System Deployment
Network Security in OIPA Environment
When deploying OIPA on a network there are many security issues to take into consideration, especially the use of firewall and VPN technologies. A firewall permits or denies network traffic based on configured rules, protecting the internal network from unauthorized access while permitting legitimate communications. Firewalls perform the following functions in a typical OIPA environment:
- Guard the company Intranet from unauthorized outside access.
- Separate Intranet users accessing the OIPA system from internal sub-networks where critical corporate information and services reside.
- Protect from IP spoofing and routing threats.
- Prohibit unauthorized users from accessing protected networks and control access to restricted services.
The OIPA user interface is browser-based and allows home-office users to access the application services. It is recommended that the users access the application from within the company network, secured behind the outside firewall. Virtual Private Network (VPN) technology should be used to allow employees working remotely to access the OIPA application. A VPN tunnels outside traffic through the firewall, placing outside clients virtually inside the firewall.
It may be required to provide access to the OIPA web services for external clients that are not allowed inside the company firewall. In that case, the web services must only be accessed through HTTP secured with SSL. OIPA web services support WS-Security standards, enabling web service user authentication using OIPA user accounts.
Please make sure that the firewalls used to secure an OIPA environment support the HTTP 1.1 protocol. This enables browser cookies and inline data compression for improved performance.
Firewalls in the OIPA environment
A typical OIPA environment has the following security zones:
- Internet - External web service clients may connect from outside the company network.
- Intranet - The company network, separated from the Internet by the external firewall, that gives home-office users access to the OIPA user interface. This is also where OIPA web servers and load balancers may be placed. Alternatively, for additional protection, web and load balancing servers may be placed in a separate demilitarized zone (DMZ) where external and internal clients first interact with the OIPA environment.
- OIPA application server and database zone - OIPA application servers, including Cycle Web servers, database servers and possibly authentication servers (for example, if a customer chooses to implement a single sign-on using LDAP servers) reside in this zone. Access to the database that holds critical client information must be secured, with access restricted to system and database administrators only.
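The zone model above can be checked mechanically against a firewall rule set before it is deployed. The following script is an added example, not code from the OIPA documentation or product: it encodes the three zones as invariants (Internet reaches only the web tier over HTTPS, the application/database zone is reached only from the web tier or by administrators, the database listener is for administrators only, and the rule set ends in an explicit deny-all) and evaluates flows first-match the way a firewall would. The "admin" management network and the port numbers 443 (HTTPS), 1521 (default Oracle listener) and 8080 (application server behind the web tier) are assumptions made for the illustration.

```python
"""Zone-segmentation check for a firewall rule set in an OIPA deployment.

Added example, not part of the OIPA documentation or product. Zone names
follow the three zones described in the text plus an assumed "admin"
management network; 443, 1521 and 8080 are assumed port values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Union

INTERNET = "internet"   # external web-service clients
INTRANET = "intranet"   # home-office users of the OIPA user interface
DMZ = "dmz"             # web servers and load balancers
APP_DB = "app-db"       # OIPA application servers, Cycle web servers, database
ADMIN = "admin"         # assumed: system and database administrators
ANY = "*"

HTTPS = 443             # assumed: HTTPS for the web tier
ORACLE_LISTENER = 1521  # assumed: default Oracle listener port
APP_PORT = 8080         # assumed: application-server port behind the web tier


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Union[int, str]   # ANY matches every port
    action: str             # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and self.port in (ANY, port))


def decide(rules: Iterable[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation; a flow no rule matches is implicitly denied."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def check_segmentation(rules: List[Rule]) -> List[str]:
    """Flag allow rules that violate the zone model described in the text."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        where = f"rule {i} ({r.src} -> {r.dst}:{r.port})"
        # Internet clients may only reach the web tier, and only over HTTPS.
        if r.src in (INTERNET, ANY) and r.dst != DMZ:
            findings.append(f"{where}: Internet clients may only reach the DMZ web tier")
        if r.src in (INTERNET, ANY) and r.port != HTTPS:
            findings.append(f"{where}: external web-service traffic must be HTTPS only")
        # The application/database zone is reached only from the web tier or by admins.
        if r.dst in (APP_DB, ANY) and r.src not in (DMZ, ADMIN):
            findings.append(f"{where}: app/database zone is reachable only from the DMZ or admin network")
        # The database listener itself is for administrators only.
        if r.dst in (APP_DB, ANY) and r.port in (ORACLE_LISTENER, ANY) and r.src != ADMIN:
            findings.append(f"{where}: database access is restricted to administrators")
    if not rules or rules[-1] != Rule(ANY, ANY, ANY, "deny"):
        findings.append("rule set does not end with an explicit deny-all")
    return findings


# Constructed rule sets for illustration.
GOOD_RULES = [
    Rule(INTERNET, DMZ, HTTPS, "allow"),
    Rule(INTRANET, DMZ, HTTPS, "allow"),
    Rule(DMZ, APP_DB, APP_PORT, "allow"),
    Rule(ADMIN, APP_DB, ORACLE_LISTENER, "allow"),
    Rule(ANY, ANY, ANY, "deny"),
]

# Same policy with one misconfiguration: intranet workstations can reach the listener.
BAD_RULES = GOOD_RULES[:3] + [Rule(INTRANET, APP_DB, ORACLE_LISTENER, "allow")] + GOOD_RULES[3:]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_segmentation(rules) or "OK")
```

The checks are written against allow rules only, because a deny rule can never widen access; the separate `decide` function lets you confirm what a concrete flow would do once the rules are in place, which catches ordering mistakes that a per-rule scan does not.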
Database
Appropriate database users for the OIPA application should be set up as per the instructions in the associated version of the OIPA Database Install Instructions, which is located on the Oracle Technology Network. OIPA expects a Read-Only database user to be set up so that additional restrictions can be enforced on certain operations.
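A read-only user only stays read-only if its grants are audited after setup. The script below is an added example, not code from the OIPA documentation or product: it takes catalogue rows in the shape of Oracle's DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS views and reports every grant that exceeds "connect and read named objects", together with the matching REVOKE statement. The user name OIPA_RO, the schema OIPA, the object names and the specific definition of read-only used here are assumptions for the illustration; the OIPA Database Install Instructions remain the authority on which grants the product requires.

```python
"""Privilege audit for the read-only database user OIPA expects.

Added example, not part of the OIPA documentation or product. Input rows
mirror the columns of Oracle's DBA_SYS_PRIVS (grantee, privilege),
DBA_TAB_PRIVS (grantee, owner, table_name, privilege) and DBA_ROLE_PRIVS
(grantee, granted_role). OIPA_RO, OIPA_APP, the OIPA schema and the object
names are constructed for illustration.
"""
from typing import List, Sequence, Tuple

# Assumed definition of "read-only": connect, and read named objects only.
ALLOWED_SYS_PRIVS = {"CREATE SESSION"}
# READ (Oracle 12c+) reads a table without permitting SELECT FOR UPDATE or LOCK TABLE.
ALLOWED_OBJ_PRIVS = {"SELECT", "READ"}

SysPriv = Tuple[str, str]               # (grantee, privilege)
ObjPriv = Tuple[str, str, str, str]     # (grantee, owner, table_name, privilege)
RolePriv = Tuple[str, str]              # (grantee, granted_role)


def audit_readonly_user(grantee: str,
                        sys_privs: Sequence[SysPriv],
                        obj_privs: Sequence[ObjPriv],
                        role_privs: Sequence[RolePriv]) -> List[Tuple[str, str]]:
    """Return (finding, revoke_sql) for every grant that exceeds read-only access.

    The revoke statements are remediation suggestions to review, not to run blindly.
    """
    results = []
    for g, priv in sys_privs:
        # "ANY" privileges such as SELECT ANY TABLE read every schema in the
        # database and are flagged too: they bypass the per-object grant list.
        if g == grantee and priv not in ALLOWED_SYS_PRIVS:
            results.append((f"system privilege {priv}",
                            f"REVOKE {priv} FROM {grantee};"))
    for g, owner, table, priv in obj_privs:
        if g == grantee and priv not in ALLOWED_OBJ_PRIVS:
            results.append((f"{priv} on {owner}.{table}",
                            f"REVOKE {priv} ON {owner}.{table} FROM {grantee};"))
    for g, role in role_privs:
        # Roles carry privileges indirectly (RESOURCE, for example, includes
        # CREATE TABLE); a read-only user should hold none.
        if g == grantee:
            results.append((f"role {role}", f"REVOKE {role} FROM {grantee};"))
    return results


def findings(grantee: str, sys_privs, obj_privs, role_privs) -> List[str]:
    return [f for f, _ in audit_readonly_user(grantee, sys_privs, obj_privs, role_privs)]


def revoke_statements(grantee: str, sys_privs, obj_privs, role_privs) -> List[str]:
    return [s for _, s in audit_readonly_user(grantee, sys_privs, obj_privs, role_privs)]


# Constructed catalogue rows: the application user OIPA_APP legitimately holds
# write privileges and must not produce noise; OIPA_RO is the user being audited.
SYS_PRIVS = [("OIPA_APP", "CREATE SESSION"), ("OIPA_APP", "CREATE TABLE"),
             ("OIPA_RO", "CREATE SESSION"), ("OIPA_RO", "SELECT ANY TABLE")]
OBJ_PRIVS = [("OIPA_APP", "OIPA", "POLICY", "UPDATE"),
             ("OIPA_RO", "OIPA", "POLICY", "SELECT"),
             ("OIPA_RO", "OIPA", "CLIENT", "READ"),
             ("OIPA_RO", "OIPA", "POLICY", "UPDATE")]
ROLE_PRIVS = [("OIPA_APP", "RESOURCE"), ("OIPA_RO", "RESOURCE")]

if __name__ == "__main__":
    for finding, sql in audit_readonly_user("OIPA_RO", SYS_PRIVS, OBJ_PRIVS, ROLE_PRIVS):
        print(f"finding: {finding:<40} remediation: {sql}")
```

Run against a real database, the three row lists would come from queries on the DBA views named above, filtered by grantee; keeping the audit as a pure function over those rows means it can also run in a CI check against an exported privilege listing.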