Firewall Deployment for Multi-Tier Applications
This article examines considerations for deploying firewalls as part of a network perimeter around Internet-facing servers. The discussion focuses on situations that may warrant strict separation of network resources into dedicated subnets, and it explains how to enforce access restrictions using firewalls in a way that matches the company's business and technical requirements. The article introduces several network architectures that use a single firewall as well as firewalls deployed one behind another in series, and addresses the strengths and weaknesses of each approach.
Partitioned network architectures can be used to protect multitier applications accessible over the Web. Following the trend of designing applications in an expandable and scalable manner, these applications are often created by using modules that run on different servers and that typically form three distinct groups: presentation, middleware, and data tiers. Let's begin by examining how the architecture of such applications may influence the design the network's security perimeter.
By segmenting a Web-based application into several logical tiers, software architects isolate core functional areas into groupings that can be designed, developed, and maintained somewhat independently of each other. The following tiers are present in some way in most Web-facing applications of moderate complexity:
Presentation components are usually adjacent to the Internet and are the only modules directly accessed by end users. Such publicly accessible services are often implemented using Web, DNS, and mail servers. Software running on these servers, operating as part of a unified system, presents the application to users and handles interactions between users and back-end components. Programmable logic of the application at this tier is implemented using mechanisms such as CGI scripts, servlets, JavaServer Pages (JSPs), and Active Server Pages (ASPs) that are used to generate the application's user interface. In addition to interacting with human users, presentation systems may communicate with other hosts across the Web, frequently through the use of protocols such as SOAP, ebXML, and WSDL.
Middleware components execute business logic of the application in response to requests issued by presentation servers on the user's behalf; they are not directly accessed by end users. Such middleware components are usually implemented using application servers such as BEA WebLogic, IBM WebSphere, and iPlanet Application Server, as well as via custom daemon-style programs. Application servers provide an environment within which middleware components can operate. They are based on frameworks such as Enterprise Java Beans (EJBs), CORBA, and .NET. Other servers at the middleware tier provide auxiliary services that collaborate with the application server and may host application-level authentication and authorization mechanisms such as those implemented by Netegrity SiteMinder and Entrust GetAccess.
Data components are typically hosted by database and directory servers that run software such as Oracle Database and iPlanet Directory Server. They may also be implemented using custom programs and flat files. These are typically the most confidential resources of the application because they maintain sensitive data such as customer records, account information, and monetary transaction statements.
This article discusses applications that define three distinct tiers, but these concepts are expandable to four and more tiers as well. The logical view of a Web-based multitier application is presented in Figure 1. Sample workflow of an application built according to this architecture can be described as follows:
An Internet user issues a request via a Web browser to the Web server.
The Web server preprocesses the request and relays it to the application server.
The application server obtains necessary information from the database, processes the request, and responds to the Web server. The Web server, in turn, formats and displays the response to the user.
Figure 1 Multitier application architecture.
Multitier architecture of the application allows you to design the network in a way that mirrors the grouping of the application's components so that you can segment resources based on their exposure sensitivity and the likelihood that they can be compromised. Let's proceed by examining how to host a multitier application on one subnet behind a single firewall.