
The connection agreement system - A proven solution for the design and administration of sensitive networks
How does it work?
After the initial validation and authorization of participants to the networks, the CAS can be implemented either in a centralized or in a decentralized set-up.
The initial validation of participants:
Information about the individual participants has to be initially validated before new organisations and user accounts are set up in the CAS. The information available to the parties is designed to provide an easy overview of available services and to support the creation and maintenance of the connections agreed upon.
Technically, when a new stakeholder is registered in the CAS, it is assigned a small block of IP addresses which are routed only within this network. It is then up to the local administrator to register agreements in the agreement system, which can be accessed on the open Internet protected by an SSL certificate. After an agreement has been concluded via the web-based interface, it is forwarded electronically to both the data provider and the data user for acceptance in the CAS before the connection is opened. Every 10 minutes the approved agreements in the CAS are transferred to routers in the form of Access Control Lists allowing traffic between parties at the network IP address level.
The Connection Agreement System in a centralized infrastructure:
The CAS has primarily been implemented in networks consisting of a group of regional routers/gateways and a central hub – a cluster of routers – through which all traffic between different institutions is routed. This is the centralized version as it has been used in the Danish Healthcare Data Network since 2003.
In this set-up, the CAS communicates with the central routers to manage the filter rules which block out irrelevant or hostile data traffic. To be connected to the network, stakeholders must either:
- establish a VPN connection from their own secure networks to the network hub;
- or have a fixed high-capacity connection directly to the hub.
[Figure: The Connection Agreement System in a centralized infrastructure]

The CAS enables the data provider (service) and the data user (client) to create, authorize and maintain agreements made by the two parties, with information regarding involved organisations, appointed contact persons, which service may be accessed by which clients and by which protocols.
In short, the CAS offers several advantages:
- Everybody can find the services they need – and each other;
- The need for administering a huge number of VPN tunnels is eliminated;
- The documentation of who ordered a connection and how long it is supposed to exist is always available and up-to-date;
- The security administration is simplified and offers an overview of openings in the firewall at the institution level;
- There is complete administrative control of approval procedures for new organisations.
The Connection Agreement System in a decentralized infrastructure:
The CAS can also support a decentralized infrastructure. This is the solution chosen by the Swedish Healthcare Network. In this case, communication takes place between the different entities within the health data network, but without a central hub.
Instead of centralised filtering, the filtering of data takes place on the users’ (clients and suppliers) own gateways to the network. This gives the users direct access to the network, and also allows individual organisations to communicate with each other without having to use a central hub.
[Figure: The Connection Agreement System in a decentralized infrastructure]

When using the CAS in this way, the organisations administer their own router/firewall which enforces the filtering rules generated by the CAS. The local organisation chooses how the filter rules generated by the CAS from the approved agreements are implemented: either by user download or by automatic import into a local firewall/filter router.
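The agreement-to-filter step described above, for both the central hub and a single organisation's gateway, sketched as an added example that is not CAS code. The record fields, organisation names, documentation-range addresses and the Cisco-style rule syntax are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Agreement:             # hypothetical record layout, not the CAS schema
    client_org: str
    client_net: str          # address block assigned to the data user
    provider_org: str
    service_ip: str          # address of the data provider's service
    proto: str
    port: int
    accepted_by: frozenset   # organisations that have accepted so far
    expires: date

def is_active(a, today):
    # Open only after BOTH parties have accepted; close again on expiry.
    return a.accepted_by == {a.client_org, a.provider_org} and today <= a.expires

def acl_line(a):
    net = ipaddress.ip_network(a.client_net)   # raises on malformed input
    host = ipaddress.ip_address(a.service_ip)
    if a.proto not in ("tcp", "udp") or not 0 < a.port < 65536:
        raise ValueError(f"bad protocol/port in agreement: {a}")
    return f"permit {a.proto} {net.network_address} {net.hostmask} host {host} eq {a.port}"

def compile_acl(agreements, today, org=None):
    """org=None: full list for a central hub; org=name: rules for that gateway."""
    lines = {acl_line(a) for a in agreements
             if is_active(a, today)
             and (org is None or org in (a.client_org, a.provider_org))}
    return sorted(lines) + ["deny ip any any"]   # anything not agreed is dropped

def both(c, p):
    return frozenset({c, p})

# Constructed sample agreements (RFC 5737 documentation addresses).
SAMPLE = [
    Agreement("hospital-a", "192.0.2.0/28", "lab-b", "198.51.100.10", "tcp", 443,
              both("hospital-a", "lab-b"), date(2030, 12, 31)),      # active
    Agreement("clinic-c", "203.0.113.16/28", "lab-b", "198.51.100.10", "tcp", 443,
              frozenset({"clinic-c"}), date(2030, 12, 31)),          # provider not yet accepted
    Agreement("hospital-a", "192.0.2.0/28", "registry-d", "203.0.113.40", "tcp", 22,
              both("hospital-a", "registry-d"), date(2020, 1, 1)),   # expired
    Agreement("clinic-c", "203.0.113.16/28", "registry-d", "203.0.113.40", "tcp", 8443,
              both("clinic-c", "registry-d"), date(2030, 12, 31)),   # active
]

if __name__ == "__main__":
    print("\n".join(compile_acl(SAMPLE, date.today())))
```

Because the list is rebuilt from the agreement records on every run, a withdrawn or expired agreement disappears from the filter at the next transfer without any manual rule cleanup.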
Contact
If you are interested in using the Connection Agreement System or if you want more information, please contact Martin Bech or Tangui Coulouarn.
