Network Security
When deploying ODEE on a network there are many security issues to take into consideration, especially the use of firewall and Virtual Private Network (VPN) technologies. A firewall permits or denies network traffic based on configured rules, protecting the internal network from unauthorized access while permitting legitimate communications. Firewalls perform the following functions in a typical ODEE environment:
- Guard the company Intranet from unauthorized outside access.
- Separate Intranet users accessing the ODEE system from internal subnetworks where critical corporate information and services reside.
- Protect from IP spoofing and routing threats.
- Prohibit unauthorized users from accessing protected networks and control access to restricted services.
The ODEE user interface is browser-based and can be used to allow home-office users to access the functions deployed within ODEE. It is recommended that the users access the application from within the company network, secured behind the outside firewall. Virtual Private Network (VPN) technology should be used to allow employees working remotely to access the ODEE application. A VPN tunnels outside traffic through the firewall, placing outside clients virtually inside the firewall.
Make sure that the firewalls used to secure an ODEE environment support the HTTP 1.1 protocol. This enables browser cookies and inline data compression for improved performance.
A typical ODEE environment usually has the following security zones:
- Internet: External web service clients may come from outside of the company network.
- Intranet: The company network, separated from the Internet by the external firewall, from which home-office users access the ODEE user interface. This is also where ODEE web servers and load balancers may be placed. Alternatively, for additional protection, web and load balancing servers may be placed in a separate demilitarized zone (DMZ) where external and internal clients first interact with the ODEE environment.
- ODEE application server and database zone: ODEE application servers, including Web servers, database servers and possibly authentication servers (for example, if a customer chooses to implement a single sign-on using Lightweight Directory Access Protocol (LDAP) servers) reside in this zone. Access to the database that holds critical client information must be secured, with access restricted to system and database administrators only.
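The following script is an added illustration of the segmentation described by the firewall functions and the security zones above; it is not ODEE's own configuration or a vendor-supplied ruleset. It models the Internet, Intranet, DMZ and application/database zones as address ranges, evaluates sample packets against an ordered, default-deny rule list, drops packets whose source address could not legitimately arrive on the ingress interface (the IP spoofing point), and audits the rules so that only an administrator subnet can reach the database port. All addresses, interface names and ports (the application port 8080, the database port 1521, the admin subnet) are constructed assumptions, not ODEE defaults.

```python
"""Zone-based firewall policy evaluator (added example, not ODEE configuration).

Every address, interface name and port below is an assumption made for
illustration; adapt them to the real address plan before drawing conclusions.
"""
import ipaddress
from typing import List, NamedTuple


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str  # "allow" or "deny"


# Constructed address plan for the zones named on the page (assumption).
ZONES = {
    "intranet": ipaddress.ip_network("10.10.0.0/16"),
    "admin":    ipaddress.ip_network("10.10.250.0/24"),  # sysadmin/DBA subnet inside the intranet
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),    # web servers and load balancers
    "app_db":   ipaddress.ip_network("10.30.0.0/24"),    # application and database servers
}

# Which zones may legitimately source traffic on each ingress interface (assumption).
INGRESS = {
    "wan": {"internet"},
    "lan": {"intranet", "admin"},
    "dmz": {"dmz"},
    "app": {"app_db"},
}

APP_PORT = 8080  # assumed application-server port, not an ODEE default
DB_PORT = 1521   # assumed database listener port for this deployment

# Ordered rule list: first match wins, anything unmatched is denied.
RULES = [
    Rule("internet", "dmz", 443, "allow"),      # external web service clients reach the DMZ only
    Rule("intranet", "dmz", 443, "allow"),      # intranet users reach the ODEE UI through the DMZ
    Rule("admin", "dmz", 443, "allow"),
    Rule("dmz", "app_db", APP_PORT, "allow"),   # web tier forwards to the application servers
    Rule("admin", "app_db", DB_PORT, "allow"),  # only the admin subnet may reach the database
    Rule("admin", "app_db", 22, "allow"),       # administrative shell access to the app/db zone
]


def zone_of(ip: str) -> str:
    """Longest-prefix match; any address outside the internal plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "internet"


def evaluate(ingress_iface: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow', 'deny' or 'drop-spoofed' for one packet."""
    src_zone = zone_of(src_ip)
    # Anti-spoofing: a source zone that cannot arrive on this interface is dropped
    # before the rules are consulted (e.g. an internal address seen on the WAN side).
    if src_zone not in INGRESS.get(ingress_iface, set()):
        return "drop-spoofed"
    dst_zone = zone_of(dst_ip)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src_zone, dst_zone, dst_port):
            return rule.action
    return "deny"  # default deny


def audit_db_exposure(rules: List[Rule] = RULES) -> List[Rule]:
    """List allow rules that expose the database port to any zone other than admin."""
    return [r for r in rules
            if r.action == "allow" and r.dst_zone == "app_db"
            and r.dst_port == DB_PORT and r.src_zone != "admin"]


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination, port).
    samples = [
        ("wan", "203.0.113.7", "10.20.0.10", 443),      # external client to DMZ web tier
        ("wan", "203.0.113.7", "10.30.0.20", DB_PORT),  # external client straight to the database
        ("wan", "10.10.5.5", "10.20.0.10", 443),        # internal address arriving from outside
        ("lan", "10.10.250.9", "10.30.0.20", DB_PORT),  # DBA subnet to the database
        ("lan", "10.10.5.5", "10.30.0.20", DB_PORT),    # ordinary intranet user to the database
    ]
    for s in samples:
        print(s, "->", evaluate(*s))
    print("database exposure findings:", audit_db_exposure())
```

Running the script shows the external client reaching only the DMZ, the direct database attempt and the ordinary intranet user's database attempt falling through to the default deny, and the internal address on the WAN interface being dropped as spoofed. The audit function is the check to keep in a change-review step: appending a rule that allows the whole intranet to reach the database port makes it return that rule as a finding.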