From All n One's bxp software Wixi
=Overview=
[[File:stacks_001.png|right|300px]]The bxp software (bxp) infrastructure is a multi-tier design to deliver high availability with our own private infrastructure within Amazon Web Services. [[Bxp_software_in_AWS_Cloud_Services]]
bxp is built on a WIMA stack (Windows, IIS, MySQL, ASP).
=Physical Infrastructure=
bxp software is hosted from the AWS data facility within Ireland (eu-west-1).
=Secure Design=
AWS performs initial environmental and geographic assessments. Data center locations are carefully selected to mitigate environmental risks, such as flooding, extreme weather, and seismic activity. AWS Availability Zones are built to be independent and physically separated from one another.
=Redundancy=
Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
bxp has a disaster recovery support contract with AWS to move bxp software's operations to our redundant offsite infrastructure hosted in AWS' France facility (eu-west-3). A simulation of this process is run annually.
AWS provides numerous high-level interconnects to provide redundant Internet connectivity.
==Security==
The highly available firewalls are implemented using AWS' network firewalls. This is a managed service with AWS. The Network Firewall includes features that provide protections from common network threats. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing bxp's network from accessing domains using an unauthorized protocol. AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so bxp can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.
==Load Balancing==
The load balancers are implemented using highly available AWS Application/Network Load Balancers. This service allows us to protect our encrypted HTTPS connections, ensuring the use of strong TLS 1.2 and cipher suite technology.
==Server Monitoring==
Live 24/7 monitoring from our AWS support team, with alerts and calls to the bxp team if required.
An ISMS for our servers is monitored by Datadog HQ (https://www.datadoghq.com/product/)
==Web==
The web servers are implemented using Windows Server 2012 R2 x64 on a virtualised basis.
==Database==
The database web servers are implemented using Windows 2012 R2 x64 Server on a virtualised basis.
=Logical Infrastructure=
Strong security and operational procedure controls ensure this segregation is maintained by all personnel with access. All interactions are auditable.
==Server Patching Process==
Servers are checked for patches and updates daily. These updates are downloaded and installed on Thursday evenings as part of bxp's scheduled maintenance hours 22:30-00:30. The exception is made for zero-day updates, which are conducted asap.