In the systems I've been involved with there are three tiers:

1) The Internal network (sometimes called the "stockade" or some other
military term representing a secure area).  This area is the most protected:
everything requires authentication and nothing can directly touch the
outside.  This area contains full corporate databases, employee records and
the like.

2) The middle area, or "Bastion", is semi-protected.  It contains things
like web application database servers, web application engines and so forth.

3) The open area, or "Demilitarized Zone (DMZ)" is accessible from the open
Internet and contains all the public facing machines: web servers,
presentation servers, etc.

Tiers can speak only in order: the Stockade and DMZ can speak only to the
Bastion and the Bastion to either.  Every tier is surrounded by firewalls
enforcing these rules.

Consider this: in your case you might place a database machine in the
Bastion that replicated just that information needed for the website.  You
could also have an application server in the Bastion request information
from a DB server in the stockade.

In any case your public customers only access the DMZ and CAN'T EVER access
the Bastion, much less the Stockade directly.

Jim Davis
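
An added example, not part of the original message: a small audit that checks proposed firewall rules against the tier ordering described above (Stockade and DMZ talk only to the Bastion, only the DMZ is reachable from the Internet). The CIDR ranges, host addresses, rule list and port 8500 are constructed for illustration; port 1433 is the SQL Server port mentioned in the thread.

```python
import ipaddress
from itertools import product

# Constructed zone map: these address ranges are assumptions, not from the thread.
ZONES = {
    "stockade": ipaddress.ip_network("10.10.0.0/16"),
    "bastion": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Connection directions the message permits. Traffic inside one tier does not
# cross a firewall and is not judged here.
ALLOWED = {
    ("internet", "dmz"),
    ("dmz", "bastion"), ("bastion", "dmz"),
    ("bastion", "stockade"), ("stockade", "bastion"),
}

def zones_covered(cidr):
    """Return every zone that a rule's source or destination range touches."""
    net = ipaddress.ip_network(cidr, strict=False)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")  # part of the range lies outside all three tiers
    return hit

def audit(rules):
    """Return (rule index, source zone, destination zone) for each forbidden flow."""
    findings = []
    for i, (src, dst, _port) in enumerate(rules):
        pairs = product(sorted(zones_covered(src)), sorted(zones_covered(dst)))
        for s, d in pairs:
            if s != d and (s, d) not in ALLOWED:
                findings.append((i, s, d))
    return findings

# Constructed sample ruleset: (source, destination, destination port).
RULES = [
    ("198.51.100.0/24", "192.0.2.10", 443),  # outside clients -> web server
    ("192.0.2.10", "10.20.0.5", 8500),       # web server -> app server
    ("10.20.0.5", "10.10.0.7", 1433),        # app server -> internal database
    ("192.0.2.10", "10.10.0.7", 1433),       # web server straight to Stockade
    ("0.0.0.0/0", "10.20.0.5", 1433),        # "any" source into the Bastion
]

if __name__ == "__main__":
    for i, s, d in audit(RULES):
        src, dst, port = RULES[i]
        print(f"rule {i}: {src} -> {dst}:{port} permits {s} -> {d}")
```

The last sample rule shows why an "any" source is checked by overlap: it is legitimate for the DMZ and Stockade but also admits Internet hosts into the Bastion.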

> -----Original Message-----
> From: Ian Skinner [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 08, 2003 5:43 PM
> To: CF-Talk
> Subject: RE: placing program logic away from web server?
> 
> With the ever increasing predictability, this topic came up here.  We are
> finally upgrading our external website.  One of the features, of course,
> will be an employment section listing currently available positions.
> 
> We already have an internal application that allows our HR department to
> list positions as they become available on our intranet.  Ideally, we would
> use this same data on the external site.  But they are very, Very, VERY
> protective of our LAN and Databases.  Something to do with us having lots
> of very personal medical information on these computers about lots of people.
> So they are very cautious about opening holes in our protective shielding.
> 
> Also, thanks to his over qualifications our IT/Network manager recently
> moved onto greener pastures and has not yet been replaced.
> 
> I would appreciate any good overview information understandable to myself, a
> simple ColdFusion developer, and other even less technically minded types on
> how one sets up these zones and the connections between them.  Their
> vulnerabilities, safety, concerns, etc.
> 
> Thank You
> 
> --------------
> Ian Skinner
> Web Programmer
> BloodSource
> Sacramento, CA
> 
> 
> -----Original Message-----
> From: William Bowen [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 08, 2003 12:34 PM
> To: CF-Talk
> Subject: Re: placing program logic away from web server?
> 
> 
> > I don't know about SQL Server but Oracle uses 1521.
> 
> 1433 for SQL Server, but I was actually referring to which port the Web
> Server to App Server connection through the firewall would be (I've already
> got the Web/App Server connected to the SQL Server through the firewall part
> working).
> 
> will
> 
> 
> ----- Original Message -----
> From: "Sean A Corfield" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Monday, July 07, 2003 10:42 PM
> Subject: Re: placing program logic away from web server?
> 
> 
> > On Monday, Jul 7, 2003, at 13:35 US/Pacific, William Bowen wrote:
> > > well, since it is the CFMX server that calls the SQL server in a standard
> > > setup situation, I would assume that it would still be able to talk to the
> > > SQL Server in this configuration too, no?
> >
> > Correct.
> >
> > > I also have some questions regarding this scenario: What port would one use?
> >
> > I don't know about SQL Server but Oracle uses 1521.
> >
> > > 1st web server group in Internet DMZ has application/web server installed
> > > and calls SQL Server group through firewall.
> > > 2nd web server group in local DMZ (our campus only, essentially) has
> > > web/application server installed, calls same SQL Server group as above for
> > > data.
> > > 3rd web server group in third DMZ (company wide (and international) but not
> > > accessible from Internet) same setup as above.
> > >
> > > My question: Can web server groups in three different DMZs call same
> > > application server group (in 4th DMZ) which then calls SQL Server group?
> >
> > Yes. Example: we have a load-balanced set of web servers in one 'zone'
> > connecting to a load-balanced set of app servers in a second 'zone'
> > connecting to Oracle DB servers in a third 'zone'. We also - for
> > testing purposes - have various web servers in various internal zones -
> > connecting to those app servers and we also have various DB tools
> > (again in different zones) connecting to those DB servers.
> >
> > Sean A Corfield -- http://www.corfield.org/blog/
> >
> > "If you're not annoying somebody, you're not really alive."
> > -- Margaret Atwood
> >
> >
> 
> 