BOOK: Professional Oracle WebLogic Server
This is the forum to discuss the Wrox book Professional Oracle WebLogic Server by Robert Patrick, Gregory Nyberg, Philip Aston with Josh Bregman, Paul Done; ISBN: 978-0-470-48430-2
Old January 5th, 2010, 10:02 AM
Post #1, by notsob

Firewall Layouts

First off - excellent book. This is now my new bible for WLS deployment.

I have a couple of questions regarding firewall layouts (on pp. 750 and 751). I understand your assertion that companies have their own policies about how their network should be laid out. I wanted to get your opinions on the following.

Our network security engineers, from past discussions with them, do not like the firewall layout as described in Figure 15-10. They claim that attacks (e.g., HTTP-based attacks) from the Internet will simply proxy through the load balancer or plug-in proxy and hence will have a clear path to the web application, which resides in the trusted or internal network. As a result, attacks that use HTTP, for example, that can compromise the web app would then have free rein inside the internal network. They instead would prefer to put the web app in the DMZ (for Internet-facing applications) and the DB in the trusted network. The argument is that, from the defense-in-depth security principle, an attack that compromises the web app would then only have access to resources in the DMZ and not the internal network. Unfortunately, that approach forces us to open a wide range of ports in the internal firewall for the DB traffic.

So I was wondering, in your experience, do you see more of your customers going with the layout in Figure 15-10 or one where the web app server is in the DMZ and the DB in the trusted zone?

Thanks in advance. And again, great book.

Boston

Last edited by notsob; January 5th, 2010 at 10:09 AM.
Old January 5th, 2010, 03:08 PM
Post #2, by Phil (Authorized User)

I would say it's dubious to allow direct access to database connections from the DMZ.

Broadly, there are two classes of attacks:

1. Cross-site scripting attacks where the attacker uses an HTTP message to fool the web server into carrying out an unexpected action.

2. Attacks that lead to direct network access to a machine - where the user gains full control of the machine.

If you are vulnerable to attacks of class 1, you are at risk no matter how you configure the firewalls.

DMZ configurations are intended to make attacks of class 2 harder. The DMZ exists so that the attacker has to first compromise a "sacrificial" component before breaking through the second firewall. The idea is to buy enough time to identify that an attack is in progress.

If you put the application server in the DMZ, you effectively give anyone who compromises the first firewall the same rights as the code running on the application server. This typically includes a high level of access to the database.

The vast majority of WebLogic Server customers prefer the configuration shown in 15-10. Some go further, and add a further firewall in front of the database, but in most cases I don't think this adds much additional protection.

- Phil
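The two layouts under discussion differ in what an attacker gains after compromising the first (sacrificial) DMZ host. The following is an added example, not code from the book or from either poster: it models each layout as a default-deny set of stateful allow rules (source host or zone, destination host, destination port) and computes, for a given compromised host, which services it can open connections to and how many hosts must be fully compromised ("class 2" in Phil's terms) before the database listener becomes directly reachable. Hostnames and zone names are assumptions; 7001 and 1521 are the conventional WebLogic listen port and Oracle listener port and are likewise only illustrative.

```python
"""Blast-radius comparison of the two firewall layouts from the thread.

Added illustration, not code from the book or the forum posters. Topology,
hostnames, zones and ports are constructed assumptions.
"""
from collections import deque

# Rules are (src host-or-zone, dst host, dst port); anything not listed is denied.
# Figure 15-10 style: only the plug-in proxy sits in the DMZ; WLS and DB are internal.
LAYOUT_FIG_15_10 = {
    "zones": {"internet": {"attacker"}, "dmz": {"proxy"}, "internal": {"wls", "db"}},
    "rules": [
        ("internet", "proxy", 443),   # outer firewall: Internet -> proxy only
        ("proxy", "wls", 7001),       # inner firewall: proxy -> WLS listen port only
        ("wls", "db", 1521),          # inside the trusted zone
    ],
}

# Alternative proposed by the poster's network team: WLS in the DMZ, DB internal.
# The inner firewall must now pass DB traffic from the DMZ zone.
LAYOUT_WLS_IN_DMZ = {
    "zones": {"internet": {"attacker"}, "dmz": {"proxy", "wls"}, "internal": {"db"}},
    "rules": [
        ("internet", "proxy", 443),
        ("proxy", "wls", 7001),
        ("dmz", "db", 1521),          # inner firewall: DB listener open to the DMZ zone
    ],
}


def zone_of(layout, host):
    """Return the zone a host belongs to (assumed topology)."""
    for zone, hosts in layout["zones"].items():
        if host in hosts:
            return zone
    raise KeyError(host)


def direct_reach(layout, host):
    """Services a process running on `host` may connect to under default deny."""
    zone = zone_of(layout, host)
    return {(dst, port) for src, dst, port in layout["rules"] if src in (host, zone)}


def hops_to_reach(layout, start, target):
    """Minimum number of hosts an attacker starting on `start` must fully
    compromise before `target` = (host, port) is directly reachable.
    Worst case: every reachable service is assumed exploitable."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        host, hops = queue.popleft()
        reachable = direct_reach(layout, host)
        if target in reachable:
            return hops
        for dst, _port in reachable:
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1))
    return None  # target never reachable from start


def compare_layouts(target=("db", 1521)):
    """Hosts to compromise before the DB listener is reachable, per layout."""
    return {
        "figure_15_10": hops_to_reach(LAYOUT_FIG_15_10, "attacker", target),
        "wls_in_dmz": hops_to_reach(LAYOUT_WLS_IN_DMZ, "attacker", target),
    }


if __name__ == "__main__":
    for name, layout in (("Figure 15-10", LAYOUT_FIG_15_10), ("WLS in DMZ", LAYOUT_WLS_IN_DMZ)):
        print(f"{name}: a compromised proxy can reach {sorted(direct_reach(layout, 'proxy'))}")
    print("hosts to compromise before the DB port is reachable:", compare_layouts())
```

In the Figure 15-10 layout a compromised proxy can reach only the WebLogic listen port, and the database listener is two full compromises away; with WLS in the DMZ, the zone-wide DB rule means any compromised DMZ host, the proxy included, reaches the listener after a single compromise. Widening the DMZ-to-DB rule to the "wide range of ports" the poster mentions only adds more entries to that first-hop set.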
Old January 6th, 2010, 08:10 AM
Post #3, by notsob
Phil -
Many thanks. I will run your comments by our network security engineers especially the comment that, as you see it, most WLS customers prefer the layout in Figure 15-10.

Boston