Network Zones and Firewalls
A firewall separates a company’s external Siebel Web Clients (those accessing applications over the Internet) from its internal network and controls network traffic between the two domains. A firewall defines a focal point to keep unauthorized users out of a protected network, prohibits vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
To secure a network, divide the network into zones of control by considering factors such as the type of information contained in the zone and who needs access to that zone. Then place firewalls between the zones and implement access controls between the zones.
The following figure shows the recommended placement of firewalls in a Siebel CRM environment, which is between the Internet and demilitarized zones, and between the demilitarized and intranet zones. For optimum performance, do not install a firewall between the intranet zone and the internal highly secure zone.

As illustrated in this figure, an enterprise network for Siebel CRM typically comprises the following zones of control:
Internet zone. This zone is insecure and not trusted. External Siebel Web Clients reside in this zone.
Demilitarized zone. Publicly accessible servers are placed in this zone. Servers placed in this zone are called bastion hosts. Web server load balancers and Reverse Proxy Server reside in this zone. Clients outside the firewall access the Reverse Proxy Web server through a secure connection. This zone is where the external network first interacts with the Siebel environment.
Intranet zone. This zone consists of internal networks. Components that reside inside this zone include the Application Interface, Siebel Servers, Siebel Gateway, and authentication server (Lightweight Directory Access Protocol directory server). In a deployment of Siebel employee applications, Web clients reside beyond the DMZ, somewhere between the DMZ and the unsecured Internet depending on customer security requirements. Depending on the requirements and configured security adapter, the authentication mode can be one of the following: SSO/SAML, Database, LDAP, or Custom.
Note: The Application Interface accesses the migration database when it is deployed for migration.
Internal highly secure zone. Business critical information and services are placed in this zone. The Siebel Database and File System reside in this zone. Restrict access to this zone to system administrators and database administrators.
For additional information on the recommended placement of firewalls, see Recommended Network Topology. For information on assigning ports when setting up firewalls, see Guidelines for Assigning Ports on Firewalls.
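The following is an added example, not part of the Siebel documentation: a small audit that maps firewall permit rules onto the four zones described above and reports any rule that lets traffic skip a zone, for example from the Internet zone straight to the intranet zone. The CIDR ranges, the short zone names, the host addresses, and the (source, destination) rule format are constructed assumptions; substitute your own addressing plan.

```python
import ipaddress

# Zones in the order traffic is expected to traverse them.
ORDER = ["internet", "dmz", "intranet", "secure"]

# Constructed addressing plan (assumption): one CIDR per internal zone.
# Anything outside these ranges is treated as the untrusted Internet zone.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "intranet": ipaddress.ip_network("10.20.0.0/16"),
    "secure": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed permit rules as (source CIDR, destination CIDR).
RULES = [
    ("203.0.113.0/24", "10.10.0.10/32"),  # external client -> DMZ host
    ("10.10.0.10/32", "10.20.1.15/32"),   # DMZ host -> intranet host
    ("203.0.113.0/24", "10.20.1.15/32"),  # external client -> intranet host
    ("10.10.0.0/24", "10.30.0.0/24"),     # DMZ -> highly secure zone
    ("10.10.0.10/32", "0.0.0.0/0"),       # DMZ host -> any destination
]


def zones_touched(cidr):
    """Return every zone that a rule's network overlaps."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # A network not fully contained in one internal zone also reaches outside.
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("internet")
    return touched


def audit(rules):
    """Return (rule, src_zone, dst_zone) for each permitted hop that skips a zone."""
    findings = []
    for src, dst in rules:
        for s in sorted(zones_touched(src), key=ORDER.index):
            for d in sorted(zones_touched(dst), key=ORDER.index):
                if abs(ORDER.index(s) - ORDER.index(d)) > 1:
                    findings.append(((src, dst), s, d))
    return findings


if __name__ == "__main__":
    for rule, s, d in audit(RULES):
        print(f"{rule[0]} -> {rule[1]}: permits {s} -> {d}, skipping a zone")
```

Rules are evaluated as written, so a broad network such as 0.0.0.0/0 counts as touching every zone it overlaps; this is what surfaces the "any destination" rule in the sample data.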