For the best implementation of Forms Server, you need to determine:
This chapter describes the types of networking implementations upon which you can deploy Web applications, and the things you need to consider when deploying Web applications on each type.
There are a number of terms used to describe the various networking implementations upon which you can deploy applications. In general, networks can be grouped into the following categories:
The primary difference between the Internet, intranets, and extranets is that an intranet and extranet are well defined by the controlling organization(s) and have a known body of users. Conversely, the Internet has an unknown body of users. Computers and networks that communicate via the Internet are unknown to each other until the time of connection. This means that there can be no previous coordination of encryption standards, user authentication, authorization, and so on.
These implementations are discussed in greater detail in the following sections:
The Internet is a network that is open to anyone with access to an Internet Service Provider (ISP). By connecting to the Internet, a user has access to other networked computers all over the world. If a computer that is connected to the Internet is not secured using hardware or software security methods, data on that computer is potentially accessible to anyone on the Internet.
An intranet is a network that is "owned" by a single organization that controls its security policies and network management. Networked computers may be housed within a single physical location (for example, computers used for inventory control in a manufacturing plant), or they may be in different physical locations (for example, computers used at various branches of an insurance company).
Because the intranet is controlled by a single organization, all users who will attempt to access the network are known, and there is freedom in selecting the network structure, security policy, and software.
The following are examples of intranet-style networks:
An extranet is a network that is "owned" by multiple organizations, each of which may have their own network infrastructure, security policies, and users. The networked computers are usually housed in different physical locations. In most cases, the different organizations share portions of their network data with each other. For example, the travel industry uses an extranet that allows travel agents to book flights and make other travel arrangements using data from networks owned by airlines and tour operators.
Like an intranet, there is a known body of users in an extranet. However, because the extranet is controlled by multiple organizations, an integrated approach to network management and security is required. In the travel industry example, the travel agencies and airlines would have to coordinate networking and security issues in order for travel agents to access airline booking information.
The following are examples of extranet-style networks:
Organizations sharing networked data and applications via an extranet must agree on the security protocols for user authentication, authorization, and data encryption. Security hardware, such as firewalls and routers, must be compatible.
After studying how the Forms Server functions and determining the type of network setup that would work best for your company, you can implement Forms Server on your network. The following five sections describe networking options and some associated risks:
Forms Server allows you to deploy your Forms applications over the Internet by encapsulating Forms messages in HTTP 1.1 packets. HTTP is one of the most widely used protocols for deploying applications on the Internet.
Many organizations have "locked-down" their firewalls by allowing only HTTP traffic, which greatly enhances the security of their private networks. (Most firewall companies support the HTTP standard in their products, and many organizations are willing to allow HTTP traffic in and out of their private networks.) Sites that allow only HTTP traffic will be able to easily deploy Forms Server through their existing firewall with little or no change to their configuration and with complete transparency to the client.
Although a strict security policy is still required to protect the internal company network, you can put application servers behind a firewall and in a demilitarized zone (DMZ) within the company network. The HTTP filter within the firewall is sufficient to restrict incoming traffic without the use of a VPN.
In addition, you can use SSL (secure sockets layer) with HTTP 1.1 for even more secure communications. SSL is a transport protocol that provides privacy, integrity, and authentication. SSL works at the transport level, which is one level below the application level. This means that SSL can encrypt and decrypt messages before they are handled by application-level protocols such as HTTP.
Deploying Forms Server on the Internet makes your application available to individual users on the Web, as well as to extranet customers, at a relatively low cost when compared to the other network deployment options. It enables organizations to run scalable, secure, and sophisticated new or existing Forms applications over the Internet.
To deploy applications on the Internet with an HTTP socket connection, CPU requirements for the user's Forms Client PC are slightly higher than for previous versions of Forms Server in order to provide equivalent performance.
Sending Forms data in an HTTP wrapper will likely increase network traffic, and may have an impact on the number of sessions that can be run simultaneously on lower speed connections.
If you do not choose to use the HTTP socket connection method, your other option is to set up a DMZ outside of your protected network that contains the application server. You can set up an IP router to block all incoming packets except those destined for ports 80 (HTTP traffic) and 9001 (default port for the Forms Listener) in order to protect the DMZ. The risk with this approach is that the Forms Server Listener port is still exposed to the Internet. If multiple Forms Server Listeners are used (for example, when hosting multiple applications or multiple languages), each additional listener port increases the exposure.
In addition, the IP router should be backed by a multi-homed firewall residing in the DMZ that re-routes all incoming traffic from the IP router to the application servers in the DMZ. The application servers need to connect to the database in the trusted corporate network, so the multi-homed firewall also needs to re-route all Net8 traffic to the data server in the trusted corporate network.
A rotation schedule can be set up where different Forms Server Listeners are used at different times to reduce the chance of break-in, although this will not deter a serious hacker.
To shield the internal network from attacks, we recommend that you set up an extra firewall between the multi-homed firewall and the internal network to filter the IP packets and only pass Net8 traffic.
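One way to check the layered filtering just described before deploying it, as an added example that is not part of the Forms Server guide: a small first-match packet-filter model in Python. The addresses are constructed, and Net8 on TCP port 1521 is an assumption (the guide names only ports 80 and 9001).

```python
# Added example (not from the Forms Server guide): a first-match packet-filter model
# of the DMZ layout above, used to check that the database is unreachable from the
# Internet. Addresses are constructed; Net8 on TCP 1521 is an assumed convention.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

ANY, DMZ, TRUSTED = "0.0.0.0/0", "10.1.1.0/24", "10.2.2.0/24"   # constructed ranges

# Hop 1: the IP router in front of the DMZ passes only HTTP (80) and the default
# Forms Listener port (9001); everything else inbound is dropped.
ROUTER = [Rule(ANY, DMZ, 80, "allow"),
          Rule(ANY, DMZ, 9001, "allow"),
          Rule(ANY, ANY, None, "deny")]
# Hop 2: the extra firewall between the DMZ and the trusted network passes only
# Net8 from the application servers to the database; nothing else gets inside.
INNER = [Rule(DMZ, TRUSTED, 1521, "allow"),
         Rule(ANY, TRUSTED, None, "deny")]

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; a filter with no match denies by default."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

def verdict(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the hops a packet crosses; return (decision, hop that decided it)."""
    hops = []
    if ip_address(src) not in ip_network(DMZ) and ip_address(src) not in ip_network(TRUSTED):
        hops.append(("router", ROUTER))          # arriving from the Internet
    if ip_address(dst) in ip_network(TRUSTED):
        hops.append(("inner_firewall", INNER))   # bound for the corporate network
    for name, rules in hops:
        if evaluate(rules, src, dst, dport) == "deny":
            return "deny", name
    return "allow", hops[-1][0] if hops else "none"

def internet_exposed_ports(rules: List[Rule]) -> List[int]:
    """Ports an Internet host can reach: grows with every extra Forms Listener."""
    return sorted(r.dport for r in rules if r.action == "allow" and r.dport is not None)
```

Running `verdict("198.51.100.7", "10.1.1.10", 9001)` shows the residual exposure of the listener port the text warns about, while the same client is stopped at the router when it aims at the database directly.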
If all users who will access your Forms applications are located within your LAN, then basic internal network security is sufficient, and the Forms Server will not require any special configuration.
If some users are located outside your LAN or secure WAN and will dial in for access to your Forms applications, then you will need a server designed specifically for remote access security. This scenario is ideal for employees who work offsite or for trusted customers who must access your LAN or WAN. This solution is not appropriate for implementations where more than 1000 users would need to access the LAN remotely.
Valid users are those who have been registered in your remote access server. Unregistered users do not have access. Remote Access Service (RAS) is a feature of Windows NT servers. A Windows NT RAS server can be used in this scenario as the remote access server.
A private WAN is often constructed with leased lines. To break in, an intruder would have to know the location of the leased lines and the wire codes of the lines used to transmit data. Under these conditions, a breach is unlikely.
If dial-up is via public phone lines, we recommend that you encrypt confidential data during transmission. Windows NT RAS servers include the Point-to-Point-Tunneling Protocol (PPTP), which can be used for encryption of confidential data over public dial-up lines. If you are not using a remote access server that provides an encryption protocol, see the following sections for other, more secure options for configuring Forms Server on your network.
There is a very small risk that an intruder can randomly dial the phone number for a remote access server, and then attempt multiple username/password combinations to log in to the LAN. However, remote access servers are more vulnerable to disgruntled ex-employees or customers who already know how to access the server.
To avoid this situation, we recommend the following precautions:
As mentioned in the previous section, a conventional WAN is usually constructed with leased lines. However, if dial-up is via public phone lines, we recommend that you have a more secure method of user authentication and data transmission.
One option is to use a VPN, or virtual private network, available from your telecommunications provider. The telecommunications provider keeps a list of allowed users, and creates the VPN whenever an approved user dials in. Your network would still need a remote access server, as described in the previous section, so all of the security benefits and risks of the previous section apply here. (This solution is not appropriate for implementations where more than 1000 users would need to access the LAN remotely.)
The primary risk is vulnerability to disgruntled ex-employees or customers who already know how to access the server and are already on the VPN provider's registered users list. To eliminate this risk, be sure to keep current the list of approved users for both the remote access server and the VPN provider's registered users list.
If you plan to use the Internet as your means of dial-up access, we recommend that you have a secure method of user authentication and data transmission. One option is to use the Forms Server HTTP socket configuration, or HTTPS (the HTTP 1.1 socket configuration with secure sockets layer for improved privacy, integrity, and authentication). For more information about HTTP sockets, see Section 3.2, "Sockets, HTTP, or HTTPS".
Another option is to use a VPN over the Internet. With this method, data is transferred over the Internet in the form of IP (Internet protocol) packets. An IP packet is a group of bits (your data) along with a source and destination IP address.
If you set up a VPN over the Internet, you can save telecommunication costs. Remote users dial a local ISP rather than leased lines or an 800 number. You must configure and maintain the VPN software at your network, and the users who dial in must have compatible VPN software. If you set up an extranet connection where two LANs communicate via the Internet, all parties need to use compatible firewalls. If you have remote workers, some vendors offer mobile firewalls that can be used by remote workers; however, this adds significant cost and administrative time.
Most major firewall vendors have options for implementing a VPN over the Internet. Preferred VPNs use:
Risks involved with setting up a VPN over the Internet include:
If you are planning to implement a mission-critical application using Forms Server, security is a key issue. After determining the type of network environment you need, formulate a security policy to protect it. Refer to Chapter 10, "Security Considerations" for more detailed information.
After your application servers are up and running, you must continually maintain security. This is true particularly if your applications are accessed through the Internet because your site will likely be visited by hackers. The enforcement of a security policy is an ongoing process.
We have described several deployment options for intranet, extranet, and Internet Forms applications, and have looked at the associated impact on security. From this we can draw the following conclusions:
A realistic implementation of security measures on the Internet is based on a combination of the following elements: