To comply with the HSCN Connection Agreement and the national information governance and security standards one of the following network perimeter security options must be adopted.
Customer premises equipment (CPE) router with context-based access control (CBAC)
As a minimum, the HSCN CPE router shall be deployed with a whitelist CBAC policy applied. In general terms this means that the router configuration should begin with a 'deny all traffic' principle and apply controls to allow only specific network traffic types to and from authorised network locations.
CBAC is an extension of standard access controls whereby the traffic’s application-layer protocol data is inspected to determine the state of a given Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) session.
Note - if the consumer organisation already has a managed connection on the Transition Network (TN) then the redacted TN CPE router configuration should provide the context-based access controls currently applied.
CPE router with built in stateful firewall capabilities
Whilst an access control list (ACL) and a firewall have some similar aspects, they are significantly different. An access control list is a configuration with a type of network logic that can permit or deny certain network packets through a network interface. A firewall will inspect the network traffic passing through and make decisions about what to let through and what to block. The most important difference is that an ACL is stateless, so it will accept or deny each individual packet without knowledge of what came before or afterwards. A firewall is stateful, which means it is capable of not only understanding each packet but also has the capability of understanding the entire session.
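The following is an added illustration (not part of this guidance, and not any supplier's product code) of the two points above: a 'deny all, permit specific' whitelist policy, and the difference between a stateless ACL that judges each packet alone and a stateful device that remembers permitted sessions. The addresses, the single allow rule and the three sample packets are constructed; the session table is a simplified 5-tuple lookup that does not model TCP teardown or timeouts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

# Whitelist: (src_prefix, dst_prefix, proto, dport). Anything not listed is denied.
# Constructed rule: local site 10.1.x.x may open HTTPS to the 172.16.x.x service range.
ALLOW = [("10.1.", "172.16.", "tcp", 443)]

def matches(rule, p):
    s, d, proto, port = rule
    return p.src.startswith(s) and p.dst.startswith(d) and p.proto == proto and p.dport == port

def stateless_acl(p):
    """Each packet judged on its own, like an ACL: default deny, permit only on an explicit match."""
    return any(matches(r, p) for r in ALLOW)

class StatefulFirewall:
    """Default deny, but remember permitted outbound sessions and admit only their replies."""
    def __init__(self):
        self.sessions = set()
    def filter(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.sessions:
            return True                      # reply to a session this side opened
        if any(matches(r, p) for r in ALLOW):
            self.sessions.add(key)           # record the session so its replies are admitted
            return True
        return False

# Constructed traffic: permitted outbound request, its reply, and an unsolicited inbound packet.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "172.16.5.5", "tcp", 51000, 443),
    Packet("172.16.5.5", "10.1.2.3", "tcp", 443, 51000),
    Packet("172.16.5.5", "10.1.2.3", "tcp", 443, 51001),
]

def run(packets):
    """Return (acl_verdict, firewall_verdict) per packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.filter(p)) for p in packets]
```

The stateless ACL denies the legitimate reply because no rule matches it in isolation (an ACL would need a broad reverse rule to let it through), whereas the stateful filter admits only the reply that belongs to a session it saw opened and still denies the unsolicited packet.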
CPE router with separate firewall
A consumer organisation may wish to acquire a CPE router from their HSCN supplier but provide a separate stateful firewall device that can be acquired as either a managed service or managed locally.
Bespoke – for example, aggregated connections with centralised perimeter security
This option covers opportunities not discussed in the three above and is not intended to be prescriptive. For example, an HSCN supplier may choose to aggregate consumer connections by providing private connectivity to centrally hosted perimeter controls before breaking out onto HSCN (and the internet).