Firewall Layouts
First off - excellent book. This is now my new bible for WLS deployment.
I have a couple of questions regarding firewall layouts (on p. 750 and 751). I understand your assertion that companies have their own policies about how their network should be laid out. I wanted to get your opinions on the following:
Our network security engineers, from past discussions with them, do not like the firewall layout as described in Figure 15-10. They claim that attacks (e.g., HTTP-based attacks) from the Internet will simply proxy through the load balancer or plug-in proxy and hence will have a clear path to the web application, which resides in the trusted or internal network. As a result, attacks that use HTTP, for example, and that can compromise the web app would then have free rein inside the internal network. They instead would prefer to put the web app in the DMZ (for Internet-facing applications) and the DB in the trusted network. The argument is that, from the defense-in-depth security principle, an attack that compromises the web app would then only have access to resources in the DMZ and not the internal network. Unfortunately, however, that approach forces us to open a wide range of ports in the internal firewall for the DB traffic.
So I was wondering, in your experience, do you see more of your customers going with the layout in Figure 15-10 or one where the web app server is in the DMZ and the DB in the trusted zone?
Thanks in advance. And again, great book.
Boston
Last edited by notsob; January 5th, 2010 at 10:09 AM.