Guidance

PSN Inter-Provider Encryption Domain obligations

Published 21 March 2018

As a PSN Protected (PSN-P) network service provider, you must follow these obligations to keep your network secure. The obligations apply to any network service provider within the PSN Inter-Provider Encryption Domain (IPED).

You should follow these principles alongside the NCSC guidance on Using IPsec to protect data.

Acquiring network devices

Obligation IPED.001 mandatory for PSN-P providers

PSN-P providers must ensure PSN-P network devices are:

  • procured through channels you trust
  • secured against unauthorised access during transportation, storage, delivery and installation
  • secured against unauthorised access to configuration files and data

Each device must also be issued an endpoint certificate, so that only devices that are expected to enrol are able to do so.

Managing network devices

Obligation IPED.002 mandatory for PSN-P providers

PSN-P providers must ensure that management of the PSN-P network:

  • is via a management network
  • only allows remote access to devices via the management network
  • uses management terminals only for management of network devices
  • prevents management terminals from accessing any other network or content
  • ensures auditing of network management activity

Obligation IPED.003 mandatory for PSN-P providers

PSN-P providers must ensure PSN-P management traffic is:

  • encrypted
  • authenticated at least as well as the user data it protects
  • separated from data traffic by physical or cryptographic mechanisms

It must also have its integrity protected.

Obligation IPED.004 mandatory for PSN-P providers

PSN-P providers must ensure the PSN-P management network can defend against common attacks.

Obligation IPED.005 mandatory for PSN-P providers

PSN-P providers must ensure PSN-P network management staff are cleared to at least Baseline Personnel Security Standard (BPSS) level (BS 7858:2012).

Obligation IPED.006 mandatory for PSN-P providers

PSN-P providers must ensure PSN-P engineers are only given access to the devices and the credentials for the devices they are responsible for maintaining.

Obligation IPED.007 mandatory for PSN-P providers

PSN-P providers must not give PSN-P vendors direct remote access to endpoint devices.

Obligation IPED.008 mandatory for PSN-P providers

Before providing a vendor with a returned device or diagnostic information, PSN-P providers must:

  • revoke all certificates associated with the PSN-P device
  • make sure customers have agreed that appropriate mechanisms are in place to protect their data

Obligation IPED.009 mandatory for PSN-P providers

PSN-P providers must ensure PSN-P management connections to endpoint devices are to authentic devices only and not subject to interference.

Disposing of network devices

Obligation IPED.010 mandatory for PSN-P providers

PSN-P providers must ensure:

  • no recoverable user information is left on the PSN-P device after disposal
  • the device will not be able to reconnect to the encrypted network

Follow cryptographic profiles

Obligation IPED.011 mandatory for PSN-P providers

PSN-P providers must ensure their PSN-P service uses the Foundation Profile for IPsec. NCSC does allow some exceptions to the Foundation Profile.
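The following strongSwan swanctl.conf fragment is an added example, not text from this page or from NCSC, showing how a PSN-P peer connection is pinned to one profile instead of accepting the daemon's broader default proposal list. The proposal values are my reading of the Foundation Profile (IKEv2, AES-128 in CBC mode, HMAC-SHA-256 for integrity and PRF, the 2048-bit MODP group, certificate authentication, 24-hour IKE and 8-hour ESP lifetimes) and are assumptions to be checked against the profile table in the NCSC IPsec guidance before use; addresses, identities and file names are placeholders.

```conf
# swanctl.conf (strongSwan 5.x) - added example; profile values are assumptions,
# verify each against the current NCSC Foundation Profile table.
connections {
    psn-p-peer {
        version      = 2                     # IKEv2 only; IKEv1 is outside the profile
        local_addrs  = 192.0.2.10            # placeholder
        remote_addrs = 198.51.100.20         # placeholder

        # IKE SA proposal: encryption-integrity/prf-dhgroup. Listing exactly one
        # proposal is what enforces the profile; an empty list would let the
        # daemon negotiate from its default set.
        proposals  = aes128-sha256-modp2048
        rekey_time = 24h

        local {
            auth  = pubkey
            certs = psn-p-endpoint.pem       # endpoint certificate issued to this device
            id    = "CN=gw10.example.psn, O=Provider"          # placeholder
        }
        remote {
            auth = pubkey
            id   = "CN=gw20.example.psn, O=Other Provider"     # placeholder
        }

        children {
            psn-p-data {
                local_ts      = 10.0.10.0/24   # placeholder
                remote_ts     = 10.0.20.0/24   # placeholder
                esp_proposals = aes128-sha256  # AES-128-CBC with HMAC-SHA-256-128
                rekey_time    = 8h
                start_action  = start
            }
        }
    }
}
```

A management channel that has to satisfy IPED.003 can be carried as a second child SA (or a separate connection) with the same proposals, which is the simplest way to show that management traffic is protected at least as well as the user data. Where NCSC has granted an exception to the profile, record the approved deviation next to the proposal line so an auditor can tie the configuration to the approval.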

Using public keys

Obligation IPED.012 mandatory for PSN-P providers

It’s acceptable to use shared public keys, rather than PKI X.509 certificates, for PSN-P.

PSN-P providers must ensure private keys associated with these public keys:

  • are protected in a similar fashion to the end-entity private keys in a PKI
  • never leave the device
  • are never transferred unencrypted

Obligation IPED.013 mandatory for PSN-P providers

PSN-P providers must ensure any device holding a PSN-P private key is:

  • physically secured in line with NCSC guidance
  • configured to prevent access to or export of the private key
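Obligation IPED.008 requires customer data to be protected before diagnostic information goes to a vendor, and IPED.012 and IPED.013 require that private keys are never transferred unencrypted and cannot be exported. One check a provider can run over a configuration backup or diagnostic bundle before it is released is to look for PEM private-key blocks and flag any that are stored in plaintext. The script below is an added example written for this page, not a PSN or NCSC tool; the bundle it inspects is constructed inline and the base64 bodies are placeholder text, not key material.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One PEM block: the label plus everything between the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
# OpenSSL "traditional" PEM marks an encrypted key with a Proc-Type header line.
LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.MULTILINE)

LEGACY_PRIVATE_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
PKCS8_PLAIN = "PRIVATE KEY"                # unencrypted PKCS#8
PKCS8_ENCRYPTED = "ENCRYPTED PRIVATE KEY"  # PKCS#8 wrapped under a passphrase or KEK


@dataclass(frozen=True)
class KeyFinding:
    filename: str
    label: str
    encrypted: bool


def find_private_keys(filename: str, text: str) -> List[KeyFinding]:
    """One finding per private-key PEM block in text; other PEM types are ignored."""
    findings: List[KeyFinding] = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label == PKCS8_ENCRYPTED:
            findings.append(KeyFinding(filename, label, True))
        elif label == PKCS8_PLAIN:
            findings.append(KeyFinding(filename, label, False))
        elif label in LEGACY_PRIVATE_LABELS:
            findings.append(KeyFinding(filename, label, bool(LEGACY_ENCRYPTED.search(body))))
    return findings


def unencrypted_key_files(bundle: Dict[str, str]) -> List[str]:
    """Sorted names of files (filename -> contents) that contain a plaintext private key."""
    return sorted(
        {f.filename for name, text in bundle.items()
         for f in find_private_keys(name, text) if not f.encrypted}
    )


def release_allowed(bundle: Dict[str, str]) -> bool:
    """Release gate for IPED.008: refuse while any plaintext private key is present."""
    return not unencrypted_key_files(bundle)


# Constructed diagnostic bundle for this example. Base64 bodies are placeholder
# text, not real keys or certificates.
SAMPLE_BUNDLE: Dict[str, str] = {
    "mgmt-router.key": (
        "-----BEGIN EC PRIVATE KEY-----\n"
        "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5\n"
        "-----END EC PRIVATE KEY-----\n"
    ),
    "legacy-backup.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "pkcs8-wrapped.key": (
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
        "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n"
    ),
    "endpoint-cert.pem": (
        "-----BEGIN CERTIFICATE-----\n"
        "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydA==\n"
        "-----END CERTIFICATE-----\n"
    ),
    # A support dump into which a key was pasted by mistake (constructed).
    "show-tech.txt": (
        "interface mgmt0\n ip address 192.0.2.10/24\n"
        "--- key material captured by support script ---\n"
        "-----BEGIN PRIVATE KEY-----\n"
        "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5\n"
        "-----END PRIVATE KEY-----\n"
    ),
}


if __name__ == "__main__":
    for name, text in SAMPLE_BUNDLE.items():
        for f in find_private_keys(name, text):
            state = "encrypted" if f.encrypted else "PLAINTEXT"
            print(f"{f.filename}: {f.label} ({state})")
    print("release allowed:", release_allowed(SAMPLE_BUNDLE))
```

The check is header-based: it recognises OpenSSL traditional and PKCS#8 PEM encodings, but an OpenSSH or PKCS#12 container would need its body decoded to tell whether it is encrypted, and it cannot see keys inside binary configuration archives. A clean result also says nothing about IPED.013's export control; that property comes from keeping the key in non-exportable hardware storage, not from scanning files after the fact.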

Obligation IPED.014 mandatory for PSN-P providers

PSN-P providers must document a response procedure in case a PSN-P private key is compromised.