34 Enterprise Business Portals with IBM Tivoli Access Manager
2.1 Typical Internet Web server security characteristics
Perhaps the best place to begin the discussion of Access Manager architecture
is with the issues typically encountered by organizations as they begin to address
Web security requirements.
It is a generally accepted practice for organizations to place Internet-facing Web
servers in a protected zone [also known as a demilitarized zone (DMZ)], which is
generally firewalled and separated from the Internet. There are many ways of
doing this, depending on the needs of the business. For example, many
organizations do not even maintain their Web servers in-house; instead they rely
on hosting services to provide the appropriate network infrastructure to support
their Web content. Other organizations, especially large ones with significant
Web content and application infrastructure, maintain protected zones within the
context of their own network infrastructure. In any case, it is generally recognized
that it is not a good idea to place Web servers in an organization’s internal
network directly on the Internet. A typical Internet Web server architecture is
shown in Figure 2-1.
Figure 2-1 A typical basic Internet Web architecture
Web Server
Internet DMZ
Firewall
Internet
Browser
Network Firewall,
often specialized
hardware, such
as Cisco PIX.
Web servers provide static
content and support basic
application functions (such
as simple CGIs).
Chapter 2. Access Manager Web-based architecture 35
In Figure 2-1 on page 34, note that the Web server(s) directly serves content and
may perform substantial application processing. Obviously, there is some level of
security risk, depending on the sensitivity of the content and applications
provided by the Web server.
In more advanced scenarios, where content is increasingly driven by complex
applications, there are usually back-end components in the environment. For
example, an application may rely on a large mainframe database, or substantial
portions of the application may execute on back-end systems.
Direct Internet access to such components may present a significant security
risk. Even assuming the Internet-facing firewall uses appropriate filtering to
prevent access, compromise of the firewall could prove disastrous. For this
reason, back-end components may be placed in an internal network, firewalled
from the Internet DMZ, leaving only the Web server component exposed to direct
browser access, as illustrated in Figure 2-2. This “double firewall” architecture
has become common, not only for Internet application access, but increasingly
for internal organization access to critical computing resources as well.
Figure 2-2 Typical advanced Web application architecture
While such architectures successfully address security from a network
perspective, they do not address a larger set of concerns, including:
Security-sensitive information may reside in the static content of Web servers
(for example, human resources, sales, and personal information).
Authentication/authorization may be driven by platform-specific mechanisms.
Internal Network
Data/
Application
Server
Firewall
Web Server
Internet DMZ
Firewall
Internet
Browser
Network Firewall,
often specialized
hardware, such
as Cisco PIX.
Web servers provide
static content and
support application
"front-end" functions.
Often a software
firewall, such as IBM
Firewall or CheckPoint
Firewall-1.
Databases, such as IBM
DB2 or application
servers, such as IBM
WebSphere Application
Server.
Get Enterprise Business Portals with IBM Tivoli Access Manager now with the O’Reilly learning platform.
O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.
