Network Design

Last Updated: Tuesday, 01 January 2017 02:43AM v091bh12


The network design security offered by REOL Services draws heavily from the Manageable Network Plan V4 from NSA/CSS and the AWS Best Practices white papers published by Amazon (2012-2017).

  • We provide full account isolation at the root account level, followed by a ground-up CloudFormation design with multiple Availability Zones and segregated subnet ranges.

  • Redundant (n+1) public subnets expose ELB endpoints only; we prefer to terminate SSL/TLS (with SNI) at the Amazon Application Load Balancer.

  • Isolated private subnets host application servers and various secondary (non-AWS) managed systems. All access is locked down using AWS-provisioned network ACL groups, and EC2 resources in the private segment do not receive external IP assignments.

  • Fortinet/Cisco or AWS AMI bastion hosts are deployed in each zone with double-logging capabilities (flow logs dispatched to S3 and SSH pass-through session recording), so all access by REOL Services and clients is monitored and recorded. We also employ system agents and AWS Lambda + SNS notifications to immediately send multiple alerts to our security personnel in case of unauthorized access or unsanctioned data retrieval.

  • To enable outbound routing from client resources, we use both AWS NAT Gateways and hardened NAT instances, with flow logs enabled on each.

  • We strictly enforce IAM role rotation per client and further segment IAM role usage per project role (REST, RDS, EC2).

  • All IAM roles and user accounts have minimum password strength enforcement enabled, and ALL access to the AWS environment must be backed by 2FA tokens.

  • IAM users with console (dashboard) access are segregated into user groups with specific resource policies enforced. As a result, application teams have no visibility into client RDS data or other private resources.

  • All IAM changes are recorded and analyzed using CloudTrail delivery to a segregated private S3 bucket.

  • We maintain a private, offline central SSH certificate authority (Netflix BLESS, Bastion's Lambda Ephemeral SSH Service) so that we can quickly disable access or rotate keys across multiple instances and resources if a private key is leaked or compromised.

  • We may elect to enable temporary VPC peering between customer VPCs when data-migration services are required.

  • While we support hosting and migration of clients' existing resources (existing WordPress or other, less secure OSS applications), a special fully isolated and quarantined VPC is provisioned for such installations.

  • All access to Internet-facing bastion hosts is IP-restricted to REOL Services IP space. Clients may request temporary access, provided they can supply a static IP address.

  • The REOL Services DevOps team's entry point into client networks is through point-to-point VPN only (established from the REOL Services office), and all VPN activity is recorded.
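As an added example (not REOL Services' own tooling), the following Python checks a CloudFormation template, loaded as a dict, for three of the controls listed above: private subnets that do not auto-assign public IPs, bastion SSH ingress restricted to the office IP range, and VPC flow logs delivered to S3. The office CIDR, resource names and bucket ARN are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the REOL Services office range (TEST-NET-3, not a real block).
OFFICE_CIDR = ipaddress.ip_network("203.0.113.0/24")

def check_template(template):
    """Return findings for a CloudFormation template dict; [] means every check passed."""
    findings, flow_logs = [], 0
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::Subnet":
            tags = {t["Key"]: t["Value"] for t in props.get("Tags", [])}
            # Private subnets must never hand out external IPs on launch.
            if tags.get("Tier") == "private" and props.get("MapPublicIpOnLaunch"):
                findings.append(f"{name}: private subnet auto-assigns public IPs")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp")
                # SSH into a bastion may only originate from the office range.
                if rule.get("FromPort") == 22 and cidr and \
                        not ipaddress.ip_network(cidr).subnet_of(OFFICE_CIDR):
                    findings.append(f"{name}: SSH reachable from {cidr}")
        elif rtype == "AWS::EC2::FlowLog":
            flow_logs += 1
            if props.get("LogDestinationType") != "s3":
                findings.append(f"{name}: flow log is not delivered to S3")
    if flow_logs == 0:
        findings.append("no AWS::EC2::FlowLog resource: VPC traffic is unrecorded")
    return findings

# Constructed templates: one that violates the controls, one that meets them.
WEAK = {"Resources": {
    "AppSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
        "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": True,
        "Tags": [{"Key": "Tier", "Value": "private"}]}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "0.0.0.0/0"}]}},
}}
HARDENED = {"Resources": {
    "AppSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
        "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False,
        "Tags": [{"Key": "Tier", "Value": "private"}]}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "203.0.113.0/24"}]}},
    "VpcFlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {
        "ResourceType": "VPC", "TrafficType": "ALL", "LogDestinationType": "s3",
        "LogDestination": "arn:aws:s3:::example-flow-log-bucket"}},
}}
```

Running `check_template(WEAK)` yields three findings (public IPs in the private subnet, SSH open to 0.0.0.0/0, no flow log), while `check_template(HARDENED)` returns an empty list.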