Java Reference
In-Depth Information
Host
Firewall
Web and app
servers
DMZ
Firewall
Routers,
bridges,
etc.
Public Internet
DNS
Mail
News
Internet service
provider
ISP
“Last mile”
Modem
Home
Figure 2.2 The Internet can have many layers between clients and their ultimate destination.
The enterprise layers are typically broken into two zones, separated by firewalls, called the DMZ.
The web server, and sometimes the web application server, resides in the DMZ.
2.2.2
Enterprise layers add security and overhead
Most enterprises use firewalls and proxies to shield them from basic security
problems. A
firewall
is simply a machine placed between the Internet and the
HTTP
servers of a corporation so that hackers cannot attack directly. Most
modern architectures call for two firewalls, placed on either side of the web
servers, to create an area called the
DMZ
(
demilitarized zone
). The
DMZ
defines an area between the internal intranet and the external Internet. The
Internet includes both benevolent customers and malevolent hackers. The
DMZ
provides a necessary compromise: access is open enough for meaningful
communication and security is tight enough to protect assets. Each firewall
enables different protocols, so hackers must coordinate two different types of
attacks to reach the systems on the private intranet. The systems in the
DMZ
are more vulnerable to attack but are perfectly situated to provide access to
corporate resources from the public Internet so that effective commerce can
take place.
