Mayden House Ltd provides dynamic web services, bespoke internet applications and strategic management consultancy to the healthcare sector, focusing primarily on the NHS.
NETWORKS AND HOSTING
Technical Information
Mayden Health develops and hosts web applications for access over the internet or the National NHS Network (N3). Our aim is to provide our services using state of the art technology together with the most robust software environment. To this end our networks are continually being upgraded and expanded to provide maximum flexibility and security for our client's systems.
Our networks
All our applications and data are hosted in a primary data centre in Bracknell with replica data centre operations for disaster recovery failover. The primary site is a major facility run by Viatel which sits on the internet superhighway and hosts thousands of web applications including those for Vodafone UK and the University JANET network. The data centre has built-in redundancy for power and internet connectivity.
Within this data centre Mayden Health runs two segregated networks: one provides web applications on the internet for general access, the other hosts more secure applications over N3 with access also available via the internet through a secure proxy server. In each network we employ separate application and data servers.
Network configuration and security
The following elements of hardware are currently employed though it should be noted that improvements and upgrades are continually being applied to our network so that following constitutes a minimum standard specification that will not be diminished in terms of performance or security.
Together these network components provide all the elements required for a secure web hosting operation including EAL4 compliant firewalls utilising Intrusion Prevention and Detection backed up by penetration testing, military standard data encryption and two factor authentication.
- Managed Cisco PIX 515E Failover Firewall pair (EAL4 compliant) and dedicated network segment
- Managed Cisco PIX 515E Failover Firewall pair (EAL4 compliant)
- Microsoft ISA edge server
- SSL reverse proxy to F5 Big IP LTM virtual server (default deny all devices), BIG IP GTM incorporated for global traffic failover to remote site
- Cisco ASA5510 edge to dedicated network, multi-homed to N3
- ISA IDS software option
- Cisco ASA IPS software
- Cisco IDS hardware module on ISA edge server external network router
- Trunked GE switches
- Twin Blade Servers, Quad Core 1.87Ghz, RHEL5, PHP5, MySQL5, RHEL Updates, IP tables and software firewall
- Local Mirrored SAS drives 73GB, failover GE interfaces
- LeftHand Networks 2-Way Network RAID volumes spanning 3-Way Storage cluster, RAID 5 per module. Volumes 100GB and 250GB per blade according to purpose. eg 250GB docs, 100GB db
- Dedicated N3 connection and router (supplied and managed by BT)
In addition, we are now able to provide RSA SecurIDR two-factor authentication across a Cisco Client VPN using AES 256 bit encryption. Both hardware and software tokens are available including use of keyfobs, emails and SMS texts.
Data Storage
Depending on the specific configuration required, segregated data can be stored via ISCSI LUN and encrypted CHAP authentication on our Storage Area Network or locally on our dedicated web servers. All data is striped in redundant hardware RAID to allow the application to continue in the case of a disk failure.
In addition to hardware RAID the Storage Area Network can deploy clustered RAID per LUN ensuring two copies of all data are written for every write process.
The Storage Area Network also utilises snap shot technology for recovery from smaller human errors such as accidental document deletion.
Availability
All our web applications are available 24 hours a day, 365 days a year except for occasional periods of planned downtime for upgrades which are normally performed out of hours. To date, our N3 access has achieved 100% availability and internet access 99.97%.
Backup Arrangements
Our application sits on an application server with the database on a data server both of which employ RAID.
As the database records are updated a copy is mirrored on the application server in real time. If the data server then fails, the app server will continue alone using the mirror database. In this scenario we would expect a slower performance while the data server issue is fixed. Each night the mirror database (exactly the same as the main database) is isolated while a backup is taken to a separate Storage Area Network (SAN) volume in the secure network. Snapshots are then taken from the SAN to a remote location on a regular basis.
Shortly, a mirror database will also be established in a mirrored secure network in another location with this data transmitted over a secure link. In the event of a total failure of our main data centre this would provide the potential to run from a second location with an up to date database.
Redundancy
Our redundancy and disaster recovery arrangements are seeing improvements on an ongoing basis. Already, we have redundancy built into power circuits with an additional backup generator in case of total power failure. There are also failover switches on the incoming internet connection with a backup line entering the opposite side of the building. Our servers employ RAID operating over the hard disks so that web applications will continue to run in the event of hard disk failure. The server power supplies also have triple redundancy. Our internet servers also now enjoy a clustering arrangement with a mirror in Geneva to allow fail-over and load-balancing.