Bookshelf v8.1/8.2: Network Zones and Firewalls

Siebel Security Hardening Guide > Securing the Network and Infrastructure > About Securing the Network Infrastructure

Network Zones and Firewalls

A firewall separates a company’s external Siebel Web Clients (those accessing applications over the Internet) from its internal network and controls network traffic between the two domains. A firewall defines a focal point to keep unauthorized users out of a protected network, prohibits vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.

To secure a network, divide the network into zones of control by considering factors such as the type of information contained in the zone and who needs access to that zone. Then place firewalls between the zones and implement access controls between them. As illustrated in Figure 2, an enterprise network for Siebel Business Applications typically comprises the following zones of control:

  • Internet zone. This zone is insecure and not trusted. External Siebel Web Clients reside in this zone.
  • Demilitarized zone. Publicly accessible servers are placed in this zone. Servers placed in this zone are called bastion hosts. Siebel Web servers and Web server load balancers reside in this zone. Clients outside the firewall access the Web server and the Siebel Server through a secure connection. This zone is where the external network first interacts with the Siebel environment.
  • Intranet zone. This zone consists of internal networks.

    Components that reside inside this zone include Siebel Servers, the Siebel Gateway Name Server, a third-party HTTP load balancer (if deployed) for Siebel Servers, and the authentication server (Lightweight Directory Access Protocol or Active Directory Service Interfaces directory server). In a deployment of Siebel employee applications, internal Web clients can also reside in this zone.

  • Internal highly secure zone. Business critical information and services are placed in this zone. The Siebel database and Siebel File System reside in this zone. Restrict access to this zone to system administrators and database administrators.

Figure 2 shows the recommended placement of firewalls in a Siebel Business Applications environment, that is, between the Internet and demilitarized zones, and between the demilitarized and intranet zones. For optimum performance, do not install a firewall between the intranet zone and the internal highly secure zone.

Figure 2. Recommended Firewall Deployment in a Siebel Business Applications Environment
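The zone model above can be turned into a simple audit of a firewall policy: every inbound flow should cross one zone at a time (Internet to DMZ, DMZ to intranet, intranet to the highly secure zone), and a rule that lets a flow skip a zone bypasses one of the recommended firewalls. The following is an added example, not Oracle's code; the zone and component names come from the text, while the rule format and the sample rules are constructed assumptions.

```python
from dataclasses import dataclass

INTERNET, DMZ, INTRANET, SECURE = "internet", "dmz", "intranet", "secure"

# Component placement as described in the zone list above.
PLACEMENT = {
    "external_web_client": INTERNET,
    "web_server": DMZ,
    "web_load_balancer": DMZ,
    "siebel_server": INTRANET,
    "gateway_name_server": INTRANET,
    "ldap_server": INTRANET,
    "siebel_database": SECURE,
    "siebel_file_system": SECURE,
}

# Zones ordered from least to most trusted. Firewalls sit between adjacent
# zones except between intranet and the highly secure zone (Figure 2).
TRUST_ORDER = [INTERNET, DMZ, INTRANET, SECURE]
FIREWALLED = {(INTERNET, DMZ), (DMZ, INTRANET)}


@dataclass(frozen=True)
class Rule:
    src: str     # component name (key of PLACEMENT)
    dst: str     # component name (key of PLACEMENT)
    action: str  # "allow" or "deny"


def crossed_firewalls(rule):
    """Return the recommended firewall boundaries a flow for this rule crosses."""
    lo, hi = sorted((TRUST_ORDER.index(PLACEMENT[rule.src]),
                     TRUST_ORDER.index(PLACEMENT[rule.dst])))
    pairs = [(TRUST_ORDER[i], TRUST_ORDER[i + 1]) for i in range(lo, hi)]
    return [p for p in pairs if p in FIREWALLED]


def rule_violations(rules):
    """Return (rule, reason) for allow rules whose inbound flow skips a zone."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = PLACEMENT[r.src], PLACEMENT[r.dst]
        si, di = TRUST_ORDER.index(s), TRUST_ORDER.index(d)
        if di - si > 1:  # inbound flow that jumps over an intermediate zone
            violations.append((r, f"{s} -> {d} skips the {TRUST_ORDER[si + 1]} zone"))
    return violations


# Constructed sample policy: two rules bypass the DMZ or intranet zone.
SAMPLE_RULES = [
    Rule("external_web_client", "web_server", "allow"),
    Rule("web_server", "siebel_server", "allow"),
    Rule("siebel_server", "siebel_database", "allow"),
    Rule("external_web_client", "siebel_server", "allow"),   # bypasses DMZ
    Rule("web_server", "siebel_database", "allow"),          # bypasses intranet
    Rule("external_web_client", "siebel_database", "deny"),
]
```

Running `rule_violations(SAMPLE_RULES)` flags the two bypass rules; `crossed_firewalls` shows that the intranet-to-database flow crosses no firewall, matching the recommendation in Figure 2.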

For additional information on the recommended placement of firewalls, see Recommended Network Topologies. For information on assigning ports when setting up firewalls, see Guidelines for Assigning Ports on Firewalls.