Case study

How GDS cut PSN connection costs by using a VPN

Find out how GDS uses a VPN to allow users to get access to services on the Public Services Network (PSN).

This case study is part of guidance on moving away from legacy networks.

Objective

The Government Digital Service (GDS) needed to provide staff with a way to access services that still use the PSN.

GDS used its office move as the opportunity to start its migration away from the PSN. The IT team did not want to install any physical connections to the PSN at the new building because they knew it would:

  • be expensive

  • need building permission

  • not be ready in time

  • provide no long term benefits as most staff members were not using the PSN

Checking services and traffic on the PSN

The GDS IT team knew that they would not need to run all traffic through the PSN. The team started by identifying the 3 services that still needed the PSN. These included:

  • The Single Operating Platform (SOP) - used by all staff to check payslips, claim expenses and manage personal information

  • GOV.UK Verify

  • Zimbra Mail - provided staff with *.gsi accounts

  • Brixworks - provided management information about PSN

At GDS, all traffic was being sent through an internal proxy server and then through a Vodafone Proxy server before going out to the internet. Before the office move, the IT team checked how much traffic was internet-based and how much traffic was PSN-specific.

The team used the open source tool SquidAnalyser to check which domain names were being requested, identifying PSN domain names by DNS suffixes such as gsi.gov.uk.

Using the open source monitoring tool Zabbix, the team found that total monthly GDS traffic to the internet was 17TB, whereas total traffic running across the PSN was 11GB.

To reduce PSN traffic, the IT team routed traffic through the internet in stages. The team started by routing all Google Hangouts traffic through the internet, because video and instant messaging were not working through the PSN proxy connection.

Choosing to use a Virtual Private Network and a provider

GDS needed a way to connect users to the PSN without a physical connection at the new office. When GDS moved offices in 2017, there were no vendors on the Digital Marketplace offering remote connectivity to the PSN.

GDS chose Carrenza to help with the building migration and the provider could set up a secure remote connection to the PSN.

The Digital Marketplace now has providers offering a remote connection to the PSN to help departments.

How users access PSN services at GDS

Staff at GDS are split into 2 user groups and this affects how they connect to the PSN remotely.

Users with administrator access

To make sure that remote connections to the PSN are secure, MacBooks with administrator access use a jumpbox to connect to a PSN service like SOP.

  1. The user connects to the VPN using 2-factor authentication.

  2. The user connects to a jumpbox, which launches a sandboxed Firefox session using X2Go. This automatically starts up and connects to SOP on the PSN network.

The IT team customised the X2Go client package to help restrict access from the jumpbox. Users can only use the jumpbox to connect to SOP. This is a benefit of using open source software as it can be tweaked to provide extra security.

Users with no administration access

Users who do not have administrator access on their MacBooks do not use the jumpbox.

  1. The user connects to the VPN using 2-factor authentication.

  2. The user sends a request to connect to SOP. The request is captured by a proxy auto-configuration (PAC) file, which forwards it to our proxy servers.

  3. When the request reaches the proxy server, it is forwarded to our PSN-facing proxy server, which connects to SOP via our third-party PSN supplier.

The legacy way of connecting to PSN was slow and required a physical underground connection. The new method connects the GDS network to a VPN and then to the PSN without the need for a physical network.
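One way to express the split described in steps 2 and 3, as an added example rather than the GDS PAC file itself: a proxy auto-configuration script that sends only hosts under PSN DNS suffixes (the page names gsi.gov.uk) to the internal proxy and lets everything else go straight out to the internet. The proxy address, the SOP hostname and the suffix list are constructed assumptions, and the two helper functions are stand-ins for the ones a browser's PAC engine provides.

```javascript
// Added example PAC script (not GDS's own). Written in ES5 because PAC
// engines in browsers and OS proxy stacks often do not support newer syntax.
// Constructed assumptions: internal proxy address and the list of DNS
// suffixes that identify PSN-only services (leading dot = suffix match).
var PSN_PROXY = "PROXY proxy.example.internal:3128";   // hypothetical proxy
var PSN_SUFFIXES = [".gsi.gov.uk", ".psn.example.internal"]; // hypothetical

// Minimal stand-ins for the standard PAC helpers so the script also runs
// under Node for testing. Same semantics as the browser-provided versions.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Dotless names are local hosts: never send them towards the PSN proxy.
  if (isPlainHostName(host) || host === "localhost") {
    return "DIRECT";
  }

  // PSN-only services (SOP, *.gsi mail and so on) go to the internal proxy,
  // which hands them on to the PSN-facing proxy. Deliberately no "; DIRECT"
  // fallback here: if the proxy is down the browser must fail rather than
  // try to reach a PSN host over the open internet.
  for (var i = 0; i < PSN_SUFFIXES.length; i++) {
    if (dnsDomainIs(host, PSN_SUFFIXES[i])) {
      return PSN_PROXY;
    }
  }

  // Everything else is ordinary internet traffic and bypasses the PSN path.
  return "DIRECT";
}
```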

Challenges of using the VPN

The challenge of using a remote connection is that GDS is dependent on the technology used by its supplier.

GDS is waiting for Carrenza to update some of its hardware so that it can support the latest protocols, such as Internet Key Exchange version 2 (IKEv2).

Cost saving benefits of the VPN

GDS no longer has to pay for a direct PSN connection or a Vodafone Core Services contract. Since migrating, GDS saves up to £42,000 per year in PSN connection costs.

Published 15 April 2019