Kevin,

it is a common practice to place pages on Web servers which users from the
'outside of the company world' can hit into a demilitarised zone (DMZ),
which is a separate exposed fragment of the network. This is a rather
semi-secure layer which is left open for hackers to snoop into; I think it's
called 'victim host' or something similar. I believe a good description of
what a DMZ is and why it is used can be found on www.whatis.com.
The practice for securing data in such a situation is to immediately encrypt
gathered form data prior to sending it to the application which resides
behind the firewall. Such an application would protect front-end forms with
HTTPS, protect data by submitting only encrypted data till it reaches the
end-point inside the firewall, and protect all the passwords and database
communications so that they are stored only inside the firewall, thus relying
on robust firewall protection.

I presume if your main server is not in such a DMZ but behind the firewall,
these complications are probably irrelevant, as firewall protection is as
good as it gets in security. But a large scale commercial application might
require a DMZ to function efficiently. Having architected a large-scale
security project in the recent past and being forced by the Risk Management
Group into similar security demands, I just anticipate problems with this
group if I just implement Model 2 as described.

Vadim Shun.
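The pattern Vadim describes, a DMZ front end that only ever forwards encrypted form data to the application behind the inner firewall, is shown below as an added example; it is not code from the original thread or from either poster. It assumes the inner application publishes an RSA public key to the DMZ host and keeps the private key inside the firewall, and it uses hybrid encryption (a fresh AES-GCM key per submission, wrapped with RSA-OAEP); the field names and the `form-v1`/`form-key` labels are made up for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// SealedForm is the only thing the DMZ host forwards inward. The form fields
// are AES-GCM encrypted; the AES key is wrapped with the inner tier's RSA
// public key, so a compromised DMZ host holds nothing that decrypts stored
// submissions. (Constructed format for this example.)
type SealedForm struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// SealForm runs on the DMZ host. It needs only the inner tier's public key.
func SealForm(form url.Values, innerPub *rsa.PublicKey) (*SealedForm, error) {
	plain, err := json.Marshal(form)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // AES-256 key, fresh for every submission
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The associated data binds the ciphertext to a payload version.
	ct := gcm.Seal(nil, nonce, plain, []byte("form-v1"))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, innerPub, key, []byte("form-key"))
	if err != nil {
		return nil, err
	}
	return &SealedForm{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenForm runs on the inner tier, which alone holds the private key.
// Any tampering in transit makes the GCM tag check fail and the form is rejected.
func OpenForm(sf *SealedForm, innerPriv *rsa.PrivateKey) (url.Values, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, innerPriv, sf.WrappedKey, []byte("form-key"))
	if err != nil {
		return nil, errors.New("form payload rejected: key unwrap failed")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, sf.Nonce, sf.Ciphertext, []byte("form-v1"))
	if err != nil {
		return nil, errors.New("form payload rejected: authentication failed")
	}
	var form url.Values
	if err := json.Unmarshal(plain, &form); err != nil {
		return nil, err
	}
	return form, nil
}

func main() {
	// Constructed demo: the inner tier generates its key pair; the DMZ gets the public half.
	innerPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	form := url.Values{"user": {"alice"}, "card": {"4111-test-0000"}}
	sealed, _ := SealForm(form, &innerPriv.PublicKey)
	opened, err := OpenForm(sealed, innerPriv)
	fmt.Println(opened, err)
	sealed.Ciphertext[0] ^= 0x01 // simulate corruption between the tiers
	_, err = OpenForm(sealed, innerPriv)
	fmt.Println("tampered:", err)
}
```

The DMZ host still needs HTTPS toward the browser, as Vadim notes, because the data arrives at the DMZ in clear; what this adds is that from the DMZ inward only ciphertext moves and only the inner tier can read it, so the blast radius of a DMZ compromise is limited to submissions captured live rather than anything stored.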

-----Original Message-----
From: Kevin Duffey [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 03, 2000 12:59 PM
To: Shun, Vadim; [EMAIL PROTECTED]
Subject: RE: Model 2 and security


Hi,

I'm sorry, but I think I am missing something. You keep saying the
servlet/JSP stuff doesn't reside behind the firewall? I am not sure if you
are saying this, but your step 1 says the controller servlet forwards (maybe
via XML) some stuff to the RemoteControllerServlet which is inside the
firewall.

My confusion lies in the fact that all of our stuff is done behind a
firewall. Unless you mean a firewall in the sense that it's not open to HTTP,
FTP, etc. We block everything but HTTP and FTP, and at that our FTP server I
assume is semi-safe, and HTTP is to our web server. I don't know how safe it
is yet; I would love to know if anyone knows of someone who is for hire to
"test" the security, see if they can download stuff like our database, etc.,
so that we can beef it up.

Is there anyone out there like this?

So... is the firewall you're talking about a "second" firewall that sits inside
the site's first firewall?

Please clarify to me exactly what you mean by your use of firewall.

Thanks.

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
