The solution explained

Centrally funded, free-to-use perimeter security, enabling better security for better patient outcomes.

The solution

NHS Secure Boundary comprises two main technology parts, protecting two types of internet traffic:

  1. Bi-directional traffic (initiated internally): traffic which is initiated from within the NHS perimeter. For example, the diagram below shows an NHS worker (left) accessing the internet from their NHS device. Their internet activity is protected by Palo Alto Prisma Access technology.
  2. Inbound traffic (initiated externally): traffic which is initiated from outside the NHS perimeter. For example, the diagram below shows a member of the public (right) accessing an NHS-hosted site via the internet from their own personal device. Their data is protected by the Imperva Incapsula web application firewall en route to the NHS-hosted service.

Secure Boundary solution


Components of the NHS Secure Boundary solution

Below are details of the different components which make up this leading-edge NHS Secure Boundary solution.

Palo Alto Prisma Access

Provides a software-as-a-service (SaaS) based, modern next-generation firewall (NGFW) capability in the cloud, which NHS organisations can use to increase their digital security. Includes:

  • stateful High Availability (HA) pairs of VM-Series NGFW
  • hosted across availability zones
  • dedicated firewalls for each tenant
  • a bandwidth pool apportioned to tenants based on the bandwidth identified during discovery

Cortex Data Logging Service

Collates all logs from the firewalls and management platforms within the solution. Includes:

  • retention of traffic, configuration and systems logs for 6 months
  • forwarding of filtered logs to the Data Security Centre (DSC) Cyber Security Operations Centre (CSOC), enabling the DSC to monitor cyber events across the NHS estate and provide rapid protection as incidents and risks emerge

WildFire

Sandboxing platform designed to identify zero-day threats. Includes:

  • file sandboxing for analysis of unknown threats
  • creation of signatures to block malware and the other malicious behaviours it exhibits
  • dissemination of threat signatures to all WildFire users, so detection by one can protect all
  • static and dynamic analysis over multiple operating systems and application versions

Panorama Management Console

Management of the Prisma platform will be done via the central management console, Panorama. Includes:

  • common Graphical User Interface (GUI) integrated with NHS Mail Single Sign On (SSO)
  • tenant-in-tenant approach to provide global and local control
  • Amazon Web Services (AWS) hosted Panorama with additional NGFWs and role-based access control

MineMeld

Platform which takes in threat data from sources outside of NHS Secure Boundary and allows that threat data to be used by the firewalls in the solution. Includes:

  • aggregation and correlation of threat intelligence feeds
  • enforcement of new prevention controls, including IP blacklists
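To make the aggregation and correlation step concrete, here is an added example (written for this page, not MineMeld's own code) that does what the bullets above describe: it ingests indicator feeds in two different formats, normalises each entry to a network, records which sources reported it, and renders a de-duplicated block list in the one-entry-per-line form a firewall consumes as an external dynamic list. The feed contents, the feed names and the function names are all constructed for the demonstration; overlapping networks are collapsed so a single /24 replaces the individual hosts it already covers.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample feeds (documentation address ranges, not real threat data).
# Each source publishes in its own format, which is the normalisation problem
# a feed aggregator has to solve before the firewall can enforce anything.
FEED_PLAIN = """# plain text, one indicator per line
203.0.113.10
203.0.113.10
198.51.100.0/24
not-an-ip
"""

FEED_CSV = """indicator,confidence,first_seen
203.0.113.10,90,2024-01-01
198.51.100.77,60,2024-01-02
2001:db8::1,80,2024-01-03
"""

# Hypothetical source names mapped to (format, content).
FEEDS: Dict[str, Tuple[str, str]] = {
    "feed-a": ("plain", FEED_PLAIN),
    "feed-b": ("csv", FEED_CSV),
}


def to_network(value: str) -> Optional[ipaddress._BaseNetwork]:
    """Normalise a host or CIDR string to a network; reject anything malformed."""
    try:
        # strict=False accepts host bits set, e.g. "10.0.0.1/24"; a bare host
        # becomes a /32 or /128 so hosts and ranges share one representation.
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def parse_feed(text: str, fmt: str) -> List[ipaddress._BaseNetwork]:
    """Extract indicators from one feed, skipping comments and invalid rows."""
    nets = []
    if fmt == "plain":
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            net = to_network(line)
            if net is not None:
                nets.append(net)
    elif fmt == "csv":
        for row in csv.DictReader(io.StringIO(text)):
            net = to_network(row["indicator"].strip())
            if net is not None:
                nets.append(net)
    else:
        raise ValueError(f"unknown feed format: {fmt}")
    return nets


def aggregate(feeds: Dict[str, Tuple[str, str]]) -> Dict[ipaddress._BaseNetwork, Set[str]]:
    """Merge all feeds into one map of indicator -> set of sources reporting it."""
    seen: Dict[ipaddress._BaseNetwork, Set[str]] = {}
    for name, (fmt, text) in feeds.items():
        for net in parse_feed(text, fmt):
            seen.setdefault(net, set()).add(name)
    return seen


def sources_for(seen: Dict[ipaddress._BaseNetwork, Set[str]], indicator: str) -> List[str]:
    """Which sources corroborate a given indicator (sorted for stable output)."""
    net = to_network(indicator)
    return sorted(seen.get(net, set()))


def render_edl(seen: Dict[ipaddress._BaseNetwork, Set[str]], min_sources: int = 1) -> List[str]:
    """Render the block list, keeping only indicators seen by >= min_sources feeds.

    Overlapping networks are collapsed per address family; single hosts are
    written without a prefix length, as firewalls typically expect.
    """
    chosen = [net for net, srcs in seen.items() if len(srcs) >= min_sources]
    v4 = ipaddress.collapse_addresses(n for n in chosen if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in chosen if n.version == 6)
    lines = []
    for net in list(v4) + list(v6):
        if net.prefixlen == net.max_prefixlen:
            lines.append(str(net.network_address))
        else:
            lines.append(str(net))
    return lines


if __name__ == "__main__":
    merged = aggregate(FEEDS)
    print("\n".join(render_edl(merged)))
```

Raising `min_sources` is the simplest form of correlation: an indicator reported by a single feed can be sent to the firewall as alert-only, while one corroborated by several feeds is safe to block outright.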

Imperva Cloud Web Application Firewall (WAF)

SaaS-based WAF solution to protect applications from malicious attacks via the internet. Includes:

  • protection against the most critical web application security risks, such as Structured Query Language (SQL) injection, cross-site scripting, illegal resource access and remote file inclusion
  • multiple capability offerings to meet current and future requirements whilst being cost effective
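The four risk classes listed above are exactly the kind of thing a WAF matches signatures against before a request reaches the origin. The following added example (not Imperva's rules or any NHS configuration) shows the shape of that inspection in miniature: it parses constructed access-log lines, percent-decodes the path and query values, and runs one signature rule per risk class so the reader can see which requests a simple rule set would have flagged and why. The log lines, rule patterns and function names are all constructed for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines for the demonstration; none come from a real NHS
# service.  Line 1 is benign; lines 2-5 each carry one textbook pattern from a
# risk class the page names.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /appointments?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /appointments?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031',
    '198.51.100.4 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '198.51.100.8 - - [01/Jan/2024:10:00:03 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 120',
    '192.0.2.77 - - [01/Jan/2024:10:00:04 +0000] "GET /page?template=http://203.0.113.66/x.txt HTTP/1.1" 200 80',
]

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# One illustrative signature per risk class.  "scopes" names which decoded
# fields the rule inspects: the URL path, query-string values, or both.  A
# production WAF uses far larger, continuously tuned rule sets and normalises
# input more aggressively (double encoding, mixed case, comments in SQL).
RULES = {
    "sqli": (re.compile(r"(?i)'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+'?|union\s+select"), ("path", "value")),
    "xss": (re.compile(r"(?i)<\s*script\b|javascript:|\bon[a-z]+\s*="), ("path", "value")),
    "path_traversal": (re.compile(r"\.\./|/etc/passwd"), ("path", "value")),
    # A parameter whose whole value is a remote URL is the classic inclusion tell.
    "rfi": (re.compile(r"(?i)^(?:https?|ftp)://"), ("value",)),
}


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one access-log line into its named fields."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def inspect_target(target: str) -> List[str]:
    """Return the sorted rule names triggered by one request target (path + query)."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes the values for us; decode the path explicitly so
    # an encoded "../" is seen in its real form.
    fields = {
        "path": [unquote(parts.path)],
        "value": [v for _, v in parse_qsl(parts.query, keep_blank_values=True)],
    }
    hits = set()
    for name, (pattern, scopes) in RULES.items():
        for scope in scopes:
            if any(pattern.search(text) for text in fields[scope]):
                hits.add(name)
    return sorted(hits)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule set over every line; return only the requests that matched."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        hits = inspect_target(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "target": rec["target"], "findings": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["findings"], f["target"])
```

Run against the sample, the benign request produces no finding and each of the other four is attributed to exactly one class. The same logic applied inline, rather than to a log after the fact, is what lets a cloud WAF block the request before it reaches the NHS-hosted origin; applied to logs it doubles as a detection source for the CSOC.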

Capabilities

Below are some of the capabilities offered by the NHS Secure Boundary solution.

Uniform Resource Locator (URL) filtering

Monitors and controls access to websites and website categories.

Application ID (App-ID)

Visibility of active applications.

Decryption

Selective decryption of traffic for the advanced detection of threats.

WAF

Protects publicly hosted web services from a wide range of internet-based threats.
