Firewall Wizards mailing list archives
Re: Access to backend systems
From: George Capehart <capegeo () earthlink net>
Date: Thu, 19 Oct 2000 21:35:10 -0400
Ellis Luk wrote:
What I want to discuss here is not 100% firewall related, but it probably concerns most of the firewall wizards here.
<snip body of message>
1) Have you encountered a similar situation before?
Yes. 'Most everyone doing real transaction processing over the Web has encountered this . . .
2) How would you use your resources (firewall and/or other servers) to protect it?
One way is to partition the application and the DMZ into layers . . .

- - - Outside firewall - - -
Presentation Layer - Web servers, static pages, etc.
- - - Proxy firewall - - -
Application Logic Layer - Servlets that implement whatever superficial logic is necessary - style sheets, etc.
- - - Proxy firewall - - -
Data(base) layer - local databases that store non-business-critical data and servlets that talk to internal databases that house business-critical data and business transactions
- - - Internal firewall - - -
Internal network

By doing things this way, the proxy firewalls between the layers can examine the traffic that passes between the layers for inappropriate data, requests, etc. The outside firewall performs the traditional function of protecting the DMZ from the crazies on the outside (as well as it can). The internal firewall protects the DMZ from the crazies on the inside (as well as it can). This way, the data access layer only has to trust the servlets in the application logic layer and the proxies (really, only the proxies). The back firewall only has to trust the servlets in the data access layer.

Note that in the real world, one might want the conversation between processes in the different layers to happen over mutually authenticated SSL connections . . .
-- Ellis
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
-- George W. Capehart
phone: +1 (704) 277-4561
fax: +1 (704) 853-2624
"I'd rather have a bottle in front of me than a frontal lobotomy." Anonymous
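The layered design in the reply above, written out as a packet-filter policy. This is an added example, not code from the thread or from either poster: the per-layer subnets, the port numbers (443 outside, 8443 for the TLS hops between tiers, 1521 from the data layer to the internal database) and the nftables table and chain names are all assumptions chosen for illustration. The model is default deny, lists only the flows between adjacent layers, checks that no listed flow lets a layer reach past its neighbour (the property the post's trust argument rests on), and renders the result as a forward chain that could be loaded on each of the firewalls in the diagram.

```python
"""Policy model of the layered DMZ from the post.

Added example, not code from the thread. Subnets, port numbers and the
nftables table/chain names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Layers in the order they appear in the diagram, outermost first.
LAYER_ORDER = ["outside", "presentation", "applogic", "data", "internal"]

# Assumed addressing: one subnet per layer; "outside" is everything else.
ZONES = {
    "outside": ip_network("0.0.0.0/0"),
    "presentation": ip_network("192.0.2.0/24"),
    "applogic": ip_network("198.51.100.0/24"),
    "data": ip_network("203.0.113.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Default deny: only these flows are permitted, and each crosses exactly one
# firewall in the diagram. The inter-tier hops are assumed to be TLS on 8443
# so the proxies can demand client certificates; that check is the proxy's
# job, the packet filter only decides who may open a connection to whom.
ALLOWED = [
    Flow("outside", "presentation", "tcp", 443),
    Flow("presentation", "applogic", "tcp", 8443),
    Flow("applogic", "data", "tcp", 8443),
    Flow("data", "internal", "tcp", 1521),  # data-layer servlets to the internal DB
]


def zone_of(ip: str) -> str:
    """Most specific zone containing ip; falls back to 'outside' (0.0.0.0/0)."""
    addr = ip_address(ip)
    matches = [name for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda name: ZONES[name].prefixlen)


def permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Would the layered firewalls let a *new* connection through?"""
    flow = Flow(zone_of(src_ip), zone_of(dst_ip), proto, dport)
    return flow in ALLOWED


def skipped_layers(flows=ALLOWED) -> list:
    """Flows that do not cross exactly one firewall, i.e. that let a layer
    reach past its neighbour. An empty list means the trust argument in the
    post ('the data layer only has to trust the app-logic servlets') holds."""
    bad = []
    for f in flows:
        if abs(LAYER_ORDER.index(f.src) - LAYER_ORDER.index(f.dst)) != 1:
            bad.append(f)
    return bad


def to_nft(flows=ALLOWED) -> str:
    """Render the policy as one nftables forward chain with a drop policy."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in flows:
        lines.append(
            f"    ip saddr {ZONES[f.src]} ip daddr {ZONES[f.dst]} "
            f"{f.proto} dport {f.dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Refuse to emit a ruleset that contradicts the layering.
    assert not skipped_layers(), skipped_layers()
    print(to_nft())
```

Note what the model deliberately does not allow: nothing outside reaches the application logic tier directly, the presentation tier cannot talk to the data tier, and no connection may be opened from the internal network into the DMZ (only the data-layer servlets may open one inward), which is the "internal firewall protects the DMZ from the inside" point. Mutual authentication of the tier-to-tier TLS sessions is outside the packet filter and belongs on the proxies.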
Current thread:
- Access to backend systems Ellis Luk (Oct 19)
- Re: Access to backend systems Stephen P. Berry (Oct 20)
- Re: Access to backend systems George Capehart (Oct 20)
- Re: Access to backend systems horio shoichi (Oct 24)
- <Possible follow-ups>
- Re: Access to backend systems Jeffery . Gieser (Oct 20)