Wrox Programmer Forums
BOOK: Professional Oracle WebLogic Server
This is the forum to discuss the Wrox book Professional Oracle WebLogic Server by Robert Patrick, Gregory Nyberg, Philip Aston with Josh Bregman, Paul Done; ISBN: 978-0-470-48430-2
January 5th, 2010, 11:02 AM
Registered User (Join Date: Jan 2010, Posts: 2)
Firewall Layouts

First off - excellent book. This is now my new bible for WLS deployment.

I have a couple of questions regarding firewall layouts (on pp. 750 and 751). I understand your assertion that companies have their own policies about how their network should be laid out. I wanted to get your opinions on the following:

Our network security engineers, from past discussions with them, do not like the firewall layout as described in Figure 15-10. They claim that attacks (e.g., HTTP-based attacks) from the Internet will simply proxy through the load balancer or plug-in proxy and hence will have a clear path to the web application, which resides in the trusted or internal network. As a result, attacks that use HTTP, for example, that can compromise the web app would then have free rein inside the internal network. They instead would prefer to put the web app in the DMZ (for Internet-facing applications) and the DB in the trusted network. The argument is that, from the defense-in-depth security principle, an attack that compromises the web app would then only have access to resources in the DMZ and not the internal network. Unfortunately, that approach forces us to open a wide range of ports in the internal firewall for the DB traffic.

So I was wondering, in your experience, do you see more of your customers going with the layout in Figure 15-10 or one where the web app server is in the DMZ and the DB in the trusted zone?

Thanks in advance. And again, great book.

Boston

Last edited by notsob; January 5th, 2010 at 11:09 AM.
 
January 5th, 2010, 04:08 PM
Authorized User (Join Date: Nov 2009, Posts: 12)

I would say it's dubious to allow direct access to database connections from the DMZ.

Broadly, there are two classes of attacks:

1. Cross-site scripting attacks where the attacker uses an HTTP message to fool the web server into carrying out an unexpected action.

2. Attacks that lead to direct network access to a machine - where the user gains full control of the machine.

If you are vulnerable to attacks of class 1, you are at risk no matter how you configure the firewalls.

DMZ configurations are intended to make attacks of class 2 harder. The DMZ exists so that the attacker has to first compromise a "sacrificial" component before breaking through the second firewall. The idea is to buy enough time to identify that an attack is in progress.

If you put the application server in the DMZ, you effectively give anyone who compromises the first firewall the same rights as the code running on the application server. This typically includes a high level of access to the database.

The vast majority of WebLogic Server customers prefer the configuration shown in 15-10. Some go further, and add a further firewall in front of the database, but in most cases I don't think this adds much additional protection.

- Phil
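The blast-radius argument made in the two posts above, as an added example that is not from the book or from either poster: a small Python model of the two layouts, with firewall rules as zone-to-zone allow-lists, that computes what a host in a given zone can connect to and how many hosts an attacker must fully take over (Phil's "class 2" attack) before the database is directly reachable. Zone names, host names, the port numbers and the "no firewall inside a zone" rule are assumptions of the model.

```python
from collections import deque

# Constructed model (not from the book). Each host maps to (zone, listening port).
# Assumed ports: 443 for the proxy, 7001 (WebLogic default) for the app server,
# 1521 (Oracle default) for the database.
LAYOUT_A = {  # Figure 15-10 style: only the proxy/load balancer sits in the DMZ
    "hosts": {"proxy": ("dmz", 443), "wls": ("trusted", 7001), "db": ("trusted", 1521)},
    "rules": [("internet", "dmz", 443), ("dmz", "trusted", 7001)],
}
LAYOUT_B = {  # alternative from the thread: app server in the DMZ, database inside
    "hosts": {"proxy": ("dmz", 443), "wls": ("dmz", 7001), "db": ("trusted", 1521)},
    "rules": [("internet", "dmz", 443), ("dmz", "trusted", 1521)],  # DB port opened inward
}


def allowed(layout, src_zone, dst_host):
    """True if a connection from src_zone to dst_host's service passes the firewalls."""
    dst_zone, port = layout["hosts"][dst_host]
    if src_zone == dst_zone:
        return True  # assumption: no firewall between hosts in the same zone
    return (src_zone, dst_zone, port) in layout["rules"]


def reachable_services(layout, src_zone):
    """Hosts whose service a machine in src_zone can open a connection to."""
    return {h for h in layout["hosts"] if allowed(layout, src_zone, h)}


def compromises_to_reach(layout, target):
    """Minimum number of hosts an Internet attacker must fully take over before a
    direct connection to `target` is possible (0 = reachable from the Internet)."""
    taken = set()
    frontier = deque([("internet", 0)])  # (zone whose rights the attacker holds, hops)
    while frontier:
        zone, hops = frontier.popleft()
        for host in reachable_services(layout, zone):
            if host == target:
                return hops
            if host not in taken:  # taking over `host` grants its zone's rights
                taken.add(host)
                frontier.append((layout["hosts"][host][0], hops + 1))
    return None  # target is never reachable under these rules


if __name__ == "__main__":
    for name, layout in (("Layout A (Fig. 15-10)", LAYOUT_A), ("Layout B", LAYOUT_B)):
        print(name, "- from DMZ:", sorted(reachable_services(layout, "dmz")),
              "- compromises before DB is reachable:", compromises_to_reach(layout, "db"))
```

Under layout A the DMZ can only talk to the app server's listen port, so the database needs two successive take-overs; under layout B a single compromised DMZ host already has the database port open to it.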
 
January 6th, 2010, 09:10 AM
Registered User (Join Date: Jan 2010, Posts: 2)

Phil -
Many thanks. I will run your comments by our network security engineers, especially the comment that, as you see it, most WLS customers prefer the layout in Figure 15-10.

Boston
