DMZs For Civilians
In the IT industry, a demilitarized zone is a single or multi-segment perimeter network that demarks the portion of the corporate network that lies between the intranet and outside networks. Corporate DMZ borders are enforced by firewalls and other dedicated networking devices.
DMZs for the E-Business Suite
AutoConfig supports the use of DMZs with the E-Business Suite Release 11i, and an increasing number of our customers have either already implemented them or are planning to do so. This is a common configuration:
In the IT industry, a demilitarized zone is a single or multi-segment perimeter network that demarks the portion of the corporate network that lies between the intranet and outside networks. Corporate DMZ borders are enforced by firewalls and other dedicated networking devices.
DMZs for the E-Business Suite
AutoConfig supports the use of DMZs with the E-Business Suite Release 11i, and an increasing number of our customers have either already implemented them or are planning to do so. This is a common configuration:
In the configuration above, there are two different E-Business Suite application servers, each with its own unique domain name and setup. External users access the E-Business Suite via the external "acme.company.com" address, and internal users access it via the "staff.acme.com" address.
Different Responsibilities for Internal and External Servers
It's possible (and recommended) to restrict the general set of Applications Responsibilities based on the application server that you're using.
For example, there should be no reason to allow external users to modify your company's Chart of Accounts, so that responsibility can't be used if the end-user is logging in from outside the corporate intranet.
Possible Weak Points
There are two possible weaknesses with the first configuration shown above:
Different Responsibilities for Internal and External Servers
It's possible (and recommended) to restrict the general set of Applications Responsibilities based on the application server that you're using.
For example, there should be no reason to allow external users to modify your company's Chart of Accounts, so that responsibility can't be used if the end-user is logging in from outside the corporate intranet.
Possible Weak Points
There are two possible weaknesses with the first configuration shown above:
- If your external firewall is compromised, your external application server is also compromised, exposing an attack on your E-Business Suite database.
- There's nothing to prevent your internal users from attacking your internal application server, also exposing an attack on your E-Business Suite database.
Reverse Proxies and DMZs
If you're concerned about your external firewall being hacked, one possible countermeasure is to use layered DMZs and put a reverse proxy in the first DMZ.
If you're concerned about your external firewall being hacked, one possible countermeasure is to use layered DMZs and put a reverse proxy in the first DMZ.
The reverse proxy has restricted capabilities and and the authority only to speak with the external application server. It's possible to use the following as reverse proxies with the E-Business Suite:
- Oracle Web Cache
- Oracle HTTP Server
- Other third-party reverse proxy servers, including Apache and Microsoft Proxy Server
An Inside Job
I'm a big fan of heist and con artist movies. According to Hollywood, you can't pull off a big job without someone on the inside.
It seems a lot of IT security analysts are fans, too, since they regularly publish surveys that suggest that the majority of security breaches are the result of employees with their hand in the till. If we're to learn anything from movies, it's this: trust nobody, not even your internal end-users.
That's why the second configuration above shows the E-Business Suite database server protected by its own firewall. Even if your internal application server is compromised by an industrious but disgruntled fellow employee, your database is still protected.
Scratching the Surface
There are a number of other interesting DMZ-related architectural options for the E-Business Suite. If you'd like to get more details, the following document is recommended reading:
I'm a big fan of heist and con artist movies. According to Hollywood, you can't pull off a big job without someone on the inside.
It seems a lot of IT security analysts are fans, too, since they regularly publish surveys that suggest that the majority of security breaches are the result of employees with their hand in the till. If we're to learn anything from movies, it's this: trust nobody, not even your internal end-users.
That's why the second configuration above shows the E-Business Suite database server protected by its own firewall. Even if your internal application server is compromised by an industrious but disgruntled fellow employee, your database is still protected.
Scratching the Surface
There are a number of other interesting DMZ-related architectural options for the E-Business Suite. If you'd like to get more details, the following document is recommended reading:
- Oracle E-Business Suite 11i Configuration in a DMZ (Metalink Note 287176.1)
- DMZs, SSL & RAC for OracleAS 10g + Release 11i