Network Security Policy

Field	Value
Document ID	POL-003
Version	1.0
Effective Date	2026-04-08
Next Review Date	2027-04-08
Classification	Internal
Owner	Information Security Officer
Approved By	CEO, Paylithix Inc.
Parent Policy	Information Security Policy (POL-001)

1. Purpose

This policy defines the network security controls that protect the Gatelithix Gateway Cardholder Data Environment (CDE). It governs VPC segmentation, firewall rules, encryption in transit, and the process for making network changes, in compliance with PCI DSS 4.0.1 Requirements 1 and 4.

2. Scope

This policy applies to all network infrastructure supporting the Gatelithix Gateway:

PCI VPC (pci-vpc, 10.1.0.0/20) in gatelithix-pci GCP project
Core VPC (core-vpc, 10.0.0.0/20) in gatelithix-core GCP project
VPC Peering between PCI and Core VPCs
Cloud Run ingress/egress settings for all services
Cloud NAT gateways on both VPCs
Cloud SQL network connectivity (Private IP, Cloud SQL Auth Proxy)
External connections to payment processors (Stripe, NMI, FluidPay; TSYS planned)
Cloudflare DNS and DDoS protection layer (api.gatelithix.com, dashboard.gatelithix.com)

3. Roles and Responsibilities

Role	Responsibility
Information Security Officer	Approves network architecture changes to CDE; leads semi-annual NSC review
Engineering Lead	Implements network controls via Terraform IaC; reviews firewall rule changes
All Engineers	Submit network changes through the PR process; do not modify network rules directly

4. Policy Statements

4.1 Network Segmentation Architecture

The CDE shall be isolated in a dedicated GCP project (gatelithix-pci) with its own VPC, IAM boundary, billing account, and audit logging.
Non-CDE workloads (gateway API, connectors, dashboard, docs site) shall run in a separate GCP project (gatelithix-core) with a separate VPC.
No non-CDE workload shall be deployed to the PCI GCP project.
The only network path into the PCI VPC is via VPC peering from the Core VPC, restricted by firewall rules.

4.2 Firewall Rules (Default-Deny)

Both VPCs shall implement a default-deny posture: all ingress and egress traffic is denied at priority 65534 unless explicitly allowed by a higher-priority rule.
The following firewall rules are authorized for the PCI VPC:

Rule Name	Direction	Source/Destination	Protocol/Port	Purpose
`allow-core-to-pci`	Ingress	`10.0.0.0/20` (Core VPC)	TCP 443	Gateway-to-vault API calls over VPC peering
`allow-psp-egress`	Egress	Payment processor IPs	TCP 443	Vault-to-processor PAN transmission
`allow-restricted-apis-egress`	Egress	`199.36.153.4/30`	TCP 443	Access to GCP restricted APIs (KMS, Cloud SQL Admin)
`allow-cloudsql`	Egress	PCI Cloud SQL private IP	TCP 5432	Vault-to-database connections
`deny-all-ingress`	Ingress	`0.0.0.0/0`	All	Default deny (priority 65534)
`deny-all-egress`	Egress	`0.0.0.0/0`	All	Default deny (priority 65534)

No firewall rule shall permit direct internet ingress to CDE systems. The vault service is not publicly accessible.
Firewall rules are defined exclusively in Terraform (infra/terraform/pci/network.tf) and must not be modified through the GCP Console.

4.3 Core VPC Firewall Rules

The Core VPC implements similar default-deny rules with explicit allows for:
- Cloud Run services receiving HTTPS traffic from Cloudflare (TCP 443)
- Egress to payment processor APIs (TCP 443)
- Egress to PCI VPC via peering (TCP 443)
- Egress to GCP restricted APIs (TCP 443)
- Cloud SQL connectivity (TCP 5432)

4.4 VPC Peering

VPC peering between Core and PCI VPCs is the only authorized cross-zone network path.
Peering does not grant transitive access — only directly peered VPCs can communicate.
Peering configuration is defined in Terraform and requires PR review to modify.
Traffic over the peering connection is restricted to TCP 443 (HTTPS) by firewall rules on both sides.

4.5 Cloud NAT

Both VPCs use Cloud NAT for outbound internet access, providing:
- Consistent source IP addresses for allowlisting with payment processors
- NAT logging for auditable egress records
- No public IP addresses assigned to any Cloud Run service or Cloud SQL instance
Cloud NAT logs shall be retained for at least 12 months.

4.6 Encryption in Transit

All network connections carrying cardholder data or authentication credentials shall use TLS 1.2 or higher (PCI DSS 4.2.1).
Specific encryption requirements:

Connection	Encryption	Enforcement
Client to Gateway API	TLS 1.2+	Cloud Run default (no plaintext HTTP)
Gateway to Vault (cross-VPC)	TLS 1.2+	Cloud Run-to-Cloud Run over VPC peering
Vault to Cloud SQL	TLS 1.2+ with `sslmode=require`	Cloud SQL `ssl_mode=ENCRYPTED_ONLY`
Vault to Cloud KMS	TLS 1.2+	GCP API default
Connectors to Processors	TLS 1.2+	Stripe, NMI, FluidPay all require TLS
Dashboard to API	TLS 1.2+	HTTPS only (Cloudflare enforces)
CI/CD to GCP	TLS 1.2+	GCP API and gcloud CLI default

SSL/TLS certificates for public endpoints (api.gatelithix.com, dashboard.gatelithix.com) are managed by Cloudflare with automatic renewal.
Weak cipher suites (RC4, DES, 3DES, MD5-based MACs) are prohibited. Cloud Run and Cloud SQL use GCP-managed cipher suites that exclude these by default.
The cryptographic inventory (protocols, cipher suites, certificate authorities) shall be reviewed at least annually (PCI DSS 12.3.3).

4.7 Cloudflare Configuration

Cloudflare provides DNS, DDoS protection, and TLS termination for public-facing endpoints.
Minimum TLS version on Cloudflare is set to TLS 1.2.
HSTS (HTTP Strict Transport Security) is enabled with a minimum max-age of 1 year.
Cloudflare does not cache, store, or inspect request/response bodies containing cardholder data — it operates as a pass-through proxy.
Cloudflare’s PCI DSS AOC shall be maintained on file and reviewed annually.

4.8 Wireless Networks

Gatelithix Gateway infrastructure is entirely cloud-based. No wireless networks are in scope for the CDE.
Development occurs on personal devices connecting to cloud services over the internet (TLS-encrypted). No local development environment processes real cardholder data.

4.9 Network Change Process

All network configuration changes (firewall rules, VPC settings, peering, Cloud NAT, DNS) shall be made through Terraform IaC and the standard Change Management Policy.
Network changes affecting CDE require:
- A pull request with Terraform plan output showing the exact changes
- Review and approval by the ISO or Engineering Lead
- terraform plan verification before terraform apply
- Post-deployment verification that firewall rules match the intended state
Emergency network changes (e.g., blocking an active attack) may bypass normal review but must be documented retroactively within 24 hours.

4.10 Semi-Annual Network Security Control (NSC) Review

All firewall rules and network configurations shall be reviewed at least every six months (PCI DSS 1.2.7).
The review shall confirm:
- Each firewall rule has a documented business justification
- No unnecessary or overly permissive rules exist
- Default-deny rules are in place and active
- VPC peering configuration is correct
- Cloud NAT logging is enabled
- TLS versions and cipher suites meet policy requirements
The review is conducted by the ISO with input from the Engineering Lead.
Findings and remediations are documented and retained for at least 12 months.
Review schedule: April and October of each year.

5. Compliance and Enforcement

Unauthorized network changes to CDE infrastructure shall be treated as a security incident.
Direct modification of firewall rules through the GCP Console (bypassing Terraform) is prohibited and detectable via GCP Admin Audit Logs.
Violations shall be investigated per the Incident Response Plan.

Information Security Policy (POL-001) — Parent policy
Change Management Policy (POL-006) — Change process for network modifications
Key Management Policy (POL-004) — Encryption key controls
infra/terraform/pci/network.tf — PCI VPC firewall rules (source of truth)
infra/terraform/core/network.tf — Core VPC firewall rules
PCI DSS 4.0.1 Requirements 1 and 4

7. Document History

Version	Date	Author	Changes
1.0	2026-04-08	Information Security Officer	Initial policy creation