Using a DMZ and Firewalls in a Web Deployment

Most secure Web deployments involve the use of a demilitarized zone (DMZ) for greater security. A DMZ is an isolated and protected network that is separate from the corporate network.

A DMZ-based Web architecture is the preferred structure for a Web deployment of WebLogic Server. Figure 13-3 shows the components of this architecture.

Figure 13-3. A DMZ Deployment of WebLogic Server


Client requests arrive from the Internet and are routed through firewall No. 1. This firewall is configured to support only HTTP connections originating from the Internet. WebLogic Server receives requests, processes them, and then responds directly. All of these components are connected via a standard LAN.

Best practice

A DMZ should be considered for every secure WebLogic Server installation.


A Web architecture with a DMZ is suitable for basic e-commerce deployments of WebLogic Server. A more complex architecture using WebLogic Server clustering, firewalls, and other features is required for deployments that need greater scalability and reliability. See “Hardware Specifics for Clustering,” later in this chapter.

Firewalls

A firewall helps guarantee Internet security. If you are not familiar with the mechanisms by which a firewall protects Internet resources, visit the Web sites of some of the leading vendors of firewall software and hardware, including Checkpoint, Axent, and Cisco.

Firewalls should be used to protect both the DMZ and your internal network. The DMZ is protected against non-HTTP traffic such as Telnet or other Internet protocols. Figure 13-4 shows how firewalls fit into the typical WebLogic Server security picture.

Figure 13-4. Firewalls Protecting a DMZ and Internal Network with WebLogic Server


Best practice

Firewalls should be as restrictive as possible. Be sure to disallow access for any protocol type or client type that is not required for your application. For example, firewalls can allow HTTP but disallow SMTP, FTP, and other Internet protocols.


Internet traffic crosses the DMZ firewall to access a WebLogic Server residing in the DMZ. The corporate network is protected by another firewall.
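The following is an added example, not part of the original text or of WebLogic Server: a first-match rule evaluator that audits a DMZ firewall rule set against the policy described above (HTTP in; Telnet, SMTP, and FTP out). The addresses, the rule format, and port 80 for HTTP are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the DMZ address and port 80 for HTTP are assumptions.
WEBLOGIC = "203.0.113.10"
SERVICES = {"HTTP": 80, "Telnet": 23, "SMTP": 25, "FTP": 21}

# Rule = (action, protocol, destination network, destination port or None for any)
PERMISSIVE = [
    ("allow", "tcp", "203.0.113.0/24", None),   # any TCP port into the DMZ
]
RESTRICTIVE = [
    ("allow", "tcp", "203.0.113.10/32", 80),    # HTTP to WebLogic Server only
    ("deny", "any", "0.0.0.0/0", None),         # explicit catch-all
]

def decide(rules, proto, dst, port):
    """First matching rule wins; a packet that matches nothing is denied."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if addr not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"

def exposed(rules, host=WEBLOGIC):
    """Names of the services on `host` that the rule set lets in from the Internet."""
    return sorted(n for n, p in SERVICES.items()
                  if decide(rules, "tcp", host, p) == "allow")

def audit(rules):
    """Services exposed beyond HTTP; an empty list means the rule set meets the policy."""
    return [n for n in exposed(rules) if n != "HTTP"]

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(name, "exposes", exposed(rules), "violations:", audit(rules))
```

The permissive rule set passes a functional test because HTTP works, yet the audit shows it also admits every other protocol the best practice says to disallow.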
