All Internet Applications are generally deployed with the known accepted concept "Internet-Firewall-DMZ-Firewall-Intranet".
An overview of this concept is below;
What is a DMZ ?
A DMZ (Demilitarized Zone) is a zone which is lies between the Internet and the Intranet seperated by Firewall at both the ends. The firewall between the DMZ Zone and the Internet is called as an Internet Firewall and the firewall between the DMZ Zone and the Intranet is called as an Intranet Firewall. In Oracle Application Server environment , the firewall between the DMZ Zone and the Infrastructure Metadata Database is know as Infrstructure Firewall.
In DMZ Architecture Configration the following holds;
- All incoming trafic first crosses and gets processed by the DMZ Hardware and no site resouces are directly connected to the internet.
- The internet to DMZ firewall does not allow any incoming trafic that has sender address of the DMZ Hardware.
- The internet to DMZ firewall allows IP and Ports that are related to the site applications.
- The DMZ to intranet firewall allows only trafic that has a DMZ sender address
- The DMZ to intranet firewall allows only restricted access to IP and Port based on specific protocols.
What must DMZ zone satisfy ?
All internet trafic that comes in must be processed by the DMZ HTTP Server connected to the Internet.
The below picture explains the Oracle Application Server components that must reside in the DMZ Zone
Oracle WebCache
Oracle HTTP Server
Oracle Single Sign-On Server
HTTP Loadbalancer
Secured HTTP ( HTTPs )
Oracle Internet Directory ( If required )
Direct Access to the HTTP Server CPU should be avoided. Hackers focus on these servers to make a path way into the Intra net site from the DMZ Zone.
Secured Deployment of Oracle Application Server
Oracle application server components should be distributed well on the web tier and the database tier. Web application components (Identity Management components such as HTTP Server , Single Sign-On and Delegated Administration Services )
should reside on the external DMZ and the database components ( Oracle Internet Directory and Directory Integration Platform) should reside behind the internal or the external DMZ.
I will be discussing on the same in details in the upcomming topics.
