Firewalls and demilitarized zone configurations

Firewalls protect backend resources, such as databases in multiple machine systems. You can also use firewalls to protect Application Servers and Web servers from unauthorized outside access. A demilitarized zone (DMZ) configuration involves multiple firewalls that add layers of security between the Internet and critical data and business logic.

A wide variety of topologies are appropriate for a DMZ environment. Although WebSphere Application Server provides great flexibility in configuring DMZ topologies, the basic locations of elements in a simple DMZ topology follow:

Demilitarized zone

The main purpose of a DMZ configuration is to protect the business logic and data in the environment from unauthorized access. A typical DMZ configuration includes:

The area between the two firewalls gives the DMZ configuration its name. Additional firewalls can further safeguard access to databases holding administrative and application data.

Comparison of DMZ configurations

Requests for applications that WebSphere Application Server manages must travel from the Web server to the Application Servers, passing through one or more firewalls. You can implement DMZ configurations for a wide variety of multitiered systems, and WebSphere Application Server offers many configuration choices for accomplishing this goal. The following table summarizes the benefits of each DMZ configuration option supported by the product. Criteria for each topology are described after the table.

An X represents an advantage.

Benefit (X) or statistic                       | Remote HTTP                                    | Reverse proxy
-----------------------------------------------|------------------------------------------------|----------------------
Compatible with product security               | X                                              | X
Avoids data access from DMZ                    | X                                              | X
Supports Network Address Translation (NAT)     | X                                              | X
Avoids DMZ protocol switch                     |                                                | X
Allows encrypted link between Web server and   | X                                              | Depends on Web server
  Application Server                           |                                                |
Avoids single point of failure                 | X                                              |
Minimum firewall holes                         | One per Application Server, plus one if        | One
                                               | WebSphere Application Server security is used  |
                                               | on the Web server machine                      |


Some solutions are faster than others, in terms of the number of client requests they can process per unit of time. Some solutions require little or no maintenance after you establish them, while others require periodic administrative steps, such as stopping a server and starting it again after modifying resources that affect the configuration. To learn about the necessary maintenance for a topology, review the instructions for setting up and maintaining that topology. Of course, if you can automate the necessary administrative steps through command line clients and scripting, this might not concern you.
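To make the two table rows "Avoids data access from DMZ" and "Minimum firewall holes" concrete, the following added example (not from the original page or the product) models the two-firewall DMZ as a set of zone-to-zone rules and checks a proposed rule set against those two criteria. Host names, ports and the rule layout are constructed placeholders, not product defaults.

```python
from dataclasses import dataclass

# Zones of the simple DMZ topology: outer firewall between INTERNET and DMZ,
# inner firewall between DMZ and INTERNAL (constructed labels).
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # destination host behind the firewall (placeholder name)
    port: int       # destination port (placeholder value)

def inner_firewall_rules(rules):
    """Rules that open the inner firewall, i.e. allow DMZ -> internal traffic."""
    return [r for r in rules if r.src_zone == DMZ and r.dst_zone == INTERNAL]

def dmz_data_access(rules, data_hosts):
    """Inner-firewall rules that let a DMZ host reach a data host.
    An empty list means the topology 'Avoids data access from DMZ'."""
    return [r for r in inner_firewall_rules(rules) if r.dst_host in data_hosts]

def inner_firewall_holes(rules):
    """Number of distinct (host, port) openings through the inner firewall."""
    return len({(r.dst_host, r.port) for r in inner_firewall_rules(rules)})

# Constructed sample: Web server in the DMZ forwarding to two Application
# Servers, plus the extra opening the page says is needed when product
# security is used on the Web server machine (placeholder host and port).
REMOTE_HTTP = [
    Rule(INTERNET, DMZ, "webserver", 443),
    Rule(DMZ, INTERNAL, "appserver1", 9080),
    Rule(DMZ, INTERNAL, "appserver2", 9080),
    Rule(DMZ, INTERNAL, "security-endpoint", 9443),
]

# Constructed sample: reverse proxy in the DMZ with a single internal target.
REVERSE_PROXY = [
    Rule(INTERNET, DMZ, "proxy", 443),
    Rule(DMZ, INTERNAL, "webserver", 80),
]

# Constructed misconfiguration: a DMZ host is allowed straight to the database.
MISCONFIGURED = REMOTE_HTTP + [Rule(DMZ, INTERNAL, "database", 50000)]
DATA_HOSTS = {"database"}

if __name__ == "__main__":
    for name, rules in (("remote HTTP", REMOTE_HTTP), ("reverse proxy", REVERSE_PROXY),
                        ("misconfigured", MISCONFIGURED)):
        print(name, "inner-firewall holes:", inner_firewall_holes(rules),
              "DMZ data access:", dmz_data_access(rules, DATA_HOSTS))
```

The hole counts reproduce the table's "one per Application Server, plus one for security" versus "one" row, and the data-access check flags the rule a reviewer would want to catch before it reaches the inner firewall.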


Related concepts
Multimachine topology concepts
Related reference
Port number settings in WebSphere Application Server versions
Default coexistence settings for port numbers
Searchable topic ID:   cins_firewall
Last updated: Jun 21, 2007 8:07:48 PM CDT    WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/ctop_firewall.html