Oracle Application Server : Internet-Firewall-DMZ-Firewall-Intranet
Internet applications are generally deployed using the widely accepted "Internet-Firewall-DMZ-Firewall-Intranet" concept.
An overview of this concept is below.
What is a DMZ?
A DMZ (Demilitarized Zone) is a zone that lies between the Internet and the intranet, separated by a firewall at both ends. The firewall between the DMZ and the Internet is called the Internet firewall, and the firewall between the DMZ and the intranet is called the intranet firewall. In an Oracle Application Server environment, the firewall between the DMZ and the Infrastructure Metadata Database is known as the Infrastructure firewall.
In a DMZ architecture configuration the following holds:
- All incoming traffic first crosses and is processed by the DMZ hardware, and no site resources are directly connected to the Internet.
- The Internet-to-DMZ firewall does not allow any incoming traffic that has a sender address of the DMZ hardware.
- The Internet-to-DMZ firewall allows only the IP addresses and ports that are related to the site applications.
- The DMZ-to-intranet firewall allows only traffic that has a DMZ sender address.
- The DMZ-to-intranet firewall allows only restricted access to IP addresses and ports, based on specific protocols.
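The properties above, modeled as two first-match rule tables with default deny. This is an added example, not from the original post; all addresses, the host roles, and ports 80, 443, 1521 and 389 are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination TCP port; None matches any port

# Constructed addressing: DMZ is 192.0.2.0/24, intranet hosts sit in 10.10.0.0/24.
DMZ, ANY = "192.0.2.0/24", "0.0.0.0/0"
WEB, DB, LDAP = "192.0.2.10/32", "10.10.0.20/32", "10.10.0.30/32"

# Internet-to-DMZ firewall: anti-spoofing rule first, then published ports only.
INTERNET_FW = [
    Rule("deny", DMZ, ANY, None),     # DMZ sender address arriving from outside
    Rule("allow", ANY, WEB, 80),
    Rule("allow", ANY, WEB, 443),
]

# DMZ-to-intranet firewall: DMZ senders only, specific host and port pairs only.
INTRANET_FW = [
    Rule("allow", DMZ, DB, 1521),     # assumed database listener port
    Rule("allow", DMZ, LDAP, 389),    # assumed directory (LDAP) port
]

def decide(rules, src, dst, port):
    """First matching rule wins; anything left unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

if __name__ == "__main__":
    # Constructed sample flows: (firewall name, rule table, src, dst, port)
    flows = [
        ("internet", INTERNET_FW, "203.0.113.5", "192.0.2.10", 443),
        ("internet", INTERNET_FW, "192.0.2.99", "192.0.2.10", 443),   # spoofed DMZ sender
        ("internet", INTERNET_FW, "203.0.113.5", "10.10.0.20", 1521), # direct to intranet
        ("intranet", INTRANET_FW, "192.0.2.10", "10.10.0.20", 1521),
        ("intranet", INTRANET_FW, "203.0.113.5", "10.10.0.20", 1521), # non-DMZ sender
    ]
    for name, table, src, dst, port in flows:
        print(f"{name:8} {src:>12} -> {dst}:{port:<5} {decide(table, src, dst, port)}")
```

The order of the Internet firewall table matters: moving the anti-spoofing deny below the allow rules would let a packet claiming a DMZ sender address reach the web server.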
What must the DMZ satisfy?
All incoming Internet traffic must be processed by the DMZ HTTP Server connected to the Internet.
The picture below shows the Oracle Application Server components that must reside in the DMZ:
- Oracle WebCache
- Oracle HTTP Server
- Oracle Single Sign-On Server
- HTTP Loadbalancer
- Secured HTTP (HTTPS)
- Oracle Internet Directory (if required)
Direct access to the HTTP Server CPU should be avoided. Hackers focus on these servers to make a pathway into the intranet site from the DMZ.
Secured Deployment of Oracle Application Server
Oracle Application Server components should be distributed well across the web tier and the database tier. Web application components (Identity Management components such as HTTP Server, Single Sign-On and Delegated Administration Services) should reside on the external DMZ, and the database components (Oracle Internet Directory and Directory Integration Platform) should reside behind the internal or the external DMZ.
I will discuss this in detail in upcoming topics.