
3.8.11 Inter-domain and Interoperability Gateways ..... 17
3.8.12 GSI/GCSx Gateways (Legacy Access) ..... 17
3.8.13 GCSx Connectivity ..... 18
3.8.14 Gateway Actions ..... 18
3.8.15 NTP and Time Synchronisation ..... 18
3.8.16 NTP Actions ..... 18
3.8.17 Voice over IP and Telephony ..... 18
3.8.18 Voice over IP and Telephony Actions ..... 18
3.8.19 Pre Transition Testing ..... 18
3.8.20 Day of Transition Testing ..... 19
3.9 Step 9 – Cease Order ..... 19
4. References, contacts, useful reading and web resources ..... 20
5. Appendix 1 – Example List of Applications ..... 21
1. Document Purpose and Introduction
This document is designed for the technical team to help facilitate transition to PSN. Whilst each
customer has a unique infrastructure and will have a slightly different transition to PSN, this
document provides guidance to ensure the important technical aspects of migration are simplified.
This is a living document, and the intention is that it will be enhanced with lessons learned. There
are a number of drafting notes, marked [DN], where there are outstanding questions; these will be
added to over time.
This guide will help ensure:
- Your transition to PSN is de-risked and simplified;
- Your transition to PSN does not miss any critical technical aspects;
- Activities with a long lead time are identified and completed to avoid delays; and
- Lessons learned by other departments help your migration.
Further information and the latest version of this and other documents can be found at
http://www.cabinetoffice.gov.uk/content/public-services-network and at
http://www.cabinetoffice.gov.uk/resource-library/public-services-network
This document contains the following elements:
- A calendar of transition events and key milestones;
- Reference architectures;
- A guide to the activities; and
- Guidance on some non-technical issues.
2. Reference Architectures
The schematics below illustrate potential architectures of a typical authority connected to PSN. The
authority has a network running at IL2. An Inter-operability Gateway (IOG) allows connections to
third party suppliers, such as the Housing Association shown here, running at IL0. An IOG also
allows access to publicly addressable servers such as public email and remote access servers.
These operate in a DMZ, which is in turn protected by an Inter-domain gateway. Gateways also allow
the authority to connect to the PSN, via their PSN CoCo. Through this gateway, Local Authorities will
have access to a wide selection of service offerings from many different providers.
Figure 1: Schematic showing a typical Authority connected to the PSN and to other, third party organisations
The diagram below shows a Local Authority which also plans to offer services to other PSN
Customers. The Services DMZ hosts the PSN available service offerings. In this case the Customer
has to sign a PSN CoP as well as PSN CoCo.
Figure 2: Schematic showing a typical Authority connected to the PSN and also providing services to other PSN Customers
The diagram below shows a Customer which has parts of their network carrying data that has a
security level of IL3.
[Figure 3: Schematic showing an Authority which requires IL3 level of security. The diagram shows a
Head Office, Data Centre and several Regional Offices operating at IL3, linked across the IL2 DNSP
network by IPSec encryptors (IL3 over IL2 PRIME) and PEPAS routers; IL2 DNS and Mail; Interoperability
Gateways (IOG); a DNSP-hosted DMZ (IL0-2) for Public Web Servers & Internet Email; a separate
connection for high bandwidth FTP transfers with a Supplier; the Authority E-Mail Servers; and the
Internet (IL0). Diagram title block: Organisation: Department; Version: 1.0; Date: 12/12/12; Author:
Andy Smith; Marking: PROTECT.]
Figure 3: Schematic showing an Authority which requires IL3 level of security.
You are required to submit a network architecture schematic as part of your PSN CoCo application.
There is a section below which gives advice about what is required to get accreditation.
3. Project Outline - 9 Steps to Transition
The graphic below highlights the 9 key activities that every organisation will need to undertake to
transition to PSN. It highlights the core activities, and those responsible for each particular activity,
through the lifecycle of the transition process. Each activity will need to be considered and included
in your organisation's transition plans. Timeframes between your decision to initiate PSN transition
planning and Go Live will, of course, vary depending on the complexity of your IT environment. For
example, it takes some time to gather the information that is used to complete your PSN CoCo, and
this time may increase if you have many partners that will be required to contribute to your
submission. It may take up to three months to award your PSN Compliance certificate, and it may
be more if your submission is very complex.
The graphic below illustrates the relative timeline of a typical transition.
The start of any transition project begins with the decision of the organisation to move to PSN. This
will be supported by a business case which will set out the scope of services that you will be moving
to the PSN and which services you will be in a position to offer to other PSN customers.
3.1 Step 1 - Define End-State Architecture
The Public Services Network is, as the name indicates, built around 'Services'. Connectivity is one
of these services, and as mentioned above, you will be provided this service by a DNSP. As you plan
to move to PSN, you will need to think through the various ICT services that you consume, and
determine how you want those Services provided to you. This will include the various
organisations that you connect to, and with whom you exchange data.
3.1.1 Identify Dates of Procurement Expiry
You will need to review the contracts that you have with your current service providers to understand
when those contracts expire, so that you can determine the plan for transition. In particular you need
to check when your GCF and GSi contracts expire. GCF/GSi contracts will not be renewed, so
you will have to sign new call offs and CoCos to retain connectivity to these services.
You will still be able to consume GCF Services while your GCF CoCo is still valid, and then once you
have been awarded a PSN CoCo.
If you have a connection provided under the GCF that is due for renewal, you will need to complete a
PSN CoCo. Once certified, your connection will be treated as a PSN connection, and on expiry
of your GCF service contract you will procure your connection from any PSN Compliant Service
Provider.
3.1.2 Security Classification for the Data You Use
You will need to have a clear understanding of the security classification for your PSN architecture.
The PSN has been designed to operate at the CESG classification of Impact Level 2. The reason for
this is that, as a Local Authority, you will have personal information on most of your systems.
Protecting personal information is a legal requirement under the Data Protection Act 1998. Fines in
excess of £100,000 are regularly issued by the Information Commissioner for non-compliance with
the Act. By adopting the standards set out in the PSN Standards, the protection of the information in
your systems, and of access to it, will be sufficient to assure the public and the Information
Commissioner's Office that all reasonable steps were taken to preserve and protect their personal
information.
The PSN is defined to operate at Impact Level 2 (IL2). However, IL3 data (for example, health care
records, police evidential and criminal justice records) can also be carried over the network using an
Encryption Domain that sits on top of the PSN architecture.
3.1.3 Choose your DNSP
In order to connect to PSN, you will need to select a provider of Connectivity Services. These
providers are called Direct Network Service Providers (DNSPs). Their services are procured under
the GPS PSN Framework. The list of potential providers can be found at
http://gps.cabinetoffice.gov.uk/
For the avoidance of doubt, your choice of DNSP is not limited to your incumbent connectivity
provider. Furthermore, the Services that you can buy over the PSN are not limited to those offered by
the DNSP that you select for your connectivity. PSN provides you increased and increasing access
to a range of services that are all accredited for use over the PSN network. These services can be
bought from the Framework contracts that have been negotiated by Government Procurement
Services.
Each of the DNSPs has provided a good deal of information about their approach to providing PSN
Connectivity in their bids, which can be downloaded from the GPS website above. These generic
approaches will be tailored to a greater or lesser extent to your environment.
Please Note: for those customers that are going to change their DNSP to an alternative supplier (Option
2), Vodafone (CWW) requires 30 days' notice to terminate connectivity.
3.2 Step 2 - Identify Who will need your new IP Address
You will need to identify all the parties that you exchange data with. One of the main technical
reasons for this is that, as part of the transition to PSN, you will be provided with a new
IP address, which will be allocated by the PSNA later in the transition process. As such you will
need to identify all parties that you exchange data with and identify which Government applications
you consume.
This is not just a technical issue. To get the full benefit from PSN and the Services that you can buy
from it, you will need to talk to your business users to capture their needs for data exchange. One of
the strengths of the PSN is that your data needs will be similar to those of other Customers, and therefore you
will be able to obtain ICT Services at a cost which reflects this shared use. You should check with
your business users to ensure that you have all of your partners identified. If you migrate to PSN
without ensuring that these partners have made the changes required, then transition to PSN will be
made that much more complicated. These partners may not have sophisticated technical
knowledge, so you may have to provide assistance to them to ensure that they are not cut off.
Typical Local Authorities exchange data with the following kinds of partners:
- Other Local Authorities
- Government Departments and bodies
- Commercial shared Service Providers connected to the PSN
- Emergency Services
- Criminal Justice Services
- Housing Associations
- Charities
- Community services such as churches, sports facilities
- Health Authorities and Trusts
- Schools and Educational Establishments
- Providers of services such as facilities management, waste collection.
You will need to ensure that these parties can continue to share data during and after transition. You
should identify the following attributes for each organisation that you work with:
- Identify the IP Addresses used by them and by you;
- Advise them of the detailed plans for IP address changes so that they can configure their
devices;
- Configure your firewall to ensure that this communication can continue;
- Test the transition activity; and
- Update any information sharing agreements and MOUs to reflect PSN connectivity
(especially those that are governed by GCF/GSi).
3.2.1 Key Government Applications
Local Authorities and central government departments are dependent on a number of key application
services. Many of these applications will require changes to be made to ensure that communication
is not interrupted during transition. These will typically be changes to firewalls, IP addresses and email
addresses. You will need to identify all government applications your organisation utilises and share
this information with the PSN Programme Team, who will assist in ensuring you can continue to
connect to them through your transition to PSN.
Appendix 1 contains a list of some of the key government applications that organisations utilise. The
list is by no means a complete list of all the applications in use across government and is only meant
as a guide.
3.2.2 Data Sharing Actions
- Identify the parties you exchange data with;
- Include all of them on the transition plan, including early communications, testing and
cut-over;
- Calculate IP address impacts and, if necessary, update your PSN IP Address allocation
request;
- Ensure that all staff using PSN systems are checked to the appropriate level.
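The partner inventory and IP impact calculation described in Step 2 and the Data Sharing Actions above, as an added worked example that is not part of the guidance document. All partner names, addresses (taken from the RFC 5737 documentation ranges), the legacy and PSN address ranges and the firewall rule format are constructed for illustration; the real PSN allocation comes from the PSNA application process.

```python
"""Constructed example: work out which partners and firewall rules are affected
when an authority's legacy (GCF/GSi) addresses are replaced by its PSN allocation."""
import ipaddress
from collections import defaultdict

# Constructed sample ranges (RFC 5737 documentation space), not real allocations.
OLD_RANGE = ipaddress.ip_network("198.51.100.0/28")  # hypothetical legacy GCF/GSi range
NEW_RANGE = ipaddress.ip_network("192.0.2.0/28")     # placeholder for the PSNA allocation

# Partner data flows: (partner, partner address, our address, protocol, port, agreement).
# "agreement" records what governs the data sharing, so GCF/GSi MOUs can be flagged.
FLOWS = [
    ("County Council",      "203.0.113.10", "198.51.100.3", "tcp", 443, "GCF"),
    ("Housing Association", "203.0.113.22", "198.51.100.3", "tcp", 22,  "MOU"),
    ("Housing Association", "203.0.113.22", "198.51.100.4", "tcp", 25,  "MOU"),
    ("DWP",                 "203.0.113.40", "198.51.100.5", "tcp", 443, "GSi"),
    ("Local Charity",       "203.0.113.77", "198.51.100.9", "udp", 123, "none"),
]

# Constructed firewall rule set in a simple "action proto src dst port" form.
FIREWALL_RULES = [
    "permit tcp 203.0.113.10 198.51.100.3 443",
    "permit tcp 203.0.113.22 198.51.100.3 22",
    "permit tcp 203.0.113.22 192.0.2.4 25",      # already moved to the PSN address
    "permit tcp 203.0.113.40 198.51.100.5 443",
    "permit udp 203.0.113.77 192.0.2.9 123",     # already moved to the PSN address
    "deny ip any any",
]


def remap(old_addr: str) -> str:
    """Map a legacy address to the PSN address at the same host offset.
    Keeping the offset stable makes the change list easy for partners to review."""
    old = ipaddress.ip_address(old_addr)
    if old not in OLD_RANGE:
        raise ValueError(f"{old_addr} is not in the legacy range {OLD_RANGE}")
    offset = int(old) - int(OLD_RANGE.network_address)
    return str(NEW_RANGE.network_address + offset)


def partner_change_list(flows):
    """One notice per partner: every (old, new, proto, port) they must reconfigure,
    plus whether the sharing agreement is governed by GCF/GSi and so needs updating."""
    notices = defaultdict(lambda: {"changes": [], "agreement_update": False})
    for partner, _their_ip, our_ip, proto, port, agreement in flows:
        entry = notices[partner]
        entry["changes"].append((our_ip, remap(our_ip), proto, port))
        if agreement in ("GCF", "GSi"):
            entry["agreement_update"] = True
    return dict(notices)


def addresses_required(flows):
    """How many PSN addresses the flows need, and whether the allocation covers them.
    If it does not, the IP Address allocation request must be revised."""
    needed = len({our_ip for _, _, our_ip, _, _, _ in flows})
    usable = NEW_RANGE.num_addresses - 2  # exclude network and broadcast addresses
    return needed, needed <= usable


def stale_rules(rules):
    """Pre-transition check: rules that still reference the legacy range.
    Each hit is a flow that will stop working at cut-over."""
    stale = []
    for rule in rules:
        fields = rule.split()
        for token in fields[2:4]:  # source and destination fields
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # "any" or another keyword, not an address
            if addr in OLD_RANGE:
                stale.append(rule)
                break
    return stale


if __name__ == "__main__":
    for partner, info in partner_change_list(FLOWS).items():
        print(partner, info)
    print("addresses required / allocation sufficient:", addresses_required(FLOWS))
    print("rules still on legacy addresses:", stale_rules(FIREWALL_RULES))
```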
3.2.3 Staff Security Checks
In order to use PSN, your operations staff must be accredited to an appropriate standard. An
acceptable security standard is the Baseline Personnel Security Standard (BPSS). This ensures that
all PSN users have met an acceptable level of security.
You will need to develop a plan to ensure that your staff connecting to the PSN or consuming PSN
services meet this level of accreditation in order to obtain your PSN CoCo compliance certificate.
If you handle data at IL4 or a higher level of security, then staff handling that data will continue to
require higher levels of security clearance. BPSS is adequate for up to and including IL3.
3.3 Step 3 – PSN CoCo Compliance
Before your organisation can connect to PSN, or use it to receive PSN services, you must be PSN
Compliant. To receive your PSN Compliance you will need to complete and submit a PSN CoCo and
other supporting documents to the PSNA at least 1 month prior to expiry of your current CoCo.
If you are a supplier of services you will also need to fill out a Code of Practice (CoP).
You may have experience of completing the GSi CoCo submission; the documentation required for
your PSN CoCo is similar. Detailed information on how to complete a PSN CoCo application is
available on the PSN website on the link below, or by contacting the compliance team at
psna.compliance@gsi.gov.uk
3.3.1 PSN CoCo Evaluation and Renewal Process Changes
The Evaluation and Renewal process for PSN Compliance was reviewed in April 2013 and changes
were made to streamline and increase efficiencies in the process, implement SLAs around
submission and evaluation timeframes, and implement a clear escalation path for those customers
that are late with their submission or submit incomplete or substandard paperwork. From April 2013
onwards, Reminder Notices will be sent out to all customers 3 months and 1 month prior to CoCo
expiry to remind organisations of their obligation to submit their annual CoCo submission.
To ensure you remain connected, you will need to complete and return your PSN CoCo
annually in advance of expiry. If you fail to submit the required paperwork in advance of
expiry, you will enter the escalation process and may risk disconnection. A Zero Tolerance
Approach to PSN Compliance will be enforced.
Some existing GSi customers may find that they need to undertake some security improvements in
preparation for their migration to PSN, as no Remedial Action Plans or weak compliance
positions will be imported into PSN. We are ceasing the issue of Remedial Action Plans and any
oversight of actions arising from an On-Site Assessment or IT Health Check: you will either be
assessed as 'Compliant' or 'Rejected'.
To complete your PSN CoCo submission you will need to provide the following:
- Network Diagram
- IT Health Check report (less than 6 months old at date of submission)
- PSN Code Template
- PSN Code Template Annex B
3.3.2 Network Diagram
You will need to produce a Network diagram for submission with your PSN CoCo. If possible, please
provide your Network diagram in Visio; if not Visio, then please ensure that it is readable using
one of the MS Office products.
An up-to-date Network Diagram (dated within the last 6 months) is required. This high level diagram
is not expected to include every device but is required to show the scope of the connection. The
key aspects to be included are:
- Service interactions
- Context around onward connectivity
- Any off-shoring of systems and information
- Third-party connectivity
- No more than six months old at the time you submit your PSN CoCo
The document ‘PSN IA Conditions Supporting Guidance’ provides clear guidance on what needs to
be in your network diagram and what does not. The current guidance states the following:
DIA.x Network Diagrams
Explanation:
An up to date high level/logical network diagram is fundamental to understand the connection environment.
The high level diagram is not expected to include every last device, in fact the diagram can be conceptual,
but is required to ensure that the scope of the connection is understood by the customer and anyone
carrying out a compliance check. The customer environment may be very complex with a mixture of services
being consumed; some will be PSN branded services and others locally procured or implemented. The key
aspects to be included are:
- Service interaction, so it is clear which services the organisation is consuming and whether
they are PSN or non PSN services. The outcome is to highlight where services interact or
interoperate.
- Context around onward connectivity, if the organisation has onward connections to
systems/services/networks that are either PSN or non PSN networks. Onward connections
may also include detail around where the gateway is positioned.
- Any off shoring of systems and information, including any life support/maintenance
connections.
- Third party connectivity.
Guidance:
[DIA.1] As a minimum the diagram will include: Organisational name, date of diagram, author, security
domains/environments (e.g. RESTRICTED or IL3 Domain), local connections (with approximate numbers of
users, PSN services, Non PSN Services, remote connections/access, all external and third party connections
(with names of organisations, impact levels of connection, business reason for connection and boundaries of
responsibility), location of security devices such as gateways (it is accepted that not all devices will be
included but those that the customer may wish to highlight later in the various controls should be included),
wireless network devices, infrastructure or connections that are off shored.
It is not necessary for organisations to include the details of services and equipment that has already been
accredited by the PSN, simply to show connections to them.
Where appropriate, for larger and more complex configurations, it is not expected that every connected
device, domain and critical device be shown. A realistic level of abstraction can be employed for standard
builds and configurations, to ensure clarity around connections, security domains and services.
Abstraction should be used to make the diagram simpler to produce and review. It might be appropriate to
group assets by business impact level or function. The diagram method itself is not stipulated; some
organisations may consider using the IS1 modelling methodology, others a more technical diagram.
Due to the level of detail required, this diagram may require protective marking.
[DIA.2] The customer understands that compliance with the IA Conditions allows them to use the PSN to share
information across the PSN with other PSN connected organisations and consume PSN approved services.
However customers are not permitted to expose non-PSN approved services to the PSN unless these have
been assured and offer protection to the rest of the PSN. An example might be the wider sharing of an
organisational developed service such as an HR function from one customer to other PSN connecting
customers. Any service delivery of this type will need to be in accordance with the PSN Compliance
document (Ref [a]) that places restrictions around the scale, scope and appropriateness of this type of
service delivery. Any onward services will need to be included in scope of the PSN IA Conditions submission
for assessment.
The actual assurance requirements may vary, and therefore it is recommended that any customer intending
to offer services in line with the PSN Compliance document seeks advice from the PSNA.
Please ensure your diagram clearly shows the PSN connected/consuming network aspects and
those out of scope, perhaps using a different coloured background bubble, (e.g. light green = PSN,
light yellow = out of scope.)
3.3.3 IT Health Checks
Every PSN CoCo application and every annual renewal requires you to submit an up to date (less
than 6 months old at the time you submit your CoCo) IT Health Check that has been undertaken on your
organisation. IT Health Checks are one of the most informative sources of information that the PSNA
has on PSN connected organisations and help to ensure the integrity of the entire PSN network. IT
Health Checks take time to schedule but only take a few days to complete, so we would recommend
booking the IT Health Check 3 months prior to your CoCo expiry date to ensure completion prior to
your CoCo submission date. The CESG web site (www.cesg.gov.uk) has a list of approved providers that
you can use for this service.
3.3.4 PSN Code Template
The PSN Code Template needs to be completed as part of your PSN CoCo submission. Your CEO,
SIRO or Section 151 assures the submission's accuracy and demonstrates their understanding and
commitment to the PSN Compliance regime by signing Section 4.
3.3.5 PSN Code Template Annex B
The Code Template Annex B is the body of your submission; it is where you detail your Information
Assurance (IA) controls against the PSN requirements. Annex B is a Microsoft Excel workbook, with
columns provided to allow you to record evidence. The spreadsheet contains all of the information
that every type of connecting organisation requires. If you are a typical Local Authority, then you only
need to complete the entries with the word ‘Customer’ in the ‘Applies To’ column.
Note that if a question is of type ‘Declaration’ then simply a Yes/No answer is sufficient. If it is of type
‘Inspection’ then it requires some supporting materials. If there is something that is required, but that
does not apply to you, then provide the reasons why you don’t need it. Some questions require
supporting evidence that you are / have been compliant. In the event that you are just putting in that
particular process or procedure, then you can state that it is an initial application. You have to submit
your CoCo for renewal every year, and these items will have to be completed next time round.
3.3.6 Submitting your completed Application
When you have completed all of the above, you will need to get your Chief Executive to sign your
organisation’s application before it can be submitted. We’ve asked your Chief Executive to run
through the application with you, to ensure all the necessary information has been included and so
they get an understanding of the commitments your organisation is making.
When you are both satisfied that the details are fully complete, your Chief Executive should sign
the application. You can then email all the documents and supporting information to the PSNA
Compliance team at psna.compliance@cabinet-office.gsi.gov.uk.
3.3.7 How long does it take to award my certificate?
When the PSNA receives your application it will validate all the information you have submitted. The
PSNA will confirm to you, in writing, when your organisation has successfully completed PSN
Compliance to its satisfaction. At this point you will be issued with your organisation's PSN
Compliance Certificate. Changes made to the CoCo Evaluation and Renewal Process SLAs in April
2013 will ensure that 90% of CoCo applications received will be verified and assessed within 15 days of
receipt and a Compliance outcome provided.
Once your PSN Compliance Certificate has been issued, you should contact the PSN Project Team
to discuss your detailed schedule for transition, which must occur prior to 31st March 2014. The PSN
Transition Project Team can be contacted via the PSN Mailbox at psn@cabinet-office.gsi.co.uk.
The PSN Project Team will advise you whether you will be able to get your changes done according to your
planned schedule. We will help you coordinate with central government Service Providers, such
as DWP, to assist with a smooth transition, and will help to manage the demand for PSN transition
across all public sector bodies to avoid bottlenecks.
3.4 Step 4 - PSN IP Address Application
As part of your transition to PSN, your organisation's IP addresses will need to be changed. This is due
to an issue with dual running of GCF and PSN. New IP addresses have been pre-allocated by the
PSNA for all customers based on current needs, and the allocation will be centrally managed by the
PSNA via an application process. Customers will be required to request their new IP addresses via the
IP Address Allocation Request form that can be found on the PSN Website. You will need to obtain
an appropriate number of IP addresses for your organisation.
You can apply for IP addresses with your PSN CoCo application or following receipt of your PSN
Compliance Certificate. The PSN Project Team can work with you to ensure that the relevant
connecting organisations, such as DWP, know about your changes.
3.4.1 PSN IP Address Action
Complete the application for a PSN IP address and submit the application via email to:
psna.compliance@cabinet-office.gsi.gov.uk
3.5 Step 5 - Place Connectivity Order
3.5.1 Sign Replacement Call Offs
You will need to place your connectivity order with your chosen DNSP and will need to work with
your chosen supplier to ensure your replacement call off is in place within the timeframes outlined
below
Option   | Supplier                          | Products                    | Call Off Requirements
Option 1 | Vodafone (CWW)                    | PSN Connectivity & Services | GCF Connectivity & Services Call off contract must be signed by 15th July 2013, and transition completed by 31st March 2014
Option 2 | Alternative Supplier (Connection) | PSN Connectivity            | Connectivity needs to be in place prior to 31st March 2014
         | CWW (Core Services)               | GCF Core Services           | GCF Services Call off contract must be signed by 15th July 2013
3.5.2 Book Testing / Transition Slot
Testing of PSN connectivity and transition will be managed centrally through the Cabinet Office PSN
Project team. You are able to book your proposed transition slot through the PSN mailbox at
psna.compliance@cabinet-office.gsi.gov.uk or by speaking directly with your PSN Transition Project
Manager, who will assist you with your organisation's transition to PSN.
3.6 Step 6 – PSN Connectivity Circuit Installation & Onward GCN Connectivity
Physical installation and configuration of the PSN connectivity service is the responsibility of the
Customer's chosen Connectivity Supplier. Customers should be aware of lead times of circa 50 days
from the point at which a circuit order is received. Customers should confirm with their supplier that
onward GCN connectivity is in place.
In order to retain access to GCF services, the customer will need to complete and return an RFC to
Vodafone no later than 6 weeks prior to the selected transition date. You will need your PSN IP
address to complete the RFC form.
3.7 Step 7 - Central Government & Local Partners IP Changes
The PSNA are centrally managing the allocation and distribution of IP addresses across all PSN
transitions. The PSN transition team will co-ordinate the IP address changes with those Central
Government application hosts.
3.8 Step 8 – Testing the GCF / PSN Interconnect & Transition
3.8.1 Firewall Configuration
You will be required to configure your firewall to enable the new IP address scheme and provide
connectivity to the New Service Provider.
3.8.2 Firewall Rules Set
The IA guidance sets out the recommended rule set. For ease of use the current version is below.
From               | To                            | Protocol                                        | Action | Comment
Your proxy/NAT     | PSN                           | HTTP (TCP/80), HTTP (TCP/8080), HTTPS (TCP/443) | Allow  | Enable outbound access to applications within the PSN using HTTP & HTTPS
PSN                | Your applications/Web servers | HTTP (TCP/80), HTTPS (TCP/443)                  | Allow  | Enable inbound requests from the PSN to your Web Servers/Applications
PSN                | Your mail servers             | SMTP (TCP/25)                                   | Allow  | Enable inbound email from PSN
Your mail servers  | PSN                           | SMTP (TCP/25)                                   | Allow  | Enable outbound email from your network to the PSN
Your DNS Server(s) | PSN DNS servers               | DNS (UDP/53), DNS (TCP/53)                      | Allow  | Allow queries to the PSN DNS servers
Your NTP servers   | PSN NTP Servers               | NTP (UDP/123)                                   | Allow  | Allow queries to PSN NTP servers
Any                | Any                           | Any                                             | Block  | Default rule for all other traffic.
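The rule set above is an ordered, first-match policy that relies on the final Any/Any/Any Block as its default deny; it also describes which side initiates each session, so it assumes a stateful firewall that admits replies to allowed sessions without a separate rule. The following Python encodes the table so that planned flows can be checked against it and ordering mistakes caught before the day of transition. It is an added example, not code from the PSN guidance or from the PSNA; the short zone names ("proxy", "web", "psn-dns" and so on) and the sample flows are assumptions made for illustration.

```python
"""Policy checker for the recommended PSN firewall rule set.

Added example (not part of the PSN guidance). The rules are transcribed
from the table above; the short zone names ("proxy", "web", "psn-dns", ...)
and the sample flows are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str             # zone name, or ANY
    dst: str             # zone name, or ANY
    proto: str           # "tcp", "udp", or ANY
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "block"
    comment: str

    def matches(self, src, dst, proto, port):
        return ((self.src == ANY or self.src == src)
                and (self.dst == ANY or self.dst == dst)
                and (self.proto == ANY or self.proto == proto)
                and (self.port is None or self.port == port))

    def shadows(self, other):
        """True if every flow 'other' could match is already matched by self."""
        return (self.src in (ANY, other.src) and self.dst in (ANY, other.dst)
                and self.proto in (ANY, other.proto)
                and self.port in (None, other.port))

    def is_default_block(self):
        return (self.src == ANY and self.dst == ANY and self.proto == ANY
                and self.port is None and self.action == "block")


# The IA guidance rule set, in order. The table describes session initiation;
# a stateful firewall is assumed, so replies to allowed sessions need no rule.
PSN_RULESET = [
    Rule("proxy", "psn", "tcp", 80, "allow", "outbound HTTP to PSN applications"),
    Rule("proxy", "psn", "tcp", 8080, "allow", "outbound HTTP (8080) to PSN applications"),
    Rule("proxy", "psn", "tcp", 443, "allow", "outbound HTTPS to PSN applications"),
    Rule("psn", "web", "tcp", 80, "allow", "inbound HTTP to your web servers"),
    Rule("psn", "web", "tcp", 443, "allow", "inbound HTTPS to your web servers"),
    Rule("psn", "mail", "tcp", 25, "allow", "inbound SMTP from the PSN"),
    Rule("mail", "psn", "tcp", 25, "allow", "outbound SMTP to the PSN"),
    Rule("dns", "psn-dns", "udp", 53, "allow", "DNS queries to PSN resolvers"),
    Rule("dns", "psn-dns", "tcp", 53, "allow", "DNS queries to PSN resolvers (TCP)"),
    Rule("ntp", "psn-ntp", "udp", 123, "allow", "NTP to PSN time servers"),
    Rule(ANY, ANY, ANY, None, "block", "default rule for all other traffic"),
]


def evaluate(ruleset, src, dst, proto, port):
    """First-match evaluation. Returns (action, comment).

    If nothing matches, the flow is blocked, so a rule set that has lost its
    default rule fails closed rather than open.
    """
    for rule in ruleset:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.comment
    return "block", "implicit deny: no rule matched"


def lint(ruleset):
    """Findings a reviewer would raise about the rule set as a whole."""
    findings = []
    if not ruleset or not ruleset[-1].is_default_block():
        findings.append("final rule is not Any/Any/Any Block (no default deny)")
    for i, rule in enumerate(ruleset):
        if rule.action == "allow" and rule.src == ANY and rule.dst == ANY:
            findings.append(f"rule {i}: allow from Any to Any")
        for earlier in ruleset[:i]:
            if earlier.shadows(rule):
                findings.append(f"rule {i} ({rule.comment}) is shadowed by "
                                f"an earlier rule ({earlier.comment})")
                break
    return findings


if __name__ == "__main__":
    # Sample flows (constructed): what the guidance permits, and what it does not.
    for flow in [("proxy", "psn", "tcp", 443), ("psn", "web", "tcp", 443),
                 ("psn", "web", "tcp", 8080), ("psn", "mail", "tcp", 22),
                 ("web", "psn", "tcp", 443)]:
        action, why = evaluate(PSN_RULESET, *flow)
        print(f"{flow}: {action} ({why})")
    print("lint:", lint(PSN_RULESET) or "no findings")
    # Putting the default Block first silently shadows every Allow rule.
    print("misordered:", lint(PSN_RULESET[-1:] + PSN_RULESET[:-1]))
```

Running it shows, for instance, that TCP/8080 is permitted outbound from your proxy but not inbound to your web servers, that SSH from the PSN to a mail server falls through to the default Block, and that moving the default Block to the top of the list shadows every Allow rule, which `lint` reports.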
3.8.3 Domain Name Service (DNS)
3.8.4 PSN DNS Servers
PSN will provide the primary DNS servers and resolvers for all PSN domains. The addresses of these
servers are available from the PSN Project Team on request (the actual addresses are restricted, so
including them in this document would raise its security classification). These servers act as the
primary DNS for all resolutions: requests for names outside .gov.uk are passed to the Internet root
DNS servers, and requests for other PSN-hosted domains are passed to the internal DNS servers for
those domains.
You will need to implement your own DNS resolvers (servers or proxies) which resolve requests from
your clients. These resolvers should then point to the PSN primary DNS servers. There will be
different PSN primary servers and resolvers at each impact level (IL2 and IL3).
You will need to ensure that all DNS requests from your network are directed at your local DNS
resolvers, and that all proxies point to the new servers.
3.8.5 DNS changes
As more organisations migrate there may be changes both to IP address ranges that are visible and
to the DNS servers that are used as the PSN primary resolvers by the organisation. You should use
names rather than IP addresses to refer to hosts to minimise your DNS changes.
It is important that you make a plan for the before and after state of the DNS entries that are
published in the PSN resolvers. This plan should include any publicly visible interfaces and
services (e.g. email) so that the organisation can still be found by others; it should also include the
gateway entries the organisation uses to find the primary resolvers and mail servers on PSN.
3.8.6 MX Records
The Mail eXchange (MX) records in the DNS point to the mail servers for each domain that is
subordinate to the .gov.uk domain.
Organisations should ensure that their mail servers' MX records are correctly referenced in the
primary DNS servers, and that their mail servers can reach the service provider mail servers and,
where applicable, the Internet. To check this, query the PSN primary DNS servers for your domain's
MX records, confirm that each MX target resolves to the address of the intended mail server, and
confirm that an SMTP (TCP/25) connection from those mail servers to the service provider's mail
relay succeeds.
3.8.7 DNS Actions
Identify all systems which will be impacted by the DNS changes. Develop a plan to
migrate. Develop test scripts to ensure changes are implemented correctly.
Implement DNS resolvers to point to the PSN DNS servers.
Ensure that all DNS requests from your network are directed at your local DNS
resolvers, and that all proxies point to the new servers.
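The before/after plan in 3.8.5 and the MX check in 3.8.6 can be exercised mechanically. The following Python, an added example that is not part of the PSN guidance, compares a constructed GCF (before) record set with the planned PSN (after) record set and reports addresses that are not in the allocated PSN range, names that would disappear, MX records whose target has no address record, and configuration lines that still refer to hosts by an old-range IP address rather than by name. The council domain, address ranges, records and configuration fragment are all constructed for illustration.

```python
"""Before/after DNS plan check for a PSN transition.

Added example (not part of the PSN guidance). The record sets, the council
domain, the address ranges and the configuration snippet are constructed
for illustration; substitute your own zone data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed record sets as (name, type, value). BEFORE is the GCF state,
# AFTER is what will be published in the PSN resolvers on transition day.
BEFORE = [
    ("www.example-council.gov.uk", "A", "203.0.113.10"),
    ("mail.example-council.gov.uk", "A", "203.0.113.25"),
    ("ns1.example-council.gov.uk", "A", "203.0.113.53"),
    ("example-council.gov.uk", "MX", "10 mail.example-council.gov.uk"),
]
AFTER = [
    ("www.example-council.gov.uk", "A", "198.51.100.10"),
    ("mail.example-council.gov.uk", "A", "198.51.100.25"),
    ("ns1.example-council.gov.uk", "A", "203.0.113.53"),      # missed in the re-addressing
    ("example-council.gov.uk", "MX", "10 mail.example-council.gov.uk"),
    ("example-council.gov.uk", "MX", "20 relay.example-council.gov.uk"),  # no A record
]
OLD_RANGE = ipaddress.ip_network("203.0.113.0/24")   # assumed GCF allocation
PSN_RANGE = ipaddress.ip_network("198.51.100.0/24")  # assumed PSN allocation

# A constructed proxy/firewall config fragment that refers to hosts by IP.
CONFIG = """\
upstream_dns = 203.0.113.53
smtp_relay   = mail.example-council.gov.uk
web_backend  = 203.0.113.10
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def index(records):
    """Group record values by (lower-cased name, type)."""
    by = defaultdict(list)
    for name, rtype, value in records:
        by[(name.lower().rstrip("."), rtype.upper())].append(value)
    return by


def check_plan(before, after, psn_range):
    """Return (kind, name, detail) findings for the before/after plan."""
    b, a = index(before), index(after)
    findings = []
    for (name, rtype), values in a.items():      # 1. A records must land in the PSN range
        if rtype == "A":
            for v in values:
                if ipaddress.ip_address(v) not in psn_range:
                    findings.append(("not-in-psn-range", name, v))
    for name, rtype in b:                        # 2. nothing published before may vanish
        if (name, rtype) not in a:
            findings.append(("dropped", name, rtype))
    for (name, rtype), values in a.items():      # 3. every MX target needs an A record
        if rtype == "MX":
            for v in values:
                target = v.split()[1].lower().rstrip(".")
                if (target, "A") not in a:
                    findings.append(("dangling-mx", name, target))
    return findings


def literal_ips(config_text, old_range):
    """(line number, address) for literal IPs in the old range: these should be names."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for m in IP_RE.findall(line):
            try:
                if ipaddress.ip_address(m) in old_range:
                    hits.append((lineno, m))
            except ValueError:
                continue
    return hits


if __name__ == "__main__":
    for finding in check_plan(BEFORE, AFTER, PSN_RANGE):
        print("PLAN:", *finding)
    for lineno, ip in literal_ips(CONFIG, OLD_RANGE):
        print(f"CONFIG line {lineno}: literal address {ip} in old range, use a name")
```

On the constructed data this reports the name server that was never re-addressed, the second MX whose target has no address record, and the two configuration lines that would break on transition day because they name hosts by their GCF address.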
3.8.8 Public Key Infrastructure, Encryption and Impact Levels
The PSNA will provide guidance on the necessary procedures and contacts to ensure that you are
able to meet the requirements for Public Keys, Encryption and Impact Levels.
In particular the organisation will need to identify at least two people, who will need to be civil
servants or public servants, to act as crypto custodians. They will deal with the Certificate Authority
to obtain the necessary key material (keymat) and ensure policy is followed, including compliance
with CESG IA Standard 4 and CESG IA Standard 5. Security standards, guidance and strategy, and
PKI strategy, policy and requirements are available on the PSN Website.
3.8.9 PKI, Encryption and Impact Level Actions
Contact PSNA and obtain the guidelines for working with secure data.
Identify at least two people (one main person and a backup, for example) to be the
crypto custodian. Obtain the necessary clearances for those people.
3.8.10 Internet Access and Web Services
Internet access for PSN connected organisations can be bought from the PSN services catalogue.
It is likely that most DNSPs will provide Internet access as part of their offering, but there are also
likely to be value-add offerings such as those that include Remote Access or web hosting.
3.8.11 Inter-domain and Interoperability Gateways
As mentioned above, you will need to identify all services and other organisations that you
communicate with and ensure that this communication is not interrupted by migration. As part of your
requirements gathering for your PSN procurement, you will need to identify the connection
requirements. Some of these organisations will be outside the PSN and may therefore require an
Interoperability Gateway. Others that have already migrated to PSN will require Inter-domain
gateways which will be provided by your PSN Provider.
3.8.12 GSI/GCSx Gateways (Legacy Access)
If you use GSI services you may wish to continue to use them through the PSN/GSI gateway. It is
likely that as the first few customers transition onto PSN, that this will be the case. In due course,
these services will be transitioned themselves, and they will become PSN services. Additionally, new
service providers will begin to offer competing services to those on the GSI, and you will have the
option to procure those services instead.
3.8.13 GCSx Connectivity
You should configure your environment to forward requests for DNS name resolution of GCSx-related
system names to the GCSx DNS resolvers (this is often referred to as 'conditional forwarding' or
'forward zones').
3.8.14 Gateway Actions
Identify connection requirements for third party organisations and detail gateway
requirements.
Specify gateway requirements in the PSN Order that you place with your chosen
DNSP.
3.8.15 NTP and Time Synchronisation
Government services need to work to the same time. You will need to ensure that when you migrate
to PSN, you continue to obtain an NTP service. In some cases, authorities have built their own NTP
service to address this in the past. Many authorities currently obtain the service from GSX. In
future, you will be able to obtain an NTP service from a PSN Service Provider.
3.8.16 NTP Actions
Determine your NTP solution, and ensure that it is in place and working before
commissioning the New Service Provider.
3.8.17 Voice over IP and Telephony
There are two scenarios for migration of currently contracted telephony facilities.
If you have a contract with a service provider to provide telephony services, and that
provider has a PSN accredited service, then you can buy this off the PSN framework
in future, and there is no additional work to be done.
If you have a contract with a service provider, and it is not an accredited
service, then you might be able to persuade your service provider to obtain a CoP for that
service. Once again, there is little work required by you.
If you don't want to keep your current service and plan to buy a telephony service from a new
provider once you are on the PSN, then you can buy from any accredited telephony service provider.
These service providers are listed on the PSN web site.
If you own and manage your own equipment and wish to connect it to the PSN, then
you will be required to have that equipment accredited by the PSN. Please contact the PSN Project
Team for assistance with this aspect.
In the event that you are moving to new telephone numbers, then this will have to be designed and
communicated widely. Any key numbers that are published to the public or third party services need
to be carefully managed and either forwarded or handled by a termination or call handling service.
3.8.18 Voice over IP and Telephony Actions
Develop a migration plan for telephony service which ensures that any PSN
connected services are PSN Accredited.
Identify key numbers which need to be migrated and develop a communications plan
for changes.
3.8.19 Pre Transition Testing
It is your responsibility to start testing no later than 2 weeks prior to transition. For testing to occur,
your RFC will need to have been completed by Vodafone and your PSN circuit installed. Testing must
cover the following:
End to End Connectivity between Local Authority and your PSN circuit provider:
  o Ping your gateway from the Internal LAN
  o Ping PSN DNS Servers
  o Ping a test address provided by the PSNA
  o Test DNS resolution using nslookup
Secure Mail Relay Testing
Central Govt applications
3.8.19.1 Testing Actions
Request a PSN test email domain on Vodafone RFC
Configure access from stand alone machine to Secure Mail Relay based on
Vodafone provided instructions
Develop a test plan for each area of your PSN transition. Provide test scripts to the
New Service Providers.
Manage the execution of the tests and sign-off as appropriate.
3.8.20 Day of Transition Testing
Once you have made full network changes on your transition day, then you must test the following:
End to End Connectivity between Local Authority and your PSN circuit provider:
  o Ping your gateway from the Internal LAN
  o Ping PSN DNS Servers
  o Ping a test address provided by the PSNA
  o Test DNS resolution using nslookup
Secure Mail Relay Testing
Central Govt applications
Please refer to PSN GCF Transition IL2 Inter-Connect Test Plan for further detail
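The checks in 3.8.19 and 3.8.20 are the same list run before transition and again on the day, so they are worth scripting once and re-running. The following Python is an added example, not the PSNA's test plan or any tool it supplies: it drives the system ping and nslookup commands (Linux output format assumed), checks that the Secure Mail Relay answers with an SMTP 220 greeting, and reports pass/fail per check. The gateway, PSN DNS, PSNA test and relay addresses are placeholders from the TEST-NET ranges; the real values are restricted and come from the PSN Project Team and Vodafone.

```python
"""Runner for the pre-transition and day-of-transition connectivity checks.

Added example (not part of the PSN guidance). The gateway, PSN DNS server,
PSNA test and mail relay addresses below are placeholders: the real values
are restricted and must be obtained from the PSN Project Team and Vodafone.
Linux ping flags and nslookup output format are assumed.
"""
import socket
import subprocess


def ping(host, timeout_s=3):
    """One ICMP echo request via the system ping binary; False if unreachable."""
    try:
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                           timeout=timeout_s + 2)
        return r.returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False


def parse_nslookup(output):
    """Answer addresses from nslookup output, ignoring the Server/Address header."""
    addrs, in_answer = [], False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        elif in_answer and line.startswith("Address"):
            addrs.append(line.split(":", 1)[1].strip().split("#")[0])
    return addrs


def nslookup(name, resolver, timeout_s=10):
    """Resolve 'name' against a specific resolver, as the test plan asks for."""
    try:
        r = subprocess.run(["nslookup", name, resolver], capture_output=True,
                           text=True, timeout=timeout_s)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return parse_nslookup(r.stdout)


def smtp_banner(host, port=25, timeout_s=5):
    """The 220 greeting from a mail relay, or None if the connection fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s) as s:
            banner = s.recv(512).decode("ascii", "replace").strip()
    except OSError:
        return None
    return banner if banner.startswith("220") else None


def build_checklist(gateway, psn_dns, psna_test_addr, test_name, mail_relay):
    """The checks listed in 3.8.19/3.8.20 as (description, callable) pairs."""
    checks = [("Ping gateway from the internal LAN", lambda: ping(gateway))]
    for d in psn_dns:
        checks.append((f"Ping PSN DNS server {d}", lambda d=d: ping(d)))
    checks.append(("Ping PSNA test address", lambda: ping(psna_test_addr)))
    for d in psn_dns:
        checks.append((f"Resolve {test_name} via {d}",
                       lambda d=d: bool(nslookup(test_name, d))))
    checks.append(("Secure Mail Relay greets with 220",
                   lambda: smtp_banner(mail_relay) is not None))
    return checks


def run_checklist(checks):
    """Run each check, treating exceptions as failures. Returns [(description, passed)]."""
    results = []
    for desc, fn in checks:
        try:
            ok = bool(fn())
        except Exception:
            ok = False
        results.append((desc, ok))
    return results


def all_passed(results):
    return bool(results) and all(ok for _, ok in results)


if __name__ == "__main__":
    # Placeholder values (TEST-NET addresses); replace with the real ones.
    checks = build_checklist("192.0.2.1", ["192.0.2.53", "192.0.2.54"],
                             "192.0.2.100", "www.example-council.gov.uk", "192.0.2.25")
    results = run_checklist(checks)
    for desc, ok in results:
        print(f"[{'PASS' if ok else 'FAIL'}] {desc}")
    print("READY FOR TRANSITION" if all_passed(results)
          else "NOT READY: fix failures before the transition slot")
```

Keep the output of the pre-transition run alongside the day-of-transition run; a check that passed two weeks earlier and fails on the day points at the network change itself rather than at the circuit or the RFC.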
3.9 Step 9 – Cease Order
We would advise placing a Cease Order with Vodafone for your GCF circuit 2 days after your
transition. This may not apply to some customers that use an aggregate connection, as that cease
cannot be completed until the last partner organisation has transitioned.
4. References, contacts, useful reading and web resources
The PSN Project Team points of contact are:
Karen Cleale
Email: Karen.Cleale@cabinet-office.gsi.gov.uk
Stephen Hoban (Local Authorities)
Email: Stephen.Hoban@cabinet-office.gsi.gov.uk
Conan Gibney (Local Authorities)
Email: Conan.Gibney@cabinet-office.gsi.gov.uk
Iain Attree (Central Government)
Email: Iain.Attree@cabinet-office.gsi.gov.uk
The PSN Website is the authoritative site where the original source documents for the PSN are
found:
http://www.cabinetoffice.gov.uk/content/public-services-network and
http://www.cabinetoffice.gov.uk/resource-library/public-services-network
5. Appendix 1 – Example List of Applications
Name
DWP Customer Information System (CIS)
LAID/LACI
DTA
ETD/LAWS
ATLAS
CIS Prompts (Effectively subsumed by ATLAS)
i-Works
Data MSHBEatching
HB/CTB Interest Maintenance
Benefit Cap
HBCS/ HBSDC
JARD (Joint Asset Recovery Database)
Libra (Libra.lcd.gsi.gov.uk; Libra-cms.lcd.gsi.gov.uk; Libra-infonet.lcd.gsi.gov.uk)
TellUsOnce
NHS Spine Application Portal
NHS Intranet Homepage
SWIFT
Blue Badge
Activa
ePIMS
NCRS Reliable messaging (NHS)
NCRS ETP (NHS)
Choose and Book (NHS)
Webmail (NHS)
Directory updates (NHS)
NHS websites (NHS)
TPP Systm1
Government Gateway EAS Service (http://www.gateway.gsi.gov.uk/)
Government Gateway EAS Service - Registration Authority Page (https://ra.gateway.gsi.gov.uk/SSMS/en)
LoCTA Service
CESG IA Policy Portfolio
Sunguard Aspiren Service (sftp.aspiren.gse.gov.uk)
National Resilience Extranet (NRE) https://www.resilience-extranet.gse.gov.uk
Free School Meals Eligibility Checking
Free School Meals Eligibility Checking (Web Service)
Electronic Property Information Mapping Service (e-PIMS)
Secure Bulk File Transfer (Data Transport Appliance)
Paymaster (Xafinity) (GSI)
CJX online. National Roads Policing intelligence Forum (PNN)
Passport Office - Omnibase (GSI)
Name
West Lothian eCare (GSX)
PLOD (PNN)
Home Office web services (GSI)
Tachonet (TESTA)
ePayfact (GSE)
DVLA DRP (GSI)
CASWEB (PNN)
TESTA
Government Gateway (GSi)
Knowledge Network (GSI)
Lothian and Borders Police (PNN)
Cabinet Office – Security Matters web site
Group Web Space (GSI)
Dept. of Health (DOH)
Epayfact
Epayfact
Epayfact
Bank of England
Dept. of Trade & Industry
GSI1
Banner Online
Epayfact
e-Government Unit (eGU)
Scottish Criminal Records Office (SCRO) CJX
SCRO CJX
CJX Scottish Police Information Site (SPIS)
CJX Scottish Drugs Enforcement Agency (SDEA)
www.gsi.gov.uk
Epayfact
www.gsi.gov.uk
HM Court Service (HMCS) Public & Intranet Sites
Cable & Wireless Hosting
CJX Police
CJX GENESIS
CJX Police
Epayfact
CJX Online
RedDot Content Management System
Eplanner
statutelawdatabase.dca.gse.gov.uk
Message broker
PLOD
DCA hosting
Name
Epayfact
Testa II
Knowledge Network
Buying Solutions website
Forensic Science CJX
eGU RSA
CJX Police
CJX Customer
Police Information Technology Organisation (PITO)
Knowledge Networks
DCA Hosting
NOMS (Hendon)
Testa II
Knowledge Network
Inverclyde Council (GSX)
Airwave (CJX)
VISOR (PNN) CONFIDENTIAL
File & Print Services
Health - IA Client and smartcard enabled devices
IAPTUS
EDRMS
OfficeBase
In house financial system - such as Cambridgeshire 'CRIP'
Legacy email and file storage
Epex Clinical System
IPM
SCR – Summary Care Record
Choose & Book
SBS Financials
Caretrack - Continuing Healthcare system
CommCare - Continuing Healthcare system
SQL Server - Datawarehouse
SQL Server Reporting Services
Combined Predictive Modelling
Housing Benefit Applications
Payroll
Shared CRM across two LAs
National Non Domestic Rates Service
Traffic Management Database