Firewall Wizards mailing list archives
Re: Access to backend systems
From: George Capehart <capegeo () earthlink net>
Date: Thu, 19 Oct 2000 21:35:10 -0400
Ellis Luk wrote:
What I want to discuss here is not 100% firewall related, but it probably concerns most of the firewall wizards here.
<snip body of message>
1) have you encountered a similar situation before?
Yes. 'Most everyone doing real transaction processing over the Web has encountered this . . .
2) how would you use your resources (firewall and/or other servers) to protect it?
One way is to partition the application and the DMZ into layers . . .
- - - Outside firewall - - -
Presentation Layer - Web servers, static pages, etc.
- - - Proxy firewall - - -
Application Logic Layer - Servlets that implement whatever
superficial logic is necessary - style sheets, etc.
- - - Proxy firewall - - -
Data(base) layer - local databases that store non-business-critical
data and servlets that talk to internal databases that house
business-critical data and business transactions
- - - Internal firewall - - -
Internal network
By doing things this way, the proxy firewalls between the layers can
examine the traffic that passes between the layers for inappropriate
data, requests, etc. The outside firewall performs the traditional
function of protecting the DMZ from the crazies on the outside (as well
as it can). The internal firewall protects the DMZ from the crazies on
the inside (as well as it can). This way, the data access layer only
has to trust the servlets in the application logic layer and the proxies
(really, only the proxies). The back firewall only has to trust the
servlets in the data access layer.
Note that in the real world, one might want the conversation between
processes in the different layers to happen over mutually authenticated
SSL connections . . .
--
George W. Capehart phone: +1 (704) 277-4561
fax: +1 (704) 853-2624
"I'd rather have a bottle in front of me than a frontal lobotomy."
Anonymous
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
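The layered DMZ in George's reply has two enforceable pieces: the firewalls only permit flows between adjacent layers, and the proxies between layers inspect what crosses them so the data layer only has to trust the proxies. The following Python model, added here as an example and not part of the thread or of anyone's deployment, shows both checks: a default-deny flow table for the four firewalls (with mutual TLS modeled as a flag, since the outside clients have no client certificates) and a proxy that allowlists the operations the application layer may send to the data layer and validates every field. Layer names, protocol labels, operation names and the sample requests are all constructed for the illustration.

```python
"""Model of a layered DMZ: adjacent-layer-only flows plus proxy inspection."""
import re

# Trust zones, outermost first (constructed names following the layers in the message).
LAYERS = ["internet", "presentation", "application", "data", "internal"]

# One entry per firewall: the only (src -> dst) flows it permits, by protocol label.
# Anything not listed is denied. Labels are constructed placeholders, not real ports.
ALLOWED_FLOWS = {
    ("internet", "presentation"): {"https"},            # outside firewall
    ("presentation", "application"): {"servlet-rpc"},   # proxy firewall 1
    ("application", "data"): {"data-rpc"},              # proxy firewall 2
    ("data", "internal"): {"db-tls"},                   # internal firewall
}


def flow_allowed(src, dst, proto, mutual_tls=True):
    """True only if dst is the next layer inward from src, the protocol is listed
    for that firewall, and (inside the DMZ) the connection is mutually authenticated.
    mutual_tls is an assumption modeled as a flag; the outside hop is exempt because
    anonymous browsers cannot present a client certificate."""
    if src not in LAYERS or dst not in LAYERS:
        return False
    if LAYERS.index(dst) != LAYERS.index(src) + 1:
        return False  # no layer skipping and no outbound-initiated flows
    if (src, dst) != ("internet", "presentation") and not mutual_tls:
        return False
    return proto in ALLOWED_FLOWS.get((src, dst), set())


# What the application layer is allowed to ask the data layer for: an operation
# allowlist with a strict pattern per field (constructed schema).
DATA_LAYER_OPERATIONS = {
    "get_order": {"order_id": re.compile(r"[0-9]{1,12}")},
    "place_order": {
        "customer_id": re.compile(r"[0-9]{1,12}"),
        "sku": re.compile(r"[A-Z0-9-]{1,32}"),
        "qty": re.compile(r"[1-9][0-9]{0,3}"),
    },
}


def proxy_inspect(request):
    """Proxy-firewall check on a request crossing from application to data layer.
    Returns (accepted, reason). Rejects unknown operations, any extra or missing
    field, and any value that does not fully match its pattern."""
    op = request.get("op")
    schema = DATA_LAYER_OPERATIONS.get(op)
    if schema is None:
        return False, "unknown operation %r" % (op,)
    args = request.get("args", {})
    if not isinstance(args, dict) or set(args) != set(schema):
        return False, "unexpected or missing fields"
    for name, pattern in schema.items():
        value = args[name]
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            return False, "bad value for %s" % name
    return True, "ok"


# Constructed sample traffic as it might arrive at proxy firewall 2.
SAMPLE_REQUESTS = [
    {"op": "get_order", "args": {"order_id": "4471"}},
    {"op": "get_order", "args": {"order_id": "4471 OR 1=1"}},   # malformed value
    {"op": "raw_sql", "args": {"text": "SELECT * FROM orders"}},  # not on the allowlist
    {"op": "place_order", "args": {"customer_id": "9", "sku": "AB-12", "qty": "2",
                                   "debug": "1"}},               # extra field
]


def inspect_all(requests=SAMPLE_REQUESTS):
    """Run every sample request through the proxy; returns the list of verdicts."""
    return [proxy_inspect(r)[0] for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(proxy_inspect(r), r)
    print(flow_allowed("application", "data", "data-rpc"))
    print(flow_allowed("presentation", "data", "data-rpc"))
```

Only the first sample request passes the proxy; the others are refused before they reach the data layer, and the direct presentation-to-data flow is denied by the flow table regardless of protocol.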
Current thread:
- Access to backend systems Ellis Luk (Oct 19)
- Re: Access to backend systems Stephen P. Berry (Oct 20)
- Re: Access to backend systems George Capehart (Oct 20)
- Re: Access to backend systems horio shoichi (Oct 24)
- <Possible follow-ups>
- Re: Access to backend systems Jeffery . Gieser (Oct 20)
