All web applications should consider security to be an absolute priority.
A vital part of security is the use of firewalls. A firewall is, in effect, a router: a dual-homed (or multi-homed) device that connects two (or more) networks. It accepts connection requests from addresses on one network interface and forwards them to addresses on another network interface. But whereas a standard router forwards all requests, a firewall is configured with rules that decide which requests are forwarded and which are rejected.
Using several layers of firewall, and placing different servers behind different firewalls, can make hacking a web site virtually impossible.
Web Cache can significantly enhance the security of a web site. A possible scenario is illustrated below.

The external firewall is configured to accept only one protocol on one port: HTTP, typically on port 80. It is further configured to route HTTP to only one port on one address, that of the Web Cache. Any other protocol, or any requests for any other addresses, will be rejected.
The Web Cache can be configured to forward requests only to the Apache web listeners, which sit behind a second firewall. This firewall is configured to accept requests from only one address and only one protocol: HTTPS from the Web Cache. It routes these requests only to the Apache web listeners in the next protected firewall zone, on the appropriate port.
The third firewall can be configured to accept requests only from the Apache listeners' addresses; furthermore, these requests must use the AJP protocol, to invoke Java processes in the OC4J instances in the next protected zone, on whatever ports they are monitoring.
Yet another firewall could transmit only Oracle Net requests to Oracle database servers, or LDAP requests to OID servers. Both the database and OID servers, which contain sensitive data rather than providing only processing capability, are thus protected by several layers of security.
The Web Cache is an integral part of the security structure and can indeed replace the first two firewalls. If the Web Cache is installed on a dual-homed device, it can be considered a router configured with rules that allow it to monitor only one or two protocols (HTTP or HTTPS) on one network interface, and to forward them only to a nominated list of addresses (the Apache web listeners) on the other network interface. The Apache web listeners will themselves be configured to reject all traffic that does not come from the Web Cache.
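The zone-by-zone policy above (external firewall to Web Cache, Web Cache to Apache, Apache to OC4J, OC4J to the database and OID servers) is easiest to reason about as a set of default-deny allow-lists, one per protected zone. The following is an added example, not code from the original post or from Oracle: it models each firewall as an ordered list of allow rules with an implicit final drop, evaluates constructed connection attempts against the firewall guarding the destination's zone, and renders each policy as nftables-style lines. All addresses, subnet ranges and port numbers are constructed assumptions; in particular the AJP port 8009 stands in for "whatever ports they are monitoring", and the protocol label is carried in the flow because a packet filter cannot itself tell HTTP from HTTPS on an arbitrary port.

```python
"""Model of the layered, default-deny firewall policy described above.

Added example, not part of the original post. Every address, zone range and
port number here is a constructed assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addressing: one subnet per protected zone (assumptions).
ANYWHERE = ip_network("0.0.0.0/0")
ZONE_WEBCACHE = ip_network("192.0.2.0/24")
ZONE_APACHE = ip_network("10.1.0.0/24")
ZONE_OC4J = ip_network("10.2.0.0/24")
ZONE_DATA = ip_network("10.3.0.0/24")

WEBCACHE = ip_address("192.0.2.10")
APACHE = (ip_address("10.1.0.11"), ip_address("10.1.0.12"))
OC4J = (ip_address("10.2.0.21"), ip_address("10.2.0.22"))
DATABASE = ip_address("10.3.0.31")
OID = ip_address("10.3.0.32")


@dataclass(frozen=True)
class Rule:
    """One allow rule: permitted sources, exact destinations, port and protocol label."""
    sources: tuple        # IPv4Network ranges or exact IPv4Address entries
    destinations: tuple   # exact IPv4Address entries only
    port: int
    proto: str            # application-layer label carried with the flow

    def matches(self, src, dst, port, proto):
        src_ok = any(src == s if isinstance(s, IPv4Address) else src in s
                     for s in self.sources)
        return (src_ok and dst in self.destinations
                and port == self.port and proto == self.proto)


@dataclass(frozen=True)
class Firewall:
    """A firewall guarding one zone: allow rules in order, then an implicit drop."""
    name: str
    zone: IPv4Network
    rules: tuple

    def permits(self, src, dst, port, proto):
        return any(r.matches(src, dst, port, proto) for r in self.rules)

    def render_nft(self):
        """Render the allow-list as nftables-style rule lines (illustrative only)."""
        lines = []
        for r in self.rules:
            saddr = ", ".join(str(s) for s in r.sources)
            daddr = ", ".join(str(d) for d in r.destinations)
            lines.append(f"ip saddr {{ {saddr} }} ip daddr {{ {daddr} }} "
                         f"tcp dport {r.port} accept")
        lines.append("drop")  # default deny closes every chain
        return lines


FIREWALLS = (
    # 1. External firewall: HTTP from anywhere, but only to the Web Cache.
    Firewall("external", ZONE_WEBCACHE, (Rule((ANYWHERE,), (WEBCACHE,), 80, "HTTP"),)),
    # 2. Only the Web Cache may reach the Apache listeners, and only over HTTPS.
    Firewall("second", ZONE_APACHE, (Rule((WEBCACHE,), APACHE, 443, "HTTPS"),)),
    # 3. Only the Apache listeners may reach OC4J, and only with AJP (port assumed).
    Firewall("third", ZONE_OC4J, (Rule(APACHE, OC4J, 8009, "AJP"),)),
    # 4. Only OC4J may reach the data tier: Oracle Net to the database, LDAP to OID.
    Firewall("data", ZONE_DATA, (Rule(OC4J, (DATABASE,), 1521, "ORACLE_NET"),
                                  Rule(OC4J, (OID,), 389, "LDAP"))),
)


def evaluate(src, dst, port, proto):
    """Return (allowed, reason) for one connection attempt.

    The firewall guarding the destination's zone decides; a destination that is
    in no protected zone is unreachable by construction.
    """
    src, dst = ip_address(src), ip_address(dst)
    for fw in FIREWALLS:
        if dst in fw.zone:
            ok = fw.permits(src, dst, port, proto)
            verdict = "accept" if ok else "drop"
            return ok, f"{fw.name}: {verdict} {proto} {src}->{dst}:{port}"
    return False, f"no zone routes to {dst}"


if __name__ == "__main__":
    # Constructed sample flows: the legitimate chain plus attempts to skip a tier.
    samples = [
        ("198.51.100.7", "192.0.2.10", 80, "HTTP"),        # client hits the cache
        ("198.51.100.7", "10.1.0.11", 443, "HTTPS"),       # client bypassing the cache
        ("192.0.2.10", "10.1.0.11", 443, "HTTPS"),         # cache to Apache
        ("192.0.2.10", "10.1.0.11", 80, "HTTP"),           # wrong protocol for zone 2
        ("192.0.2.10", "10.2.0.21", 8009, "AJP"),          # cache skipping Apache
        ("10.1.0.12", "10.2.0.21", 8009, "AJP"),           # Apache to OC4J
        ("10.2.0.22", "10.3.0.31", 1521, "ORACLE_NET"),    # OC4J to database
        ("198.51.100.7", "10.3.0.31", 1521, "ORACLE_NET"), # client straight at the DB
    ]
    for flow in samples:
        print(evaluate(*flow)[1])
    for fw in FIREWALLS:
        print(f"\n# {fw.name} zone {fw.zone}")
        print("\n".join(fw.render_nft()))
```

The point the model makes concrete is that each tier is reachable from exactly one predecessor: a request that skips a tier (client to Apache, Web Cache to OC4J, anything external to the data tier) is dropped by the firewall of the zone it is trying to enter, regardless of how the earlier firewalls were configured. When reviewing a real deployment, the same table of sample flows is a useful acceptance test to run against the actual rule sets.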