
Network Security Policy

Classification Public
Location https://www.medcrowd.com/compliance/iso27001/policies/NetworkSecurity
Author Paul Gardner
Approver Felix Jackson
Approved 16th February 2017
Date Author Changes
19th June 2023 Paul Gardner Periodic review
6th June 2022 Paul Gardner Periodic review
16th February 2021 Paul Gardner Periodic review
12th February 2020 Paul Gardner Periodic review
20th November 2019 Paul Gardner Traffic flowing in and out of both VPCs, whether permitted or denied, is now logged
15th May 2018 Paul Gardner Periodic review
16th February 2017 Paul Gardner Updated to reflect migration from Dublin to London
13th December 2016 Paul Gardner Detail permitted traffic on each subnet
5th December 2016 Paul Gardner Initial

Introduction

This policy is part of the medDigital ISMS and must be fully complied with.

This policy ensures the protection of information in networks.

medDigital has two VPCs, containing six subnets in total.

VPC/Subnet                      CIDR            Ingress Traffic
Production/PUBLIC-EU-WEST-2A    10.0.0.0/24     TCP/80 (HTTP) from Load Balancers only
                                                TCP/22 (SSH) from INTERNAL-EU-WEST-2A
                                                TCP/6556 (Monitoring Agent) from INTERNAL-EU-WEST-2A
                                                ICMP from INTERNAL-EU-WEST-2A
Production/PUBLIC-EU-WEST-2B    10.0.1.0/24     TCP/80 (HTTP) from Load Balancers only
                                                TCP/22 (SSH) from INTERNAL-EU-WEST-2A
                                                TCP/6556 (Monitoring Agent) from INTERNAL-EU-WEST-2A
                                                ICMP from INTERNAL-EU-WEST-2A
Production/DB-EU-WEST-2A        10.0.100.0/24   TCP/3306 (RDBMS) from PUBLIC-EU-WEST-2A, PUBLIC-EU-WEST-2B, DB-EU-WEST-2B & INTERNAL-EU-WEST-2A
Production/DB-EU-WEST-2B        10.0.101.0/24   TCP/3306 (RDBMS) from PUBLIC-EU-WEST-2A, PUBLIC-EU-WEST-2B, DB-EU-WEST-2A & INTERNAL-EU-WEST-2A
Management/INTERNAL-EU-WEST-2A  10.100.0.0/24   None.
Management/EXTERNAL-EU-WEST-2A  10.100.10.0/24  TCP/443 (HTTPS) from 0.0.0.0/0
                                                UDP/1194 (VPN) from 0.0.0.0/0
                                                TCP/943 (VPN Management) from INTERNAL-EU-WEST-2A
                                                TCP/22 (SSH) from INTERNAL-EU-WEST-2A
                                                TCP/6556 (Monitoring Agent) from INTERNAL-EU-WEST-2A
                                                ICMP from INTERNAL-EU-WEST-2A

All VPCs must have flow logs enabled, including logging rejected traffic, and these logs should be stored in the md-fw-logs S3 bucket.
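The flow logs the policy requires are only useful if someone checks them against the ingress table. The following Python script is an added example and is not medDigital's own code or tooling: it encodes the table above as data, parses records in the default (version 2) VPC flow log format, and reports every ACCEPTed flow that the table does not permit. The load balancer addresses, the sample records and their account, interface and timestamp fields are all constructed placeholders.

```python
"""Audit VPC flow log records against the subnet ingress table above.
Added example, not medDigital's code. Parses default (version 2) flow log
records and reports each ACCEPTed flow the table does not permit. Load
balancer addresses and sample records are constructed placeholders."""
import ipaddress

# Subnet CIDRs taken from the policy table.
SUBNETS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "PUBLIC-EU-WEST-2A": "10.0.0.0/24",
    "PUBLIC-EU-WEST-2B": "10.0.1.0/24",
    "DB-EU-WEST-2A": "10.0.100.0/24",
    "DB-EU-WEST-2B": "10.0.101.0/24",
    "INTERNAL-EU-WEST-2A": "10.100.0.0/24",
    "EXTERNAL-EU-WEST-2A": "10.100.10.0/24",
}.items()}

# Assumption: the load balancer interfaces sit at these constructed addresses.
LOAD_BALANCER_IPS = {ipaddress.ip_address(a) for a in ("10.0.0.250", "10.0.1.250")}

# IANA protocol numbers as written in the flow log 'protocol' field.
TCP, UDP, ICMP = 6, 17, 1
ANY, LB, INTERNAL = "0.0.0.0/0", "LOAD-BALANCERS", "INTERNAL-EU-WEST-2A"

# Permitted ingress per destination subnet as (protocol, port, source).
# A port of None matches any port; ICMP records carry type/code there instead.
MGMT = [(TCP, 22, INTERNAL), (TCP, 6556, INTERNAL), (ICMP, None, INTERNAL)]
DB_CLIENTS = ["PUBLIC-EU-WEST-2A", "PUBLIC-EU-WEST-2B", INTERNAL]
POLICY = {
    "PUBLIC-EU-WEST-2A": [(TCP, 80, LB)] + MGMT,
    "PUBLIC-EU-WEST-2B": [(TCP, 80, LB)] + MGMT,
    "DB-EU-WEST-2A": [(TCP, 3306, s) for s in DB_CLIENTS + ["DB-EU-WEST-2B"]],
    "DB-EU-WEST-2B": [(TCP, 3306, s) for s in DB_CLIENTS + ["DB-EU-WEST-2A"]],
    "INTERNAL-EU-WEST-2A": [],  # "None." in the table: no ingress at all
    "EXTERNAL-EU-WEST-2A": [(TCP, 443, ANY), (UDP, 1194, ANY), (TCP, 943, INTERNAL)] + MGMT,
}

def subnet_of(ip):
    """Name of the policy subnet containing ip, or None if outside both VPCs."""
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if ip in net), None)

def source_matches(src_ip, allowed_source):
    if allowed_source == ANY:
        return True
    if allowed_source == LB:
        return src_ip in LOAD_BALANCER_IPS
    return subnet_of(src_ip) == allowed_source

def is_permitted(src_ip, dst_ip, protocol, dst_port):
    """True if the ingress table permits this flow into dst_ip's subnet."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_subnet = subnet_of(dst_ip)
    if dst_subnet is None:
        return False
    return any(
        proto == protocol and port in (None, dst_port) and source_matches(src_ip, source)
        for proto, port, source in POLICY[dst_subnet]
    )

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_record(line):
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"unexpected field count in {line!r}")
    return dict(zip(FIELDS, values))

def audit(lines):
    """Return the ACCEPT records that the ingress table does not permit.
    Version 2 records carry no direction field, so each record is judged as
    ingress to dstaddr; a custom format with flow-direction would separate replies."""
    findings = []
    for line in (raw.strip() for raw in lines):
        if not line or line.startswith("version"):
            continue  # skip blanks and the header line some exports include
        rec = parse_record(line)
        if rec["action"] != "ACCEPT" or rec["log_status"] != "OK":
            continue  # rejects already match policy; NODATA/SKIPDATA have no addresses
        if not is_permitted(rec["srcaddr"], rec["dstaddr"], int(rec["protocol"]), int(rec["dstport"])):
            findings.append(line)
    return findings

# Constructed sample records (account, interface and time fields are placeholders).
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.0.250 10.0.0.15 52114 80 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.0.15 40022 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0d4e5f6a 10.0.0.15 10.0.100.20 51000 3306 6 20 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0d4e5f6a 10.0.0.15 10.0.100.20 51001 22 6 1 60 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0b7c8d9e 198.51.100.4 10.100.10.8 61000 1194 17 5 700 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0b7c8d9e 198.51.100.4 10.100.0.8 61001 22 6 2 120 1700000000 1700000060 ACCEPT OK",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("POLICY VIOLATION:", finding)
```

Run against the constructed sample it reports two violations: SSH from a public subnet into DB-EU-WEST-2A, and SSH from the Internet into INTERNAL-EU-WEST-2A, which the table lists as accepting nothing. The REJECT record is skipped because denied traffic is what the policy expects. Since the default record format has no direction field, the check treats every record as ingress to its dstaddr; a custom log format that includes the flow-direction field lets the reply half of each connection be filtered out rather than assumed.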

Any change to the above configuration must be controlled by the Change Management System.

Public Networks (PUBLIC-EU-WEST-2A & PUBLIC-EU-WEST-2B)

Servers on these subnets are limited to application servers intended for use by the public. Requests must only be accepted from the load balancers - direct connections to servers are not permitted.

Load balancers must be configured to accept only secure connections using TLS 1.2 or higher.

Servers should be provisioned equally across both networks to distribute load and to provide high availability.

Applications on this network must have no single point of failure, receive a grade of A+ from Qualys and be supported internally 24x7.

Database Networks (DB-EU-WEST-2A & DB-EU-WEST-2B)

These subnets must not be reachable from the Internet.

Servers on these subnets contain services necessary to deliver applications, such as database servers.

Services on this network must have no single point of failure.

Applications on this network must be supported internally 24x7.

External Management Network (EXTERNAL-EU-WEST-2A)

This subnet is dedicated to VPN access servers and is used by authorised employees to authenticate and gain access to the Internal Management Network.

Internal Management Network (INTERNAL-EU-WEST-2A)

This subnet must not be reachable from the Internet.

This subnet is for internal systems only. Access is restricted to authorised medDigital employees.

All internal applications are required to use SAML2 to ensure users are authenticated with Active Directory.