First off - excellent book. This is now my new bible for WLS deployment.
I have a couple of questions regarding firewall layouts (in p. 750 and 751). I understand your assertion that companies have their own policies about how their network should be laid out. I wanted to get your opinions on the following
Our network security engineers, from past discussions with them, do not like the firewall layout as described in Figure 15-10. They claim that attacks (e.g., HTTP based attacks) from the Internet will simply proxy through the load balancer or plug-in proxy hence will have a clear path to the web application which resides in the trusted or internal network. As a result, attacks that use HTTP for example, that can compromise the web app would then have free reign inside the internal network. They instead would prefer to put the web app in the DMZ (for Internet facing applications) and the DB in the trusted network. The argument is that from the defense-in-depth security principle, an attack that compromises the web app would then only have access to resources in the DMZ and not the internal network. Unfortunately, that approach however forces us to open a wide range of ports in the internal firewall for the DB traffic.
So I was wondering, in your experience, do you see more of your customers going with the layout in Figure 15-10 or one where the web app server is in the DMZ and the DB in the trusted zone.
Thanks in advance. And again, great book.
Last edited by notsob; January 5th, 2010 at 10:09 AM.