In-Depth: Demilitarized Zones and the E-Business Suite

If you've been wondering how to support end-users who'd like to connect to your E-Business Suite environment from outside of your corporate firewall, a combination of a demilitarized zone and a reverse proxy might be an alternative to traditional VPN-based solutions. 

The E-Business Suite is Not A War Zone

The term demilitarized zone (DMZ) is said to have been coined following the Korean War armistice.  After the cessation of overt military engagements, a 4 km buffer zone was established between North and South Korea, each side of the border bristling with armaments and troops watching the other warily.

Although major upgrades can sometimes feel like a battle, Apps sysadmins thankfully don't have to worry about armed attacks.  Military security concepts are still useful, though:  Oracle's Chief Security Officer, Mary Ann Davidson, is a former military officer and frequently draws lessons from military history for IT security.

DMZs For Civilians

In the IT industry, a demilitarized zone is a single or multi-segment perimeter network that demarks the portion of the corporate network that lies between the intranet and outside networks.  Corporate DMZ borders are enforced by firewalls and other dedicated networking devices. 

[Figure: Generic DMZ concept]

DMZs for the E-Business Suite

AutoConfig supports the use of DMZs with the E-Business Suite Release 11i, and an increasing number of our customers have either already implemented them or are planning to do so.  This is a common configuration:

[Figure: DMZ with internal and external application servers]

In the configuration above, there are two different E-Business Suite application servers, each with its own unique domain name and setup.  External users access the E-Business Suite via the external "acme.company.com" address, and internal users access it via the "staff.acme.com" address.

Different Responsibilities for Internal and External Servers

It's possible (and recommended) to restrict the general set of Applications Responsibilities based on the application server that you're using. 

For example, there should be no reason to allow external users to modify your company's Chart of Accounts, so that responsibility can't be used if the end-user is logging in from outside the corporate intranet.

Possible Weak Points

There are two possible weaknesses with the first configuration shown above:
  1. If your external firewall is compromised, your external application server is also compromised, exposing your E-Business Suite database to attack.
  2. There's nothing to prevent your internal users from attacking your internal application server, which likewise exposes your E-Business Suite database to attack.

Reverse Proxies and DMZs

If you're concerned about your external firewall being hacked, one possible countermeasure is to use layered DMZs and put a reverse proxy in the first DMZ. 

[Figure: Layered DMZs with a reverse proxy in the first DMZ]

The reverse proxy has restricted capabilities and the authority only to speak with the external application server.  It's possible to use the following as reverse proxies with the E-Business Suite:
  • Oracle Web Cache
  • Oracle HTTP Server
  • Other third-party reverse proxy servers, including Apache and Microsoft Proxy Server
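
The restriction described above, a proxy that may speak only to the external application tier and to nothing else, can be stated precisely in code. The following is an added example, not code from the original post or from Oracle: a deliberately small Python reverse proxy whose upstream address, ports and allowed URL paths are assumptions. It refuses CONNECT tunnelling and absolute-form request targets (the two request forms an open forward proxy would honour), applies a default-deny path allowlist in the spirit of the EBS URL firewall, rewrites the Host header to the one fixed upstream, strips hop-by-hop headers, and fails closed with a 502 when the upstream is unreachable. Production deployments use Oracle HTTP Server or Web Cache as listed above; the example shows which checks that configuration has to enforce.

```python
"""Restricted reverse proxy for the first DMZ tier (added example, not Oracle's code).
It knows one upstream, the external application tier, and forwards nothing else: no
CONNECT tunnels, no absolute-form targets ("GET http://other-host/...") and only
allowlisted paths. Hostnames, ports and the allowed paths are assumptions."""
import http.client
import http.server
import re
import socketserver
import threading

# Default-deny URL allowlist in the spirit of a URL firewall (patterns assumed for the demo).
ALLOWED_PATHS = [re.compile(p) for p in (r"^/OA_HTML/[\w./-]*$", r"^/OA_MEDIA/[\w./-]*$")]
# Hop-by-hop and server-generated headers that must not be copied across connections.
DROP_HEADERS = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization", "te",
                "trailers", "transfer-encoding", "upgrade", "date", "server", "content-length"}

def path_allowed(path):
    """Accept only origin-form paths on the allowlist; refuse absolute URIs and traversal."""
    if not path.startswith("/") or "/../" in path or path.endswith("/.."):
        return False
    return any(p.match(path.split("?", 1)[0]) for p in ALLOWED_PATHS)

def make_proxy_handler(upstream_host, upstream_port):
    """Build a handler bound to the single upstream this proxy is authorised to reach."""
    class RestrictedProxy(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass
        def do_CONNECT(self):  # a reverse proxy never tunnels to arbitrary hosts
            self.send_error(405)
        def _forward(self):
            if not path_allowed(self.path):
                self.send_error(403)
                return
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length) if length else None
            headers = {k: v for k, v in self.headers.items() if k.lower() not in DROP_HEADERS}
            headers["Host"] = f"{upstream_host}:{upstream_port}"  # always the fixed upstream
            headers["X-Forwarded-For"] = self.client_address[0]
            conn = http.client.HTTPConnection(upstream_host, upstream_port, timeout=5)
            try:
                conn.request(self.command, self.path, body=body, headers=headers)
                resp = conn.getresponse()
                data = resp.read()
            except OSError:  # upstream unreachable: fail closed, reveal nothing else
                self.send_error(502)
                return
            finally:
                conn.close()
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() not in DROP_HEADERS:
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        do_GET = do_POST = _forward
    return RestrictedProxy

class DemoUpstream(http.server.BaseHTTPRequestHandler):
    """Stand-in for the external application tier (constructed for the demo)."""
    def log_message(self, *args):
        pass
    def do_GET(self):
        body = f"upstream saw {self.path} for {self.headers.get('X-Forwarded-For')}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_server(handler):
    # Serve on an ephemeral loopback port from a daemon thread.
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, target, method="GET"):
    """One request through the proxy; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, target)
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode(errors="replace"))
    conn.close()
    return result

def demo():
    """Run proxy and upstream locally and exercise the policy; returns what each request got."""
    upstream = start_server(DemoUpstream)
    proxy = start_server(make_proxy_handler("127.0.0.1", upstream.server_address[1]))
    port = proxy.server_address[1]
    results = {
        "allowed": fetch(port, "/OA_HTML/AppsLogin"),
        "denied_path": fetch(port, "/forms/frmservlet"),
        "absolute_uri": fetch(port, "http://intranet.example/secret"),
        "tunnel": fetch(port, "intranet.example:443", "CONNECT"),
    }
    proxy.shutdown()
    upstream.shutdown()
    return results
```

Calling demo() brings up the stand-in upstream and the proxy on loopback ports and returns a (status, body) pair per request: the allowlisted path reaches the upstream carrying an X-Forwarded-For header, while the other three requests are refused before any upstream connection is opened.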

An Inside Job

I'm a big fan of heist and con artist movies.  According to Hollywood, you can't pull off a big job without someone on the inside. 

It seems a lot of IT security analysts are fans, too, since they regularly publish surveys that suggest that the majority of security breaches are the result of employees with their hand in the till.  If we're to learn anything from movies, it's this:  trust nobody, not even your internal end-users.

That's why the second configuration above shows the E-Business Suite database server protected by its own firewall.  Even if your internal application server is compromised by an industrious but disgruntled fellow employee, your database is still protected.

Scratching the Surface

There are a number of other interesting DMZ-related architectural options for the E-Business Suite.  If you'd like to get more details, the following document is recommended reading:

Comments:

Steve, how to monitor for hacks/attacks in a DMZ setup? Is monitoring Apache logs the place to start? Can you suggest any tools/open source tools with which we can scan the logs and alert in real time? We have a DMZ setup without the reverse proxy configuration ... Appreciate any inputs.

-TIA, Sam

Posted by sam on May 17, 2006 at 10:09 PM PDT #

Sam,

Monitoring your Apache logs is always a good start, but this is a branch of the network security industry that has a tremendous number of tools and products available.  I'm not familiar enough with the tools firsthand to recommend something specific, unfortunately.

If you Google this area, you'll find references to intrusion detection, intrusion countermeasure enhancements (ICE) and lately, intrusion prevention.  Most major networking hardware providers such as Cisco and Juniper have extensive tools for monitoring firewall attacks.

It would be worthwhile your having a discussion with your corporate networking team; they may already have something in place today that you can use.

I asked a few of our security architects about Oracle tools, but it appears that we don't have any at present.  I did manage to find an interesting whitepaper on data mining for intrusion detection here:

http://www.oracle.com/technology/products/bi/odm/pdf/odm_based_intrusion_detection_paper_1205.pdf

Regards,
Steven

Posted by Steven Chan on May 18, 2006 at 03:48 AM PDT #
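
Sam's question and Steven's reply above concern what to watch for in the Apache logs of a DMZ web tier. As an added example that is not part of the original thread and not an Oracle tool, the Python script below parses Apache combined-format access log lines and applies two checks a DMZ administrator would want: clients that accumulate repeated 403 responses (what a default-deny URL firewall produces when something probes the external tier) and successful responses for paths outside the expected allowlist, which point to a gap in that policy. The log lines, the allowlist and the threshold of five 403s are all constructed for the demo.

```python
"""Scan Apache combined-format access logs from a DMZ web tier (added example).

Two defender-side checks: (1) clients that accumulate many 403s, which is what a
default-deny URL firewall or a probing client produces, and (2) any successful
response for a path outside the expected allowlist, i.e. a policy gap. The log
lines and the allowlist below are constructed for the demo, not taken from any system.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# Paths the external tier is expected to serve (assumption for the demo).
ALLOWED_PATHS = [re.compile(p) for p in (r"^/OA_HTML/", r"^/OA_MEDIA/")]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def scan(lines, forbidden_threshold=5):
    """Aggregate per-client 403 counts and flag successes outside the allowlist."""
    forbidden = Counter()
    gaps, malformed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1  # truncated or foreign lines are counted, never silently dropped
            continue
        if rec["status"] == 403:
            forbidden[rec["ip"]] += 1
        elif 200 <= rec["status"] < 300 and not any(p.match(rec["path"]) for p in ALLOWED_PATHS):
            gaps.append((rec["ip"], rec["method"], rec["path"]))
    return {
        "probing_clients": sorted(ip for ip, n in forbidden.items() if n >= forbidden_threshold),
        "forbidden_counts": dict(forbidden),
        "policy_gaps": gaps,
        "malformed": malformed,
    }


# Constructed sample: one client repeatedly refused by the URL firewall, one normal user,
# one success outside the allowlist, and one truncated line.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2006:22:09:01 -0700] "GET /internal/console HTTP/1.1" 403 214 "-" "curl/7.15"
203.0.113.7 - - [17/May/2006:22:09:02 -0700] "GET /admin/login HTTP/1.1" 403 214 "-" "curl/7.15"
203.0.113.7 - - [17/May/2006:22:09:03 -0700] "GET /OA_HTML/StaffOnlyPG HTTP/1.1" 403 214 "-" "curl/7.15"
203.0.113.7 - - [17/May/2006:22:09:04 -0700] "GET /cgi-bin/probe HTTP/1.1" 403 214 "-" "curl/7.15"
203.0.113.7 - - [17/May/2006:22:09:05 -0700] "GET /status HTTP/1.1" 403 214 "-" "curl/7.15"
198.51.100.9 - - [17/May/2006:22:10:11 -0700] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [17/May/2006:22:10:12 -0700] "POST /OA_HTML/OA.jsp?page=/example/webui/HomePG HTTP/1.1" 200 8442 "-" "Mozilla/5.0"
198.51.100.9 - - [17/May/2006:22:10:30 -0700] "GET /internal/report.pdf HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
198.51.100.9 - - [17/May/2006:22:10:4
"""


def report(text=SAMPLE_LOG, threshold=5):
    """Run the scan over a log text and return the findings."""
    return scan(text.splitlines(), threshold)
```

report() runs the scan over the embedded sample; pointing it at a real access_log with open(path).read() is the only change needed, and the threshold should be tuned to the site's normal rate of refusals before it drives alerts.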

Steve, thanks for the update.
I had another question on the DMZ setup: does distributed caching work well between the DMZ node and the internal node? We were told via TAR some time back that it does not yet...

I would like to see some notes/writeup on JServ memory usage and load balancing. We tweak the nprocs parameter in jserv.properties to increase the processes for the different JServ mounts and we get profiles/class not found errors when nprocs is more than 1, and the fix suggested was to set DCACHEMODE to local.

Hope to hear from you

Posted by sam on May 19, 2006 at 04:40 AM PDT #

Sam,

Can you elaborate on what you mean by distributed caching between the DMZ and the internal node? If you have the old TAR number, I can take a quick look at that, too.

Thanks for the suggestion on JServ optimization; I've added it to the list of possible future blog articles. That's a rich field, and I know we have a number of presentations at OpenWorld each year on this. If you're interested in doing your own research in the interim, feel free to search our OpenWorld presentation archives for sessions with Ahmed Alomari, our performance architect for the E-Business Suite. Ahmed is our foremost performance expert, and his session materials tend to be filled with loads of practical tips on managing and tweaking JServ performance.

Regards,
Steven

Posted by Steven Chan on May 19, 2006 at 10:03 AM PDT #

Steve, I would like to see some write-ups on the url_fw.conf file, handling customizations in it, etc.

Posted by sam on June 13, 2006 at 02:16 AM PDT #

Thanks for the suggestion -- what types of customisations, specifically, would you like more information on?

In the meantime, Appendix E of Note 287176.1 covers the URL firewall to a certain level of detail.

Regards,
Steven

Posted by Steven Chan on June 13, 2006 at 03:28 AM PDT #

I have a question, not a comment. I'm going to implement a DMZ for the iRecruitment responsibility, and I will be using the simple implementation, meaning I will clone the middle tier and put it in another area. I don't have a problem with that, but what I'm thinking about is how:
1- How can I manage the external users, meaning what mechanism should I follow for the external users: when the external middle tier is published, how can the external users register their username and password and access iRecruitment through the internet?
2- For example, the URL for the current application is http://hostname.domainname.com:8000, so the new node will be the same with a different port, http://hostname.domainname.com:8001.
My question on this point: can I change the URL for the external server, meaning to be the same URL but without the port, http://hostname.domainname.com?

Thank you,

Posted by Murad Abushaikha on April 01, 2008 at 05:38 PM PDT #

Murad,

1. I would presume that your iRecruitment page is linked off your corporate website.  iRecruitment has its own user self-registration pages.  If you have the latest version of iRecruitment (check their documentation directly for their latest patches), those self-registration pages should be compatible with your Oracle Single Sign-On and Oracle Internet Directory configuration.

2. I'd recommend forwarding this question to your own networking group; they'll have more insight than I into how your DNS entry aliases back to your E-Business Suite environment.

Regards,
Steven

Posted by Steven Chan on April 07, 2008 at 05:06 AM PDT #

Hi Steven,

I have configured one project with iSupplier Portal in a DMZ configuration (it was with "Reverse Proxy with an External Web Tier" and I felt pretty comfortable configuring it with the help of the Network Admin), but there's another project wherein the client says that he would like to have a COMMON URL to access the iSupplier Portal and iRecruitment within the same DMZ.

My doubt/query is, is it possible to do so?

After going through Note 287176.1 (DMZ Configuration with Oracle E-Business Suite 11i), I understand that we can't, but we need to configure 2 different URLs for the 2 modules.

Could you please clarify whether it is possible to do so? If so, how can we do it (the same note says about integrating with SSO and OID for using a common URL).
And if not, could you please advise the procedure?

Kind Regards,
Sudhakar

Posted by P.V. Sudhakar on November 05, 2008 at 08:55 PM PST #

Hi, Sudhakar,

You can run as many EBS products as you wish on your externally-facing EBS application tier server, as long as those applications are certified for external deployment (Note 287176.1 has the list of certified apps).

For example, it's technically feasible to run both iSupplier Portal and iRecruitment on the same DMZ-based external application tier.

Presuming that you'd want your iSupplier users to go to a URL like, "suppliers.company.com", you can register that in your DNS to point to the appropriate iSupplier homepage on your external application tier.

Likewise, you can register a different URL for your iRecruitment users like, "jobs.company.com" and point that to the iRecruitment homepage on your external application tier.

Good luck with your implementation.

Regards,
Steven

Posted by Steven Chan on November 06, 2008 at 04:30 AM PST #

Hi Steven,

Sorry to bother you again, but I think I posted it in different terminology rather than putting it straight.

Actually, I wanted to know whether there is any way that I can use a COMMON URL for accessing all the internet-related modules in the same DMZ (for example, if my client is looking to configure iSupplier and iRecruitment). Can I do so?
If I can do it, how do I proceed with the same?

And the client is using BIG-IP as the Hardware Load Balancer

Kind Regards,
Sudhakar

Posted by P.V. Sudhakar on November 06, 2008 at 07:10 PM PST #

Hi Steven,

Let me put it straight, is it possible to have a COMMON URL to access all the Internet related products, for example, accessing iSupplier Portal and iRecruitment in the same DMZ.

Also we are having BIG-IP configured for Hardware Load Balancing.

Hence, I would request you to please help me by advising a procedure to do the above.

Kind Regards,
Sudhakar

Posted by P.V. Sudhakar on November 06, 2008 at 08:17 PM PST #

Hi, Sudhakar,

iSupplier has its own homepage. iRecruitment has its own homepage.

If your customer clicks on a "common URL" such as "external.company.com", the challenge is figuring out which homepage to show the user. Obviously, there's no way of discerning the user's goal simply by their arrival at a given URL.

One method is to create a custom webpage that functions as a "landing page" for the "external.company.com" common URL. That landing page can contain links for the iSupplier and iRecruitment homepages. The user can then select the link for the external application that they'd like to access.

If you need assistance with deploying this type of customized front-end for these applications, I'd recommend contacting someone in Oracle Consulting.

Regards,
Steven

Posted by Steven Chan on November 07, 2008 at 03:31 AM PST #

Hi Steven,

Is there a possibility of hosting/configuring the iRecruitment and iSupplier Modules in ONE Single Server with DMZ Setup.

Kind Regards,
Sudhakar

Posted by P.V.Sudhakar on December 29, 2008 at 12:04 AM PST #

Hi, Sudhakar,

Sure, that's possible, as far as I'm aware. Have you seen documented warnings that indicate that this isn't the case?

Regards,
Steven

Posted by Steven Chan on December 30, 2008 at 07:27 AM PST #

Hi Steven,

"Have you seen documented warnings that indicate that this isn't the case?" -- No, but we had a small doubt, as we heard about hosting them on 2 different servers.

One more doubt, Steve: is it all defined in 'url_fw.conf' regarding the URL addresses when we try to access these modules from outside the DMZ? Could you please shed some light on how to do and/or define this, as I am a bit confused at this point.

Thanks in advance and wish you a Happy New Year 2009.

Regards,
Sudhakar

Posted by P.V.Sudhakar on January 01, 2009 at 02:34 PM PST #

Hi, Sudhakar,

The URL firewall for Release 11i is documented in Appendix E of Metalink Note 287176.1.

Please don't hesitate to log a formal Service Request via Metalink if you're having trouble configuring this. One of our EBS DMZ specialists will help you out.

Regards,
Steven

Posted by Steven Chan on January 02, 2009 at 04:22 AM PST #

Hi Steven,
We are using iStore and trying to access PDF files behind the DMZ by adding an entry in url_fw.conf. We put the correct entry by creating a RewriteRule allowing access to .pdf, but no luck. Is there any other place we need to make an entry to allow the PDF file type?
Thank You,
Sanjay

Posted by Sanjay Goswami on March 06, 2009 at 08:10 AM PST #

Hi, Sanjay,

You're on the right track, but there could be a number of places where this kind of request might be blocked.

I'd recommend logging a formal Service Request via Metalink to have one of our ATG DMZ specialists help you isolate the root cause. Feel free to drop me an email with the SR number if it gets stuck for some reason.

Regards,
Steven

Posted by Steven Chan on March 09, 2009 at 07:47 AM PDT #

HI Steven,

Can I make my EBSO web node a reverse proxy server?
My requirement is that I cannot afford another box for the DMZ.

My architecture is:
Node 1 : Apache
Node 2 : CM and DB

Can I make Node 1 a reverse proxy?

Thanks
Cuckoo Susan

Posted by Cuckoo Susan Sunny on December 21, 2009 at 02:20 AM PST #

Hi, Cuckoo Susan,

Yes, this is a supported architecture. See Figure F4 in Note 287176.1 for an example.

Regards,
Steven

Posted by Steven Chan on December 29, 2009 at 05:10 AM PST #

Hi,

Have a question here. We wanted to implement the iStore R12 Oracle E-Business Suite module in the DMZ environment.

At a very high level, we clone another machine/server and make this the external-facing EBS application tier/external web tier,
and then deploy the relevant E-Business Suite module, iStore only, on this external web tier.

This external web tier now talks to the internal Oracle database, which is in the internal/intranet network.

Now, is there any way to handle the scenario wherein the external users over the internet are trying to access this iStore module but the internal database is down for a planned/unplanned outage? Is there a way this could be handled?

2. Is there any concept of a standalone mode for the Oracle E-Business Suite R12 modules, as to what happens when the DB couldn't be accessed?

Thanks
sachin

Posted by Sachin on October 24, 2010 at 08:02 PM PDT #

Hi, Sachin,

If your database is down, all requests from an EBS application tier server will fail. This is true regardless of where those EBS application tier servers live -- either in your DMZ or internally.

Regards,
Steven

Posted by Steven Chan on October 28, 2010 at 07:09 AM PDT #

How do you configure your application help if the help files are inside the DMZ? We are implementing iExpense so that sales reps can enter expense reports from public access. How can we get them to see the help/UPK content?

Posted by Erik on June 05, 2012 at 12:44 PM PDT #

Hi, Erik,

I don't have a lot of visibility into UPK. As far as I'm aware, our generic DMZ setup instructions should support this content, since it's permitted via the iExpenses responsibility.

If you're having trouble with that, your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our iExpenses (or UPK) specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on June 06, 2012 at 01:25 PM PDT #

Steven,

Thanks a lot for such an elaborate explanation of the configuration.

I am new to this kind of configuration and learning the same.

I need a clarification here:
We do have the iStore module set up on an external tier in the DMZ for external usage. Now we would like to extend the same to iRecruitment, iPayables and iReceivables. As we have a limitation on the external node, which is only one, we would like to deploy all 4 on the same node.

Could you please let me know how to setup the port re-direction in this case? I mean external users might access the modules as
iStore.domain.com
iRec.domain.com
iPay.domain.com
iReceive.domain.com

How to handle these request re-direction to respective modules.

Regards,
Raja.

Posted by Raja on May 21, 2013 at 03:51 AM PDT #

Hi Raja,

As you have questions about a very specific setup, the best solution will be for you to log a service request and discuss the issue with one of our specialists in this area.

Regards,

Robert.

Posted by Robert Farrington on May 23, 2013 at 09:27 AM PDT #
