This guidance is for service providers or government departments who install networking technologies in government shared buildings, known as hub buildings.
You must follow this guidance if you are refurbishing an existing office space, building new office space or moving to a hub building.
Refer to the Government Property Agency (GPA), part of the Office of Government Property (OGP) for more details on the Government Hubs programme.
Installing your network
To maintain the flexibility and security of the building’s network infrastructure you must treat it as a zero trust network and a separate environment to your IT systems. When installing your IT system assume that:
external and internal threats always exist on the network
you should not trust a network based on its locality
You must only allow authorised and authenticated devices to access network management interfaces. Also, make sure devices are set up to encrypt their data traffic or that encryption occurs at the entry point to a network rather than on the network.
This guidance explains how to install:
shared building wide area networks (WANs)
shared building firewalls
shared building local area networks (LAN)
shared building wireless networks
network access control systems (802.1x)
Installing external connectivity to a shared building
You should install a resilient high speed internet link of 10Gbps. Use a bearer with the required maximum bandwidth, but is flexible enough to support actual use. Smaller hubs could use a 1Gbps bearer, but this will reduce future expansion options. The internet link must have:
2 bearers (fibre links installed into the building)
2 customer premises equipment (CPE) devices that connect the bearers to the customer network, using a first hop redundancy protocol (FHRP) such as Virtual Router Redundancy Protocol (VRRP) to provide failover capability
routing protocols such as border gateway protocol (BGP) and open shortest path first (OSPF) to learn the default route depending on ISP capability and service options
available public routed IP space (IPv4 and IPv6)
a switch that allows the internet link to connect to multiple devices
An example of a shared internet link would involve the internet coming through two ISP routers to create an internet VLAN. There are then two firewall options, a shared firewall and a department firewall. The shared firewall links to wifi and a departmental VLAN. The department firewall links straight to a separate departmental VLAN.
You can adjust the shared internet link depending on the:
capabilities of the ISP
available IP addresses
types of equipment connecting
Connecting firewalls in a shared building
Connect two highly available firewalls to the internet link. This helps to prevent a single point of failure on your network. You can use virtual systems to separate services from each other, and from general system management. This reduces the scope of the changes you’ll need to make when adjusting the configuration of each virtual network’s own firewall context.
For example, services and departments in the cloud can connect via the internet VLAN through a shared firewall to the services in the building. The internet comes through ISP routers to create the internet VLAN.
Choosing the capacity for your firewalls
You must size the firewall appropriately. You should make sure that:
throughput and processing capacity meets the anticipated maximum usage for the hub building
the firewall exceeds the maximum total speed of all the active WAN bearers installed
You can mitigate against device failure when using high availability firewalls by making sure the capacity of the remaining equipment exceeds the maximum required to run the building. Do not depend on Active/Active to provide the minimum throughput capacity for a building.
Consider how much capacity your Layer 2 addresses need
All network equipment has a maximum addressing database capacity for Layer 2. For example, Media Access Control (MAC) tables are often listed with a maximum:
for the device
per broadcast domain
per Address Resolution Protocol (ARP) database
The maximums must exceed the anticipated number of connected devices to the network. This applies to both firewalls and switches.
Estimating firewall capacity needs based on concurrent or new sessions
Make sure you know the per second capacity of your firewall’s maximum concurrent and new sessions. When you’re estimating how many sessions a user device generates, remember that the session count increases with:
client/server or cloud applications
multiple browser tabs
system applications such as antivirus software or management tools
smaller ‘branch’-sized equipment often only support tens of thousands of connections
larger equipment can support millions of connections
Use IPsec capabilities to protect data
Most modern firewalls support the cryptographic standards for using IPsec to protect data, set by the National Cyber Security Centre (NCSC). You should buy any extra licensing your chosen firewall vendor may need.
You should use dual stack network interfaces that work with both IPv4 and IPv6 addresses. The industry standard for IPv6 network allocation (/56 for a building/location and /64 per VLAN) provides enough capacity for an occupier’s connected devices, and extra capacity for privacy addresses.
Use stateless address auto-configuration (SLAAC) on network devices configured for IPv6. SLAAC is a service where the Layer 3 device (firewall, router or switch) advertises its addressing capabilities. SLAAC is the interface that connects to a broadcast domain via router advertisements (RA). There is a limit to the amount of information available in RA packets sent to the all-nodes multicast address. This limit is the recursive DNS server (RDNSS) information. The open standard RFC8106, and Windows 10 in the 2017 Creators Update, supports the RDNSS feature.
It’s common for organisations to use RFC1918 addresses in 10.0.0.0/8 or 172.16.0.0/12 for their internal networks.
When you provide IP subnets to guest networks, use the 192.168.0.0/16 range for address space. This will prevent overlaps or conflicts when devices use VPNs to connect back to their organisational networks.
When using additional guest isolation concepts, it’s common practice to provide a 192.168.0.0/18 (16,384 addresses) or 192.168.0.0/17 (32,768 addresses) subnet allocation to the guest network.
Add a Domain Name System proxy on your firewall
You should use a Domain Name System (DNS) proxy on the firewall and forward all traffic to the NCSC Public Sector DNS service.
The NCSC Public Sector DNS service provides IPv4 and IPv6 DNS resolvers. When setting this up you must:
not pass the resolvers directly onto the connected devices
point the DNS configuration in the Dynamic Host Configuration Protocol (DHCP) services to a local DNS Proxy service (this forwards all queries to the NCSC service)
You should consider blocking all other outbound DNS traffic that is not directed at the local DNS proxy.
Network client configuration with DHCP
When connecting to a network the client will:
broadcast a DHCP request to the connected broadcast domain
receive a response from a DHCP server with an IP address and the relevant settings, such as a default gateway and DNS servers
There is no need for you to run separate DNS/DHCP servers in the building as the dedicated network devices (for example, core routers) you select should support running DNS and DHCP services.
Separating organisations from each other using firewall virtual systems
Modern firewalls can use virtual systems to separate data traffic and the configuration of the firewall.
If needed, you can use this separation to:
reduce the configuration management you need to do for each separate virtual network
make it possible for a tenant organisation to control how they delegate configuration or administrative access
separate the Layer 3 routing and IP address configuration so you have the option for overlapping subnets
Setting up LANs in a shared building
The local area network (LAN) should meet the capacity needs of your users. It should follow the network vendor’s best practice.
An example of a main equipment room in a shared building would contain internet routers, internet edge switches, firewalls and core switches. These would link together through to the satellite equipment room with access switches.
Selecting your network controllers
Two models provide different benefits or constraints for distributed or controller-based traffic routing. Distributed routing has more flexible architecture and is the recommended option.
Controller-based routing uses the switches and access points to send all data traffic to the central controller for authentication and authorisation. This method simplifies the complexity of VLAN sprawl to the access switches as you only need to put the VLANs used by the wifi client on the core switch that connects to the controllers. The controller can also:
inspect all traffic
enforce client isolation
use extra firewall capabilities
The constraints are that the network may experience a slowdown in data traffic if the controller:
is not the right size for the number of users in the building
aggregates all traffic regardless if the firewall outbound options
Distributed routing (or local breakout) uses the access points to send the data traffic from any connected device to the local switch on the correct VLAN. The benefits are that you have a reduced chance of network slowdown, and an increase in the network’s scalability. The constraints are that you will need to do more configuration on the access switches to extend any access VLANs across the building.
Make sure core switches have the right capacity
You must make sure the core switch stack at the centre of the network has enough capacity for the anticipated bandwidth use in the building. Create a stack on each switch using high bandwidth links and configure them so you can manage them as one. The core switches must also connect at least 2 links to all access switches.
The links should be:
at least 10Gbps in size
configured in an aggregated ethernet link, such as link aggregation control protocol (LACP)
Setting up the access switches
To allow greater flexibility so you can add more ports, you should make sure that:
each access switch stack has at least 2 member switches, and each unit contains one of the two 10Gbps links linking to the core switches
the access switches support Power over Ethernet (PoE) and has enough power for all ports on each switch
There are 4,096 virtual local area networks (VLANs) available, which should be enough for the number of networks required in the building. Be aware that smaller switches support fewer VLANs with a variable limit of about 64 active VLANs.
You are not required to use physical switches to separate organisation’s traffic. VLANs separate different organisation’s traffic on a shared Layer 2 switched network.
Using and sizing IP Subnets
When subnets use an access port setup to receive pre-assigned VLANs, you must make sure that the size of the subnet can accommodate the anticipated number of connected devices.
Using private VLANs
Private virtual local area networks (PVLANs) allow switches to use a single VLAN for multiple devices, but stops those devices from communicating with each other. This is useful in shared buildings and for guest networks as it will prevent:
peer to peer networking between devices
devices connecting to services that use automatic discovery protocols
any services running on the devices from being automatically visible to other devices
Using PVLANs makes sure that devices are protected from malware as they are not at risk from probing by other users’ machines.
You should install PVLANs on network equipment. You must put devices that need to communicate, such as meeting room audio and visual, in the same PVLAN community.
Using an automatic Quality of Service configuration
Most modern switches support a basic automatic Quality of Service (QoS) configuration. If you use an automatic QoS configuration you should consider that QoS tags in a shared building are rarely supported across the internet. You may find exceptions when the internet service provider has a separate service element that supports a VoIP (voice over internet protocol) service.
Using multicast to support network-connected devices
You will need to enable multicast on your network to support items such as meeting room technologies or network-connected TVs.
Large buildings with core and multiple access switches will have a distributed switch setup. In this situation, you may need to setup an IGMP Querier for each VLAN that requires multicast.
Setting up administrative access to network devices
When configuring your network devices you should:
use secure access methods such as SSHv2 or HTTPS
disable less secure protocols such as Telnet
make sure devices use trusted certificates by managed terminals or use SSH keys to connect to devices
install a unique root/management password on each device
limit the number of staff with access to route/management passwords as they are for emergencies such as a large service outage
follow the NCSC principles for network management interfaces
use 2 factor authentication (2FA) where possible to access the network management layer
To manage and monitor network equipment and devices you should provide a dedicated VLAN and network range. For example, store the network credentials in a bastion host or jump box away from regular workstations and work email access.
You should follow the zero trust network model as outlined in the section ‘Installing your network’. You can also restrict emergency access used through console over IP servers to emergency out-of-band networks that provide physical access controls from trusted networks through an IPsec VPN.
Log administrative access to network devices and record any commands in the logging system. You can use the separation of roles and responsibilities to make sure administrator accounts do not have access to both the network management interfaces and the logging system. Where this is not possible, those individual administrators should separate accounts with different passwords and 2FA tokens.
Doing your configuration management
Most modern network devices support free open source configuration management tools. You can use these to configure network devices in a structured and repeatable pattern. This allows you to detect unexpected configuration changes made against your recorded baseline.
You should regularly backup your network device configuration if you are not using automation tools. Make sure you record any configuration changes against approved change control events.
Setting up the date and time
Use the Network Time Protocol (NTP) to configure network devices. To do this you can either use a central NTP server run by the service provider, or an internet-based NTP server. Use the NTP to keep accurate security logs and synchronise data across devices.
All network devices must:
send event logs to the central log collection service
generate approved events so that the security monitoring tool can act on or report unexpected events
Installing a wireless network in a shared building
The wireless network must meet the capacity needs of the building and follow the network vendor’s best practice.
An example satellite equipment room for a wifi network in a shield building would contain access switches and links to the core equipment and wifi.
Planning the wifi coverage
For staff areas, you will need to use 2.4GHz and 5GHz from at least 2 access points (APs) to provide enough coverage. Areas of the building used by facilities management may still need wifi, but this can be at a lower density.
The access points you use should be capable of operating in both 2.4GHz and 5GHz bandwidths. This will give you 2 radio transmitters on each AP and provide better coverage for your wifi. In areas with high density usage, you should alternate the configuration of the devices so that every second AP is set up with both radios operating at 5GHz and the others as dual 2.4GHz and 5GHz.
Make sure you enable a dynamic frequency selection (DFS) on the radios so they can use more of the 5GHz bands.
Configure the channel width to 20MHz, 40MHz, 80MHz or 160MHz. The wider the channel the more throughput a wireless client can get from the access point. However, this reduces the number of clear frequencies an AP can use against neighbouring APs. For high density office deployments, 20MHz or even 40MHz is enough. Adjust the radio power specifications based on density and occupancy.
Cabling - backhaul connection from APs to access switches
Most enterprise APs have 2 ethernet ports. One is generally used for Power over Ethernet (PoE) and the second is for data only. Together they provide enough bandwidth for you to fully use the radios. Configure the AP with an aggregated ethernet connection to provide a 2Gbps link. This can be faster if the AP and switch support 2.5GBASE-T or 5GBASE-T ethernet.
How to control network access
Users (staff or guests) should use wifi to access the network, but you should also provide a wired ethernet connection as an alternative. You should use the GovWifi authentication service to install GovWifi SSID and authenticate users.
Switch access ports
To help protect your network, use the LAN to install an 802.1x policy. This policy means the default action is to give an unauthenticated user internet only access by placing the port on the same VLAN as GovWifi.
When you need to configure devices with an 802.1x policy, check if this policy is turned on by default. If it is, check if you need to set the credentials as well. When 802.1x is not required you must turn it off for the device to function. It is important to test all devices before going ‘live’ in a building.
By using a zero trust networking model you can make sure that:
you use certificates to authenticate and authorise all devices on the network
the devices are responsible for encrypting traffic to and from their destination services
you configure unused ports to accept 802.1x authentication and not leave them on the default VLAN or another open VLAN
If you cannot use certificates to authenticate devices then you should configure your fixed access ports or use MAC authentication. Document the certificates and authentication and monitor the network for changes in link status or MAC addresses connecting to the port. In the event of suspicious activity the monitoring system should generate an alert.
Adding non-portable or uncertificated devices to the network
Where devices are not portable, use an ethernet cable to connect them to the network. This includes CCTV systems, building access control systems, meeting room devices, printers and fixed computer workstations.
Printers, TVs and other network accessories often do not have authentication certificates. In these cases, it’s up to the hosting organisation to decide whether they make an exception to allow open ports or MAC authentication. Where the device only requires wired (with PoE) internet access, use the default 802.1x profile.
Setting up legacy or corporate network access over a LAN and wifi
You’ll need to:
if necessary, use the agreed exception process to justify any deviation in your network installation and gain permission from the building management
install WAN links or establish IPsec connections from the shared firewalls to connect to the legacy or corporate network
establish an agreed method that uses PKI to authenticate the network - the hosting organisation should accept the necessary certificates once they are in the RADIUS system
configure appropriate policies to use online certificate status protocol (OCSP) or certificate revocation list (CRL)
When you need a VLAN ID it is the hosting organisation’s responsibility to select it. You should make sure that VLAN IDs are appropriate for the ranges used by the building’s IT system. There are no plans to create a central list of allocated VLANs for corporate networks across hub buildings.
When you provide devices with access to legacy or corporate networks, you can use a fixed-open switch port on the correct VLAN or a MAC list to assign the correct VLAN.
Government Hubs Policy (available on request from GPA) email@example.com
NCSC risk management guidance
Please email firstname.lastname@example.org for more information.