Network Security in ODS Environment
When deploying ODS on a network there are many security issues to take into consideration, in particular the use of firewall and VPN technologies. A firewall permits or denies network traffic based on configured rules, protecting the internal network from unauthorized access while permitting legitimate communications. Firewalls perform the following functions in a typical ODS environment:
- Guard the company Intranet from unauthorized outside access.
- Separate Intranet users accessing the ODS system from internal sub-networks where critical corporate information and services reside.
- Protect from IP spoofing and routing threats.
- Prohibit unauthorized users from accessing protected networks and control access to restricted services.
The ODS user interface is browser-based and allows home-office users to access the application services. Users should access the application from within the company network, behind the external firewall. Employees working remotely should reach the ODS application over a Virtual Private Network (VPN): the VPN tunnels their traffic through the firewall, so that remote clients are placed virtually inside it. Note that the VPN only authenticates the remote user and encrypts the path; VPN clients should still be granted access only to the ODS user interface, not to the application server and database zone.
Make sure that the firewalls and any proxies used to secure an ODS environment support the HTTP 1.1 protocol and pass its headers unmodified. The ODS user interface relies on browser cookies (the Cookie and Set-Cookie headers) for session handling and on inline data compression (Content-Encoding) for improved performance; a device that strips or rewrites these headers will break the application or degrade it.
Fig: Firewalls in the ODS environment
A typical ODS environment usually has the following security zones:
- Internet - External web service clients may come from outside of the company network.
- Intranet - The company network behind the external firewall, from which internal (home-office) users access the ODS user interface. ODS web servers and load balancers may also be placed here. Alternatively, for additional protection, web and load-balancing servers may be placed in a separate demilitarized zone (DMZ), where external and internal clients first interact with the ODS environment.
- ODS application server and database zone - ODS application servers, database servers and possibly authentication servers (for example, LDAP servers if a customer implements single sign-on) reside in this zone. The database holds critical client information, so direct access to it must be restricted to the ODS application servers and to system and database administrators only; no other zone should be able to reach the database port.
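The zoning in the list above and the firewall functions listed earlier, as an added example that is not part of the ODS documentation: a small Python model of the inter-zone firewall policy. It applies default deny, a short list of explicit allow rules between zones, the anti-spoofing check (a source address claiming an internal zone but arriving on the external interface is dropped), and an audit of the rule set against the zoning intent. It goes slightly beyond the page by splitting the single application/database zone into an application segment and a database segment so that the database restriction can be expressed. The address plan, the port numbers (443 for the user interface, 8443 web tier to application servers, 1521 database, 22 administration) and the interface names are assumptions chosen for illustration.

```python
"""Zone-based firewall policy model for the ODS security zones.

Added example, not part of the ODS documentation. Zone names follow the page;
the address plan, port numbers and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed address plan (RFC 1918 / RFC 5737 documentation ranges).
# The page's single application/database zone is split into "app" and "db"
# segments here so that the database access restriction can be expressed.
ZONES: Dict[str, List[str]] = {
    "dmz":      ["192.0.2.0/24"],   # web servers and load balancers
    "intranet": ["10.10.0.0/16"],   # internal users
    "vpn":      ["10.20.0.0/24"],   # remote users, after VPN termination
    "app":      ["10.30.1.0/24"],   # ODS application and authentication (LDAP) servers
    "db":       ["10.30.2.0/24"],   # ODS database servers
    "admin":    ["10.40.0.0/28"],   # system and database administrators
}
_NETS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in ZONES.items()}

# Interface on which each zone's traffic legitimately arrives (assumption).
ZONE_IFACE: Dict[str, str] = {
    "internet": "ext0", "dmz": "dmz0", "intranet": "int0",
    "vpn": "int0", "app": "srv0", "db": "srv0", "admin": "int0",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    comment: str


# Default deny: only these TCP flows are permitted (ports are assumptions).
ALLOWED: List[Rule] = [
    Rule("internet", "dmz", 443,  "external clients to the web tier, TLS only"),
    Rule("intranet", "dmz", 443,  "internal users to the ODS user interface"),
    Rule("vpn",      "dmz", 443,  "remote users, tunnelled in, take the same path"),
    Rule("dmz",      "app", 8443, "web tier to ODS application servers"),
    Rule("app",      "db",  1521, "application servers to the database"),
    Rule("admin",    "app", 22,   "administrators to application hosts"),
    Rule("admin",    "db",  22,   "administrators to database hosts"),
    Rule("admin",    "db",  1521, "database administrators to the database"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not assigned is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in _NETS.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def decide(src_ip: str, dst_ip: str, dst_port: int, in_iface: str) -> str:
    """Firewall verdict for a new TCP connection.

    'drop-spoofed' : source claims an internal zone but arrived on an interface
                     that zone does not use (the IP spoofing case on the page)
    'accept'       : matches an explicit allow rule
    'drop-policy'  : default deny
    """
    src_zone = zone_of(src_ip)
    if ZONE_IFACE[src_zone] != in_iface:
        return "drop-spoofed"
    dst_zone = zone_of(dst_ip)
    for rule in ALLOWED:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src_zone, dst_zone, dst_port):
            return "accept"
    return "drop-policy"


def audit(rules: List[Rule]) -> List[str]:
    """Flag rules that break the zoning intent: Internet traffic reaching past
    the DMZ, or anything other than application servers and administrators
    reaching the database segment."""
    findings = []
    for r in rules:
        if r.src_zone == "internet" and r.dst_zone != "dmz":
            findings.append(f"internet reaches {r.dst_zone}:{r.dst_port}")
        if r.dst_zone == "db" and r.src_zone not in ("app", "admin"):
            findings.append(f"{r.src_zone} reaches db:{r.dst_port}")
    return findings


if __name__ == "__main__":
    # Constructed connection attempts (not captured traffic).
    attempts = [
        ("203.0.113.5", "192.0.2.10", 443, "ext0"),   # external client -> web tier
        ("203.0.113.5", "10.30.2.10", 1521, "ext0"),  # external client -> database
        ("10.10.4.7",   "10.30.2.10", 1521, "int0"),  # intranet user -> database
        ("10.30.1.5",   "10.30.2.10", 1521, "srv0"),  # application server -> database
        ("10.40.0.3",   "10.30.2.10", 1521, "ext0"),  # "admin" address arriving from outside
    ]
    for a in attempts:
        print(f"{a[0]:>14} -> {a[1]}:{a[2]} via {a[3]}: {decide(*a)}")
    print("audit:", audit(ALLOWED) or "clean")
```

The model is deliberately connection-oriented: it decides on the first packet of a flow, as a stateful firewall would, and the `audit` function is the check worth running whenever the rule set changes, since a single misplaced allow (for example the web tier talking to the database directly) silently collapses the zoning the page describes.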