Using a Three-Firewall Configuration

This configuration is like the two-firewall configuration, with the addition of a firewall that separates the internal network from the database servers and Commerce Server Business Desk computers. For a figure showing a three-firewall configuration, see Large Site Configuration.

Advantages of the three-firewall solution include the following:

  • The Web site (Web servers, database servers, and Business Desk server) is separated physically from the other networks, providing maximum protection from intruders.

  • It is easier to prevent an Internet browser from impersonating an authorized user. For example, a Web server can be configured to fulfill database server requests only from one specific IP address. Because both connections are controlled by a firewall, these addresses cannot be used improperly.

  • A layer of protection is implemented to protect the database servers from vulnerabilities that are not dependent upon the relationship between the Web servers and database servers. Such vulnerabilities can result in denial-of-service attacks.

  • Using three firewalls minimizes the number of computers that are directly accessible from the Internet, which makes it more difficult to disrupt or abuse the database servers and the Business Desk server.

  • The database and Business Desk servers are protected from intruders residing in the internal network.
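The single-address restriction in the list above can be checked against a firewall rule set. The following Python code is an added example, not part of the Commerce Server documentation; the addresses, the port number, and the rule format are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values for illustration only; none come from the documentation.
WEB_SERVER = "192.0.2.10"   # assumed address of the one authorized Web server
DB_SERVER = "10.20.0.5"     # assumed address of a database server
DB_PORT = 1433              # assumed database listener port

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network, CIDR notation
    dst: str                # destination network, CIDR notation
    port: Optional[int]     # destination TCP port; None matches any port

def decide(rules, src_ip, dst_ip, port):
    """Evaluate rules top-down (first match wins); unmatched traffic is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def audit_db_rules(rules, web_ip=WEB_SERVER, db_ip=DB_SERVER, db_port=DB_PORT):
    """Flag allow rules that open the database port to any source other than
    the single Web server address. Rule order is ignored, so a rule shadowed
    by an earlier deny is still reported for review."""
    only_web = ipaddress.ip_network(web_ip)      # a /32 network
    db = ipaddress.ip_address(db_ip)
    return [r for r in rules
            if r.action == "allow" and r.port in (None, db_port)
            and db in ipaddress.ip_network(r.dst)
            and ipaddress.ip_network(r.src) != only_web]

# Rule set for the firewall in front of the database servers, as intended.
STRICT = [Rule("allow", "192.0.2.10/32", "10.20.0.5/32", 1433),
          Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None)]
# Drifted rule set: whole Web subnet and the internal network can reach the DB.
LOOSE = [Rule("allow", "192.0.2.0/24", "10.20.0.5/32", 1433),
         Rule("allow", "10.0.0.0/8", "10.20.0.0/24", None),
         Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None)]

if __name__ == "__main__":
    print(decide(STRICT, "192.0.2.11", DB_SERVER, DB_PORT))
    for finding in audit_db_rules(LOOSE):
        print("too broad:", finding)
```

Running the audit whenever the rule set changes catches the drift that makes three differently configured firewalls costly to maintain.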

Disadvantages of the three-firewall solution include the following:

  • It is more difficult and costly to maintain three firewalls with different configurations.

  • Communication between Web servers and database servers is unprotected within the ISP network. Additional security is needed to protect this communication.

  • Any traffic that is allowed between the internal network and the Internet is also allowed between the ISP network and the Internet, and between the database server and the Internet. The security ramifications are determined by which protocols are allowed by the default security policy of the user.

  • This is a more difficult configuration to set up and manage.

See Also

Deploying Your Site

Migrating from Site Server 3.0

Migrating the Membership Directory

