How To Build A Network Security Network







Full text


Project Security

Prog. Director Mark Ferrar Status Approved

Owner James Wood Version 1.0

Author Mike Farrell Version Date 18/09/2009

Local Area Network Security

Good Practice Guideline


Amendment History:

Version Date Amendment History

0.1 02/08/2006 First draft for comment

0.2 15/09/2006 Second draft including comments and amendments 0.3 26/10/2006 Third draft including comments and amendments 0.4 19/03/2007 Fourth draft to place document in new template 0.5 16/06/2009 Document refreshed.

0.6 01/07/2009 Incorporating changes suggested by CfH Infrastructure Security Team 0.7 09/07/2009 Incorporating changes suggested by Matt Ballinger

1.0 18/09/2009 Incorporating changes suggested by James Wood. Approved for issue

Forecast Changes:

Anticipated Change When

Annual Review Nov 2010


This document must be reviewed by the following:

Name Signature Title / Responsibility Date Version

Infrastructure Security Team


Matt Ballinger Deployment Support Officer - Technology Office



This document must be approved by the following: <author to indicate approvers>

Name Signature Title / Responsibility Date Version

James Wood Head of IT Security 1.0


NHS Connecting for Health Information Governance Website


Document Status:

This is a controlled document.

Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents:

These documents will provide additional information.

Ref no Doc Reference Number Title Version

1 NPFIT-SHR-QMS-PRP-0015.13 Glossary of Terms Consolidated.doc 13 2 NPFIT-FNT-TO-INFR-SEC-0001 Glossary of Security Terms 1

Glossary of Terms:

List any new terms created in this document. Mail the NPO Quality Manager to have these included in the master glossary above [1].



1 About this Document ... 5

1.1 Purpose ... 5 1.2 Audience ... 5 1.3 Content ... 5 1.4 Disclaimer ... 6 2 Introduction ... 7 2.1 Background ... 7

3 Overview of Local Area Networks ... 8

3.1 Network Access Protection (NAP) ... 8

3.2 Network Admission Control (NAC) ... 9

3.3 802.1x Port-based Access Control ... 9

3.4 Quality of Service (QoS) ... 10

4 Key Aspects of a Local Area Network Infrastructure ... 11

4.1 A Modular and Layered Network Topology ... 11

4.2 Resilience and Redundancy ... 11

4.3 Security ... 11

4.4 Intelligent Services ... 12

4.5 Management ... 12

5 The Hierarchical Modular Layered Network Model ... 13

5.1 Access Layer Recommendations ... 15

5.2 Core and Distribution Layer Recommendations ... 16

5.3 Server Layer Recommendations ... 17

6 Network Infrastructure Availability ... 18

6.1 Physical Resilience and redundancy ... 18

6.2 Equipment Level Redundancy ... 18

6.3 Software resilience and redundancy... 19

7 Security Policy Management ... 21

8 Wide Area Network Link Considerations ... 22


1 About this Document

1.1 Purpose

The purpose of this guide is to address the major challenges associated with creating and maintaining secure Local Area Networks (LANs) connected to the New NHS Network (N3) or other network infrastructures such as Community of Interest Networks (CoINs), partner networks, or the Internet.

The following information covers all environments anticipated to interact with the NHS Care Records Service (NCRS). It includes information on suitable measures and controls for the most secure solutions that are in conformance with the Information Governance Statement of Compliance (IGSoC). It is however recommended that a full assessment of both threat and impact levels of potential security breaches be performed. This should incorporate partnering networks, including N3, in line with the ‘electronic Government Interoperability Framework’ ( e-GIF) recommendations.1

The information contained in this document should be used as an informed assessment of technologies that support LAN security. However it is the sole responsibility of network owners to ensure that any LAN solutions that they deploy are sufficiently secure to fully satisfy their own risk assessment.

1.2 Audience

This document has been written for readers who have a good level of experience and familiarity with firewalls, switches, routers and secure local area networking practices.

1.3 Content

This document comprises this following sections / topics: - • Introduction

• Overview of Local Area Networks

• Key aspects of a Local Area Network Infrastructure • The Hierarchical Modular Layered Network Model • Network Infrastructure Availability

• Security Policy Management

• Wide Area Network Link Considerations • Environmental Factors


See the GovTalk Schemas and Standards Website:


1.4 Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by National Health Service Connecting for Health (NHS CFH). The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document and/or relying on or using any system implemented based upon information contained in this document should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes.

This means that changes implemented following this guidance are done so at the implementers’ risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.


2 Introduction

The following information provides a knowledge-based framework that will help maintain good practice values within an organisation. The guidance within this document is written to reflect good practice, and, by following it, some of the consequences of non-compliance should be avoided.

The reader will find good practice guidance for the design and use of Local Area Networks within a network infrastructure. This includes: -

• Minimum standards for LAN Security.

• The methods by which a LAN infrastructure can be supported efficiently and safely.

• Guidance to ensure maximum network uptime and reliability.

• Procedures and mechanisms for the control of access to LANs in an NHS or other healthcare environment.

2.1 Background

N3 is a private Wide Area Network (WAN) and access is therefore strictly limited to authorised endpoints. Any organisation wishing to connect to N3 is responsible for ensuring that their N3 connection does not compromise the security measures already in place within the WAN.

N3 is a private network accommodating thousands of PCs, servers, printers and other items of equipment all acting as the nodes or endpoints within the network. The confidentiality of sensitive information transmitted unencrypted within N3 is not assured. However all National Applications encrypt data using Transport Layer Security (TLS)2

N3 faces numerous potential threats to security, possibly from inadequately protected partner networks, or connections to uncontrolled external networks such as the Internet. These threats are continually evolving in both strength and frequency. Therefore ongoing vigilance against these threats, and the maintenance of strict security standards, are essential to the continuing success of N3.

or an equivalent security standard. It is therefore advisable that the appropriate measures are taken with existing systems to ensure that sensitive data is secure before connecting to N3.



3 Overview of Local Area Networks

A LAN is a network of computers and other components located relatively close together in a limited area. LANs operate at layer-2 of the Open Systems Interconnect (OSI) model, and can vary widely in size. They can consist of only two computers in a home office or small business, or include hundreds of computers in a large corporate or healthcare environment.

Various LAN types are available, such as Ethernet, Token Ring, ARC Net and FDDI. The Ethernet-based technologies are by far the most prevalent within the modern network. This is partly due to the low cost of the technology, coupled with the performance it offers, and the general ease of deployment and maintenance in comparison to some of the legacy technologies.

The guidance within this document covers good practice for implementing LANs comprising multiple layers and components. All organisations should endeavour to apply the generic good practice detailed in Sections 2, 3, 6 and 8 of this document. The information in Sections 4 and 5 is aimed at larger infrastructures, and is therefore broken down into distinct network layers or components. Smaller organisations, such as GP Surgeries and Clinics, may find that only the guidance within the ‘Access Layer’ and ‘Server Layer’ sections apply to their network infrastructure.

3.1 Network Access Protection (NAP)

Network Access Protection3

NAP allows the creation of customised health policies to validate computer health before allowing access or communication. Automatic update of non-compliant computers is used to ensure ongoing compliance, with optional confinement of non-compliant computers to a restricted network until they become non-compliant.

(NAP) is a policy enforcement platform, built into the Microsoft Windows Vista, forthcoming Windows 7 and Windows Server 2008 operating systems, which allows an organisation to better protect network assets, by enforcing compliance with system health requirements.

Administrators can configure Internet Protocol Security (IPSec) enforcement, IEEE 802.1X enforcement, virtual private network (VPN) enforcement, Dynamic Host Configuration Protocol (DHCP) enforcement, or all four, depending on their network needs.



3.2 Network Admission Control (NAC)

A Network Admission Control (NAC) solution compares the security state of a device, which is attempting to connect to a network, to a set of policy attributes that define what security conditions must be met to allow network access. The scope of a NAC solution must encompass external and internal network connections by managed and unmanaged devices.

Examples of unmanaged devices include ‘rogue’ systems and servers that are deployed outside central Information Technology (IT) management control, in addition to contractor PCs and employees' home machines. The NAC solution should cover the following network connection scenarios:

• VPN —IPsec and Secure Sockets Layer (SSL) • LAN — wired and wireless connectivity

• Dial-in via remote access servers

Any NAC solution should ensure that when a system does not meet the criteria of the policy controls, it is added to a quarantine network and remedial action is taken. This could include the application of patches and anti-x updates,4

The quarantine network should be separate from the rest of the internal infrastructure, and should be connected to a firewall with a restrictive access policy. The quarantine network should only allow the minimum access required to apply patches and updates from the centralised management servers.

or simply the restriction of device access to other parts of the network infrastructure.

3.3 802.1x Port-based Access Control

IEEE 802.1X5 is a standard for port-based Network Access Control and is part of the IEEE 802.1 group of protocols. It provides authentication to devices attached to LAN ports, establishing a point-to-point connection or preventing further access from that port if authentication fails. It is based on the Extensible Authentication Protocol (EAP).6

802.1X functionality is available on enterprise grade network switches from most vendors, and can be configured to authenticate host systems that are equipped with supplicant software, denying unauthorized access to the network at the data link layer. This means that only 802.1x frames can be transmitted through the switch port, and all other data frames are dropped until the connection is successfully authenticated.


Anti-X refers to the anti-virus, anti-spyware, anti-spam and anti-phishing solutions. 5



This 802.1x authentication can be bound to a number of authentication services, such as Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS) service or Lightweight Directory Access Protocol (LDAP) directory of the organisation.

3.4 Quality of Service (QoS)

Quality of Service (QoS) is a traffic engineering term, which is based on the concept that transmission rates, error rates and other characteristics can be measured, improved and guaranteed prior to transmission. The application of QoS functionality is often a requirement for the use of Voice over IP (VoIP), Video Streaming and other protocols sensitive to latency, jitter and timing issues.

The use of QoS is particularly important for production and ‘non-stop’ networks, as it provides predictive performance and availability. This functionality can be useful for providing assured access to clinical applications during all network conditions. For example during busy periods during the working day, such as lunchtime, or extended periods of high throughput resulting from network based data backup.

The N3 QoS architecture7


is outside the scope of this document.


4 Key Aspects of a Local Area Network Infrastructure

The key aspects of a secure and robust network infrastructure design are described in the following subsections.

4.1 A Modular and Layered Network Topology

The benefits of a modular approach to network design are: - • Improved scalability with deterministic service delivery. • Reduced operational costs.

• Ease of maintenance.

A modular approach also allows the allocation of network services to specific modules of the network infrastructure, enabling organisations to focus their network infrastructure expenditure where most appropriate.

4.2 Resilience and Redundancy

There is increasing reliance on distributed IT based solutions within the NHS for the delivery of clinical care. The availability of clinical applications can have a direct impact on patient care and safety.

The importance of minimising all single points of failure within cable plant, power systems, environmental and network infrastructure equipment is discussed in terms of expenditure against risk, or cost and benefit realisation. Recommendations for network level protocol design good practice, specifically for optimising network convergence times under failure conditions, are also provided.

4.3 Security

A layered approach to security is recommended. This approach provides a defence in depth posture, which reduces the scope of any security breaches. The recommendations will also assist organisations in meeting the Department of Health Information Governance (IG) requirements for the protection of Person Identifiable Data (PID) whilst in transit, and the requirements of the Confidentiality NHS Code of Practice.8



4.4 Intelligent Services

The networking industry has converged on standard processes for creating quality of service policies for enforcement by network infrastructure devices. An organisation’s investment in a network infrastructure can be maximised through the use of these network based intelligent services, whilst ensuring that the shared resources are allocated according to the organisation’s business requirements.

4.5 Management

Increasing the intelligence of a device generally increases its complexity. To reduce the complexity of management, suitable tools are required for device management, fault diagnosis, device configuration, performance management, and to aid with the relatively complex tasks of deploying consistent network-wide QoS and security policies.


5 The Hierarchical Modular Layered Network Model

This model uses a layered architecture of distinct modules or building blocks, with each layer responsible for a specific role in the support of the end-to-end delivery of information. The benefits of a layered architecture are: -

• Scalability.

• Ease of implementation. • Ease of troubleshooting. • Predictability.

• Manageability.

Each of the layers supports distinct functionality or requirements. Layers can be added to the model to support additional functionality. As an example, an Internet or public access layer can be added to complement an existing layered infrastructure. The hierarchical network design model is comprised of four basic layers: -

Core Layer: This provides high-speed IP connectivity between the distribution, access and server layer LAN switches via two or more high availability core switches.

Distribution Layer: This layer is where elements such as security and QoS policies are enforced to control how the network will service individual information flows. This layer can be a physically separate layer of switches, or a logical layer located within the core switches. This will be dependent on the size of an organisation’s network infrastructure.

Access Layer: This layer provides connectivity for systems such as end user workstations and printers. The access layer enforces admission and control policies, and provides the logical segmentation of devices into groups – Virtual LANs (VLANs) – which share common functional requirements. The access layer also provides a ‘trust’ boundary where application traffic can be identified and classified for appropriate servicing by the distribution and core layers.

Server Layer/Module: This layer provides high-performance connectivity and resilience, and secures access to the application servers. The server module is distinct from an access layer module because of the differing requirements between user and server connectivity. For example, availability is much more of an issue within the server module than typically within access modules supporting general network users.


Fig 1 below shows the recommended modular design for larger organisations. Distribution Layer Distribution Layer Distribution Layer Core Layer Core Layer Core Layer Server Layer Server Layer Server Layer Access Layer Access Layer Access Layer Si Si SiSi Si Si SiSi SiSi SiSi Si Si Si Si Server Module

Connectivity Module Connectivity Module

Fig 1 - Modular Design for Larger Organisations

Larger organisations are typified by a combination of a large numbers of users, and many buildings and departments within a large campus or geographically dispersed campus sites.

Access layer switches should be connected with dual up-links to separate distribution layer switches, providing resilience against link or distribution switch failure. Distribution switches should be deployed in pairs, in order to provide resilient paths to different core switches. The core layer should consist of inter-connected high availability switches, to provide resilience against any single core layer link or switch failure.

The use of modules within the network architecture enables additions, moves and changes to be less disruptive and more deterministic. It creates a coalition between the connectivity requirements of the organisation and the infrastructure bandwidth required to support that connectivity. As the network connectivity requirements increase, additional connectivity modules can be added to the infrastructure, scaling the bandwidth in line with connectivity growth. It also modularises a large infrastructure into smaller domains, aiding fault diagnosis and fault containment.


Fig 2 below shows the recommended modular design for small and medium sized organisations. This design collapses the core and distribution layers into an aggregate layer more suited to smaller user populations, fewer buildings and departments and smaller campuses.

Collapsed Distribution and Core Layers

Collapsed Distribution

Collapsed Distribution

and Core Layers

and Core Layers

Server Layer Server Layer Server Layer Access Layer Access Layer Access Layer Si Si SiSi

Fig 2 - Modular Design for Small and Medium Sized Organisations

As connectivity modules are added to the small / medium size design, it naturally scales into a larger design when a physically separate layer of distribution switches are implemented. The functionality provided by the distribution layer is then migrated from the core switches onto the physically separate distribution layer switches.

5.1 Access Layer Recommendations

• Physical locations and wiring closets for active equipment deployment should be physically secured against unauthorised access.

• The network devices should support 10/100Mb switched Ethernet connectivity, with 10/100/1000Mb switched Ethernet being desirable.

• Equipment level redundancy and redundant / backup power should be provided to access layer devices that are supporting critical clinical areas and users.


• The network devices should support the provisioning of 802.3af Power over Ethernet (PoE).9

• The access layer should use at least two resiliently configured fibre or copper uplink trunk connections to two separate distribution / core layer locations. • The access layer should provide the ‘organisational boundary’ for the

classification / marking of application traffic for subsequent prioritisation and scheduling across the organisation’s network infrastructure.

• The network devices should support intelligent security services and features to help maintain the confidentiality of PID whilst in transit.

• The network devices should support intelligent security services and features to help mitigate unauthorised connections to the network infrastructure.

• The access layer should include comprehensive management tools for device, fault and performance management. In particular the tools should support network-wide software and configuration updates, and network-wide deployment of QoS and security policies.

• The network devices should support secure management protocols such as Hypertext Transfer Protocol Secure (HTTPS), Simple Network Management Protocol Version 3 (SNMPv3), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH).

5.2 Core and Distribution Layer Recommendations

• The Core and Distribution layers should support Ethernet connectivity at speeds up to 1Gbps, with 10Gbps being desirable.

• Distribution and Core inter-switch links should be a minimum speed of 1Gbps. • Core / Distribution Layer inter-switch links (trunks) should be logically bundled

for additional resilience and performance. It is preferable to utilise bundling and channelling technologies that are transparent to the link and network layer protocols.

• Links or trunks between core and distribution switches should be controlled by a layer 3 routing protocol.

• The Layer 3 protocol controlling network convergence should be tailored to minimise failover times, and hence minimise application interruption.

• The Distribution layer should provide the capability to enforce the organisational QoS policy through intelligent queuing, scheduling and congestion avoidance mechanisms.

• The Distribution layer should support intelligent security services and features to help maintain the confidentiality of PID whilst in transit.



• The Distribution layer should support intelligent security services and features to help mitigate against unauthorised connections to the Network Infrastructure.

• The Core and Distribution layers should provide comprehensive management tools for device, fault and performance management. Specifically the tools should support network-wide software and configuration updates, and network-wide deployment of Quality of Service and security policies.

• The Core and distribution layer should support secure management protocols such as HTTPS, SNMPv3, SFTP and SSHv2.

5.3 Server Layer Recommendations

The availability of Server resources is often critical to large organisations, and the design of the server layer should therefore reflect the higher level of resilience and performance that is required.

It is recommended that: -

• The Server layer should support 1Gbps Ethernet connectivity. It is desirable that the infrastructure offers support for 10Gbps Ethernet where possible. • The infrastructure should utilise equipment level redundancy, and offer

redundant or backup power services.

• Support should be provided for dual attaching servers. Note this may not be possible with some operating systems and some applications, therefore dialogue with server and application suppliers is essential.

• The server layer should utilise dual uplink connections to the Core layer.

• The server layer should provide the organisational boundary for application traffic, and should support the capability to classify and mark application traffic for subsequent prioritisation.

• Intelligent security services and features should be provided to help maintain the confidentiality of PID whilst in transit.

• Intelligent security services and features should be utilised to help mitigate against unauthorised connections to the Network Infrastructure.

• Comprehensive management tools for device, fault and performance management should support the server layer. In particular the tools should support network-wide software and configuration updates, and network-wide updates for QoS and security policies.

• The Server layer should support secure management protocols such as HTTPS, SNMPv3, SFTP and SSHv2.


6 Network Infrastructure Availability

High availability can be achieved by the use of a well-designed network infrastructure to support the enforcement of a strong security policy, and the implementation of resilience and redundancy features within the network infrastructure components. The resilience features can be grouped into two basic categories – Physical resilience and Software resilience.

The supporting infrastructure, cable plant, physical environment and active component all fall into the physical category. Network control plane features, such as layer two and layer three routing protocols, DHCP, and Domain Name System (DNS) services fall into the software category.

6.1 Physical Resilience and redundancy

It is essential that fundamental knowledge of the physical layout of the network is known and documented. Node points for the Core and Distribution elements of the network should be identified, in addition to wiring closet locations for distribution to network endpoints.

It is recommended that multi-core single mode fibre-optic cable is used between core layer switch sites, and between uplinks from wiring closets to distribution layer / core layer switches, as a minimum standard.

Distances between network locations should be determined before laying cables - both for fibre-optic cabling and structured copper wiring. The measured distance for fibre optic cabling may dictate the mode of cable used, whilst structured copper wiring has a fixed maximum distance.

• It is recommended that fibre-optic cable connecting Core layer infrastructure components should be laid within diverse routing paths. Such connections may be bundled together to create aggregated links.

• It is recommended that cables are laid from wiring closets to a minimum of two distribution / core layer switch locations.

6.2 Equipment Level Redundancy


The provision of redundant or load sharing equipment in a network is a trade off between budget constraints and pragmatism over the likelihood of an outage. The financial impact of such measures has often dictated that specific areas of the network are prioritised for redundancy. However as the IP network becomes the single vehicle for delivery of local and national healthcare applications, greater emphasis should be placed upon providing heightened levels of redundancy across the whole of the network infrastructure.



• It is recommended that the organisation’s network infrastructure should have two or more core switch node locations. Each wiring closet / Distribution layer switch should have at least two uplinks to separate Core / Distribution layer switches.

• Core switches should be deployed with redundant management engines, switching fabrics and power supplies. Where there is a heightened level of dependency on one core switch, e.g. where cable plant restrictions result in distribution / wiring closet uplinks being terminated by a single core switch, the distribution of the uplinks across separate line cards within the core switch should be considered essential.

• It is recommended that where a single chassis is utilised in the wiring closets, the uplinks are distributed across line cards within the chassis in order to decrease the risk of an outage in the event of a failure of any one card in the chassis.

• It is recommended that where stackable switches are used in the wiring closets, these should be stacked together to create a single logical access layer switch. This should be achieved either through the uplink ports or optimally via dedicated bus connections if available. The uplinks from the switch stack to core / distribution node locations should be via separate switches in the stack wherever possible.

• Where stackable switches are used, the insertion and removal of switches in the stack without disruption to network traffic is desirable.

6.3 Software resilience and redundancy

Software features within the infrastructure devices to converge around physical failures perform a vital role in ensuring an application’s availability. For example, the capability to create one logical link from two or more physical links, and “hide” individual link failures from higher layer networking protocols, enables the infrastructure to re-route traffic around link failures transparently to the end user / application.

The use of layer three routing protocols enables a more scalable approach to alternative path switching around failures. When considering the choice of Layer 3 routing protocol, flexibility, convergence capabilities, and scalability should be considered. Link state protocols, such as Open Shortest Path First (OSPF)11 and Intermediate System-to-Intermediate System (IS-IS),12

Both OSPF and IS-IS offer enhanced security features. Passwords can be set to prevent unauthorized routers from forming adjacencies with routers in the network, and MD5 Authentication is an option.

are the preferred options. OSPF is found to be the most common protocol in use and has the added advantage of being an accepted industry standard suitable for multi-vendor networks.




Some vendors support proprietary layer 3 routing protocols such as Cisco’s Enhanced Interior Gateway Routing Protocol (EIGRP),13

At the layer 3 / layer 2 boundaries, a first-hop routing protocol should be used to provide a virtual default gateway. The standards based first-hop routing protocol is Virtual Router Redundancy Protocol (VRRP).

which are often less complex and are able to provide faster convergence times. These protocols should only be considered for single vendor networks or if the vendor also provides layer 3 routing protocol intercommunication capabilities. This is usually achieved through route re-distribution between the layer three routing protocols. The transfer of routing information between routing processes should be treated as an autonomous boundary point in terms of security posture. For example, route re-distribution should be secured against unauthorised route injection and spoofing.


Whilst Layer 3 is recommended for the network core, it may be necessary for Layer 2 traffic to traverse the network to support legacy non-routable protocols. Whilst some vendors have introduced their own proprietary enhancements to the Spanning Tree Protocol (STP),

Vendors who provide proprietary first-hop routing protocols can provide enhancements such as awareness of upstream network events and active / active uplinks concurrently. Vendor proprietary solutions should only be considered where the first hop routing protocol is intended to be utilised between devices from a single vendor that are performing the virtual default gateway function.


there are two standards based enhancements to STP available: -

• The IEEE 802.1s standard allows several VLANs to be mapped to a reduced number of spanning-tree instances.

• The IEEE 802.1w standard provides the mechanisms to allow faster spanning tree convergence after a topology change.

13 14 15


7 Security Policy Management

The security posture of a network has a significant impact on the availability of that network infrastructure. A malicious worm or virus outbreak has the potential to consume all available resources, starving legitimate clinical applications of bandwidth and processing power. The effect to the end user is a lack of availability. Policy management tools are required to create and implement an organisational security policy in a consistent manner. The tools should additionally be capable of proactive monitoring, the correlation of generated events and the ability to generate notifications and intelligent responses to those events. For example, the appropriate action for intrusion attempts that are stopped at the perimeter is generally to simply log the event, whereas intrusion attempts that are arriving on servers require further investigation. The number of events generated can be significant, to the extent of becoming impractical for events to be processed by human analysis alone. Policy management tools should therefore support automated processes for the filtering and prioritising of events.

Network infrastructure devices should be capable of actively participating in the security policy in terms of access authorisation, legitimate usage, audit and accounting.

• All security events should be logged and assessed against the security policy for appropriate action.

• The use of active monitoring and auto-processing of events is highly recommended, especially where behavioural based anti-virus software for end user workstations is deployed.

• It is recommended that organisations deploy network based Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs), and utilise behavioural based anti-virus technologies on end systems

• It is recommended that organisations deploy centralised anti-virus and patch management systems to enable better management, control and reporting. • It is recommended that security management tools are used to manage all

security devices and processes within the network. It is desirable that event correlation and analysis from multiple sources is supported by the security management platform.

The Antivirus and Malware Good Practice Guideline16 provides further information on good practice applicable to these technologies.



8 Wide Area Network Link Considerations

Where NHS organisations have a responsibility to facilitate connections to other sites, either within their organisation or as connections to 3rd Parties, there are further considerations. Though these are mostly variations of the descriptions above. An additional consideration is back-up circuits. These could be either lower speed back up lines or identical N3 access links that are load balanced. If a lower speed backup service is chosen, the effect on applications during the back-up period should be carefully considered.

• It is recommended that back-up circuits and equipment should be provided for WAN links that carry critical application data.

• QoS policies and controls can be critical in WAN environments where the change is made from high speed LAN connectivity to comparatively low WAN bandwidth. This can dictate a need for prioritisation of latency sensitive traffic and for mechanisms such as rate limiting and fair sharing techniques.

• It is recommended that an organisation’s QoS schema accounts for WAN link failure scenarios, and ensures that sufficient resources are allocated to critical applications across WAN back-up links.

• All WAN links which are not wholly and exclusively within the control of the organisation should be viewed as being insecure, and therefore would require appropriate measures to ensure confidentiality is maintained for PID whilst in transit.

• Where 3rd Party connections are established, strict control of access must be in place that is in accordance with local NHS organisation and Governmental security policies.


9 Environmental Factors

Vendor data sheets should provide information on heat output for equipment, in addition to the upper and lower tolerances for environmental requirements such as temperature and humidity.

Potential shutdown of equipment, or gradual degradation leading to equipment failure, can occur if the equipment is not housed in a suitable environment. The main environmental considerations for network infrastructure devices are the provision of adequate air conditioning, clean enclosures and suitable ventilation.

Some vendors provide Redundant Power Supply (RPS) units, which are able to provide back-up power in the event of failure of a switch’s main power supply unit. This should not be confused with an Uninterruptible Power Supply (UPS) that provides temporary back-up power in the event of a mains power outage.

UPS power is usually provided by either a standalone unit for individual systems, or from a building central unit. Careful consideration should be given to UPS power ratings, particularly if Power over Ethernet (PoE) is being used within the network.

• UPS protection is recommended for core and distribution layer locations, computer rooms and for Access layer locations that require high availability. • All network infrastructure equipment locations, such as computer rooms,

wiring closets and network cabling distribution points, should be physically secured.