Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
This policy ensures the protection of information in networks.
medDigital has two VPCs containing six subnets:
VPC/Subnet                       CIDR              Ingress Traffic
Production/PUBLIC-EU-WEST-2A     10.0.0.0/24       TCP/80 (HTTP) from Load Balancers only
                                                   TCP/22 (SSH) from INTERNAL-EU-WEST-2A
                                                   TCP/6556 (Monitoring Agent) from INTERNAL-EU-WEST-2A
                                                   ICMP from INTERNAL-EU-WEST-2A
Production/PUBLIC-EU-WEST-2B     10.0.1.0/24       TCP/80 (HTTP) from Load Balancers only
                                                   TCP/22 (SSH) from INTERNAL-EU-WEST-2A
                                                   TCP/6556 (Monitoring Agent) from INTERNAL-EU-WEST-2A
                                                   ICMP from INTERNAL-EU-WEST-2A
Production/DB-EU-WEST-2A         10.0.100.0/24     TCP/3306 (RDBMS) from PUBLIC-EU-WEST-2A, PUBLIC-EU-WEST-2B,
                                                   DB-EU-WEST-2B & INTERNAL-EU-WEST-2A
Production/DB-EU-WEST-2B         10.0.101.0/24     TCP/3306 (RDBMS) from PUBLIC-EU-WEST-2A, PUBLIC-EU-WEST-2B,
                                                   DB-EU-WEST-2A & INTERNAL-EU-WEST-2A
Management/INTERNAL-EU-WEST-2A   10.100.0.0/24     None.
Management/EXTERNAL-EU-WEST-2A   10.100.10.0/24    TCP/443 (HTTPS) from 0.0.0.0/0
                                                   UDP/1194 (VPN) from 0.0.0.0/0
                                                   TCP/943 (VPN Management) from INTERNAL-EU-WEST-2A
                                                   TCP/22 (SSH) from INTERNAL-EU-WEST-2A
                                                   TCP/6556 (Monitoring Agent) from INTERNAL-EU-WEST-2A
                                                   ICMP from INTERNAL-EU-WEST-2A
All VPCs must have flow logs enabled, including logging rejected traffic, and these logs should be stored in the md-fw-logs S3 bucket.
Any change to the above configuration must be controlled by the Change Management System.
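The table above can be checked mechanically. The following is an added example, not part of medDigital's ISMS tooling: it transcribes the subnet CIDRs and permitted ingress from the table into data, evaluates security-group ingress rules in the shape boto3's describe_security_groups() returns under "IpPermissions", and checks a flow-log entry in the shape of describe_flow_logs() for the rejected-traffic and md-fw-logs requirements. The sample rules are constructed (two of them deliberately drift from the table), and the load-balancer security-group ID sg-0lbexample is an assumed placeholder for whatever group is attached to the load balancers.

```python
"""Policy-as-code check of security-group ingress against the subnet ingress table.
Added example, not medDigital's own tooling; input is constructed boto3-shaped data."""
import ipaddress

INTERNET = "0.0.0.0/0"
LB_SECURITY_GROUPS = {"sg-0lbexample"}  # assumption: SG attached to the load balancers

# Subnet name -> CIDR, transcribed from the policy table.
SUBNETS = {
    "PUBLIC-EU-WEST-2A": "10.0.0.0/24",
    "PUBLIC-EU-WEST-2B": "10.0.1.0/24",
    "DB-EU-WEST-2A": "10.0.100.0/24",
    "DB-EU-WEST-2B": "10.0.101.0/24",
    "INTERNAL-EU-WEST-2A": "10.100.0.0/24",
    "EXTERNAL-EU-WEST-2A": "10.100.10.0/24",
}

# Permitted ingress per subnet as (protocol, port, source); source is a subnet
# name, INTERNET, or "LB" for "from Load Balancers only".  ICMP has no port.
MGMT = "INTERNAL-EU-WEST-2A"
MGMT_ACCESS = [("tcp", 22, MGMT), ("tcp", 6556, MGMT), ("icmp", None, MGMT)]
ALLOWED = {
    "PUBLIC-EU-WEST-2A": [("tcp", 80, "LB")] + MGMT_ACCESS,
    "PUBLIC-EU-WEST-2B": [("tcp", 80, "LB")] + MGMT_ACCESS,
    "DB-EU-WEST-2A": [("tcp", 3306, s) for s in
                      ("PUBLIC-EU-WEST-2A", "PUBLIC-EU-WEST-2B", "DB-EU-WEST-2B", MGMT)],
    "DB-EU-WEST-2B": [("tcp", 3306, s) for s in
                      ("PUBLIC-EU-WEST-2A", "PUBLIC-EU-WEST-2B", "DB-EU-WEST-2A", MGMT)],
    "INTERNAL-EU-WEST-2A": [],
    "EXTERNAL-EU-WEST-2A": [("tcp", 443, INTERNET), ("udp", 1194, INTERNET),
                            ("tcp", 943, MGMT)] + MGMT_ACCESS,
}


def _sources(perm):
    """Yield ("cidr", network) and ("sg", group_id) for one IpPermission entry."""
    for r in perm.get("IpRanges", []):
        yield "cidr", ipaddress.ip_network(r["CidrIp"], strict=False)
    for g in perm.get("UserIdGroupPairs", []):
        yield "sg", g["GroupId"]


def _source_ok(kind, value, allowed_src):
    if allowed_src == "LB":
        return kind == "sg" and value in LB_SECURITY_GROUPS
    if kind != "cidr":
        return False
    allowed = ipaddress.ip_network(INTERNET if allowed_src == INTERNET else SUBNETS[allowed_src])
    # A source narrower than the permitted range is still within policy;
    # a wider one (the whole VPC, or 0.0.0.0/0) is not.
    return value.version == allowed.version and value.subnet_of(allowed)


def _port_ok(perm, proto, port):
    if perm["IpProtocol"] != proto:      # "-1" (all traffic) never matches a table row
        return False
    if proto == "icmp":
        return True                      # the table restricts ICMP by source only
    return perm.get("FromPort") == port and perm.get("ToPort") == port


def evaluate(subnet, permissions):
    """Return one finding per (rule, source) pair that the table does not permit."""
    findings = []
    for perm in permissions:
        for kind, value in _sources(perm):
            if not any(_port_ok(perm, p, port) and _source_ok(kind, value, src)
                       for p, port, src in ALLOWED[subnet]):
                ports = f"{perm.get('FromPort', '*')}-{perm.get('ToPort', '*')}"
                findings.append(f"{subnet}: {perm['IpProtocol']}/{ports} from {value} "
                                "is not in the policy table")
    return findings


def flow_log_ok(flow_log):
    """True if a describe_flow_logs() entry logs accepts and rejects to md-fw-logs."""
    return (flow_log.get("TrafficType") == "ALL"
            and flow_log.get("LogDestinationType") == "s3"
            and flow_log.get("LogDestination", "").startswith("arn:aws:s3:::md-fw-logs"))


# Constructed sample; two rules deliberately drift from the table.
SAMPLE = {
    "PUBLIC-EU-WEST-2A": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-0lbexample"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.100.0.0/24"}, {"CidrIp": "0.0.0.0/0"}]},  # SSH from Internet
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.100.0.0/24"}]},
    ],
    "DB-EU-WEST-2A": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/24"}, {"CidrIp": "10.0.1.0/24"},
                      {"CidrIp": "10.0.101.0/24"}, {"CidrIp": "10.100.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # whole production VPC, wider than the table
    ],
}

if __name__ == "__main__":
    for subnet, perms in SAMPLE.items():
        for finding in evaluate(subnet, perms):
            print(finding)
```

Run against live data by replacing SAMPLE with the "IpPermissions" of the security groups attached to each subnet's instances; every finding is a deviation that should have gone through the Change Management System.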
Public Networks (PUBLIC-EU-WEST-2A & PUBLIC-EU-WEST-2B)
Servers on these subnets are limited to application servers intended for use by the public. Requests
must only be accepted from the load balancers - direct connections to servers are not permitted.
Load balancers must be configured to only handle secure connections that are using TLS 1.2 and higher.
Servers should be provisioned equally across both networks to distribute load and to provide high availability.
Applications on this network must have no single point of failure, receive an A+ grade from the Qualys SSL Labs
server test and be supported internally 24x7.
Database Networks (DB-EU-WEST-2A & DB-EU-WEST-2B)
These subnets must not be reachable from the Internet.
Servers on these subnets contain services necessary to deliver applications, such as database servers.
Services on this network must have no single point of failure.
Applications on this network must be supported internally 24x7.
External Management Network (EXTERNAL-EU-WEST-2A)
This subnet is dedicated to VPN access servers, which are used by authorised employees to authenticate
and gain access to the Internal Management Network.
Internal Management Network (INTERNAL-EU-WEST-2A)
This subnet must not be reachable from the Internet.
This subnet is for internal systems only. Access is restricted to authorised medDigital
employees.
All internal applications are required to use SAML2 to ensure users are authenticated with Active
Directory.