Chapter 3 - Firewall Application Server

Firewall Application Server


After the web server has been adequately secured by one of the setups described earlier, a firewall can be used between the web server and the application server for additional security. In this setup, firewalls C and D are added for this purpose. The new firewall policies allow JOLT requests to originate from the web servers only. Additionally, all outbound requests to the forward proxy server are limited to HTTP/HTTPS and can only originate from one of the application servers. No other outbound/inbound requests are allowed.


Physical Layout

The following diagram includes these elements:
  • Additional infrastructure to communicate to webservers 1 and 2 not shown in the diagram.
  • Redundant inside firewalls C and D that provide additional security by separating application servers 1 through 4 from webservers 1 and 2.
  • Load balancers 3 and 4 load-balance requests from application servers 1 through 4 to forward proxy servers 1 and 2 via inside firewalls C and D.
  • Application servers 1 through 4 communicate to database servers not shown in the diagram.
[Figure: physical-layout3 (physical layout diagram)]


Logical Layout

[Figure: logical-layout3 (logical layout diagram)]

Application Server Firewall Setup

Unit                Firewall C (Active)   Firewall D (Active)
IP Address 1        10.0.1.6              10.0.1.7
Subnet Mask 1       255.255.255.0         255.255.255.0
Shared Address 1    10.0.1.5              10.0.1.5
Default Route 1     10.0.1.11             10.0.1.11
IP Address 2        10.1.1.2              10.1.1.3
Subnet Mask 2       255.255.255.0         255.255.255.0
Shared Address 2    10.1.1.1              10.1.1.1
Default Route 2     None                  None


Access to Application Server from Web Server Only:

Protocol   Transport Protocol   Source IP    Source Port   Destination IP   Destination Port   Action
JOLT       TCP                  10.0.1.10    Any           10.1.1.100       *                  Allow
JOLT       TCP                  10.0.1.20    Any           10.1.1.100       *                  Allow
JOLT       TCP                  10.0.1.10    Any           10.1.1.110       *                  Allow
JOLT       TCP                  10.0.1.20    Any           10.1.1.110       *                  Allow
JOLT       TCP                  10.0.1.10    Any           10.1.1.120       *                  Allow
JOLT       TCP                  10.0.1.20    Any           10.1.1.120       *                  Allow
JOLT       TCP                  10.0.1.10    Any           10.1.1.130       *                  Allow
JOLT       TCP                  10.0.1.20    Any           10.1.1.130       *                  Allow
* This is a port range starting from the JOLT listener port number up to the total number of handlers. For example, if the JOLT listener is 9000 and there are 5 JOLT handlers, the port range to allow is 9000 – 9005. If a JOLT relay is used, then allow the JOLT relay port rather than the port range for each server.

Access to Outside from Application Messaging Service:

Protocol   Transport Protocol   Source IP    Source Port   Destination IP   Destination Port           Action
HTTP       TCP                  10.1.1.100   Any           10.0.1.50        Proxy HTTP Port (7080)     Allow
HTTPS      TCP                  10.1.1.100   Any           10.0.1.50        Proxy HTTPS Port (7443)    Allow
HTTP       TCP                  10.1.1.110   Any           10.0.1.50        Proxy HTTP Port (7080)     Allow
HTTPS      TCP                  10.1.1.110   Any           10.0.1.50        Proxy HTTPS Port (7443)    Allow
HTTP       TCP                  10.1.1.120   Any           10.0.1.50        Proxy HTTP Port (7080)     Allow
HTTPS      TCP                  10.1.1.120   Any           10.0.1.50        Proxy HTTPS Port (7443)    Allow
HTTP       TCP                  10.1.1.130   Any           10.0.1.50        Proxy HTTP Port (7080)     Allow
HTTPS      TCP                  10.1.1.130   Any           10.0.1.50        Proxy HTTPS Port (7443)    Allow
HTTP       TCP                  10.1.1.140   Any           10.0.1.50        Proxy HTTP Port (7080)     Allow
HTTPS      TCP                  10.1.1.140   Any           10.0.1.50        Proxy HTTPS Port (7443)    Allow
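The two rule tables above and the port-range footnote under the JOLT table, encoded as a policy that can be checked before it is deployed. This is an added example, not configuration from the original page: it models the allow rules of both tables with an implicit deny, derives the JOLT destination-port range the footnote describes (the listener port 9000 and the 5 handlers are the footnote's illustrative numbers, taken here as assumed configuration; the JOLT-relay variant is handled too), and renders equivalent iptables FORWARD rules. The iptables rendering, the conntrack rule for return traffic and all function names are this example's own assumptions, not anything the page specifies.

```python
"""Policy model for inside firewalls C and D (added example, not the page's config).

Host addresses and proxy ports are taken from the chapter's rule tables.
The JOLT listener port and handler count are the footnote's worked numbers,
used here as assumed configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address

WEB_SERVERS = ["10.0.1.10", "10.0.1.20"]
APP_SERVERS_JOLT = ["10.1.1.100", "10.1.1.110", "10.1.1.120", "10.1.1.130"]
APP_MSG_SERVERS = ["10.1.1.100", "10.1.1.110", "10.1.1.120",
                   "10.1.1.130", "10.1.1.140"]
FORWARD_PROXY = "10.0.1.50"
PROXY_HTTP_PORT = 7080
PROXY_HTTPS_PORT = 7443


def jolt_port_range(listener_port, handler_count, relay_port=None):
    """Destination-port range for JOLT per the footnote.

    The range runs from the listener port up to listener + number of
    handlers (9000 with 5 handlers -> 9000..9005).  When a JOLT relay is
    used, only the relay port is opened instead of the range.
    """
    if relay_port is not None:
        return (relay_port, relay_port)
    return (listener_port, listener_port + handler_count)


@dataclass(frozen=True)
class Rule:
    proto: str          # transport protocol, e.g. "tcp"
    src: str            # source IP (source port is "Any" in every table row)
    dst: str            # destination IP
    dport: tuple        # inclusive (low, high) destination-port range


def build_policy(jolt_listener=9000, jolt_handlers=5, jolt_relay_port=None):
    """Return the allow rules from both tables; anything else is denied."""
    rules = []
    jolt_ports = jolt_port_range(jolt_listener, jolt_handlers, jolt_relay_port)
    # Table 1: JOLT from the web servers only, to each application server.
    for app in APP_SERVERS_JOLT:
        for web in WEB_SERVERS:
            rules.append(Rule("tcp", web, app, jolt_ports))
    # Table 2: HTTP/HTTPS from the application messaging hosts to the proxy.
    for app in APP_MSG_SERVERS:
        rules.append(Rule("tcp", app, FORWARD_PROXY,
                          (PROXY_HTTP_PORT, PROXY_HTTP_PORT)))
        rules.append(Rule("tcp", app, FORWARD_PROXY,
                          (PROXY_HTTPS_PORT, PROXY_HTTPS_PORT)))
    return rules


def is_allowed(rules, proto, src, dst, dport):
    """First-match allow; no matching rule means the flow is dropped."""
    ip_address(src)   # raises ValueError on a malformed address
    ip_address(dst)
    for r in rules:
        if (r.proto == proto and r.src == src and r.dst == dst
                and r.dport[0] <= dport <= r.dport[1]):
            return True
    return False      # implicit deny: "no other outbound/inbound requests"


def to_iptables(rules):
    """Render the policy as iptables FORWARD rules (assumed deployment form)."""
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED "
             "-j ACCEPT"]   # return traffic for the allowed flows only
    for r in rules:
        lo, hi = r.dport
        port = f"{lo}" if lo == hi else f"{lo}:{hi}"
        lines.append(f"iptables -A FORWARD -p {r.proto} -s {r.src} -d {r.dst} "
                     f"--dport {port} -j ACCEPT")
    lines.append("iptables -P FORWARD DROP")   # default deny last
    return lines


if __name__ == "__main__":
    policy = build_policy()
    print("\n".join(to_iptables(policy)))
    # Spot checks of flows the tables do and do not permit.
    print(is_allowed(policy, "tcp", "10.0.1.10", "10.1.1.100", 9003))  # True
    print(is_allowed(policy, "tcp", "10.1.1.100", "10.0.1.10", 9000))  # False
```

A useful habit with a model like this is to keep a short list of flows that must be denied (application server to web server, proxy to application server, any UDP) alongside the ones that must be allowed, and run both sets every time the rule tables change.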




Latest page update: made by gregkelly, Feb 25 2009, 2:57 PM EST