2 layers of firewall Implementation Design

Dears, I'll be going for this design below:
Internet-----Firewall1-----Firewall2----Core switches----Distribution switches----End users
Firewall1: outer interface to internet, internal interface to firewall2, DMZ interface to DNS, Email server, Bluecoat (Guest users), Websense (Wired users internet access)
Firewall2: outer interface to firewall1, DMZ interface to Server Farm, internal interface for core switches.
Now, in order for both user groups (Wired/Wireless) to have their internet traffic directed to Bluecoat and then from Bluecoat to the internet, routing should be enabled between the 2 firewalls, so is it ok? Or shall I configure all users to have a default gateway to firewall1 and then have firewall1 configured to route traffic to both Websense and Bluecoat? Also, while traffic is coming back from firewall1 heading to firewall2, should I open some ports on Firewall2, because by default it won't be allowing any traffic since it will be going from a low level interface to a higher level?

routing should be enabled between 2 firewalls so is it ok ?
Surely it's ok and it should be done. You may use dynamic routing or just static routes. The final goal is to provide full IP reachability between your clients and the web filtering services.
or shall i configure all users to have a default gateway to firewall1
You can't configure the firewall 1 inside IP as the default gateway for your clients, because the default gateway IP should be in the same LAN segment (broadcast domain).
also while traffic is coming back from firewall1 heading to firewall2 i should open some ports on Firewall2 because by default it wont be allowing any traffic since it will be going from low level interface to higher level???.
If we're talking about general web traffic, then you don't have to configure any ACLs on the outside interface of FW2, because web traffic will be inspected by default (at least as TCP). That means that when a client connects to, say, cisco.com, the returning traffic will be allowed by default, because there'll be an entry in the state table.

Similar Messages

  • DC Firewall implementation

    Hi Experts,
    Could you please guide me to best practices for implementing/designing firewalls in an existing Data Center. I am looking at implementing Transparent mode firewalls to minimize disruptions and achieve server farm security.
    The existing topology is a collapsed Aggregation/Access Layer: 2x6500 Active/Standby through HSRP, and external routing is OSPF. These switches connect to the CORE through OSPF 0; the server farm networks' default gateway is the HSRP address on the switches. Server networks are segmented through VLANs [170-190].
    Cisco ASA is to be implemented; I do not want major routing changes, hence opted for transparent mode. Attached is a high level topology of what is to be achieved.
    Any detailed design guides would be appreciated on how the traffic flow from WAN to DC be intercepted and within DC.

  • Oracle Procurement/Sourcing :- Need advise on an implementation design

    Dear Guru's,
    Need advise on an implementation design
    Problem Summary :-
    Our client(say "X") is contracted to perform certain business functions for their client (Say"Y")
    Say "X" does the sourcing (RFP, RFQ) functions up to PO creation and receiving in an Excel-based custom application (not through Oracle EBS) for client "Y".
    So "X" is not responsible for paying for those services and "Y" pays for those receipts.
    We want to implement Oracle EBS Advance procurement solution for their above functions and replace the custom application processes.
    But client "X" is not accepting advance procurement solution as they("X") are not paying for the services and they don't want to fit this solution in Oracle EBS as this may cause legal issues.
    Questions:-
    1. Whats the best design solution for this type of scenario to fit the custom process into Oracle EBS procurement ?
    2. Can we follow the sourcing implementation process (RFQ/RFP) -> PO Creation -> PO receipts -> AP Invoice matching in Oracle EBS, and is there a way to nullify this transaction in Oracle so that there will not be any legal issues? Maybe creating a credit memo/AR invoice etc...
    Appreciate your help!
    Thanks
    Karthik

    Hi All,
    Once basic question on the centralized procurement model. Please advise.
    Scenario :- Two OUs (OU1 - Requesting OU and OU2 - Purchasing OU):
    1. Purchase Requisition in OU1
    2. AutoCreate PO in OU2
    3. Approve PO in OU2
    4. Receive the material in INV1 of OU1
    5. Supplier sends the invoice to OU2
    6. Cost the transactions
    7. Run ‘Create Intercompany AR invoices’ in OU2
    8. Run ‘Auto Invoice Master Program’ in OU2
    9. Run ‘Create Intercompany AP invoices’ in OU1
    10. Run ‘Expense Report Import’ in OU1
    Question:-
    1. After step 5(Supplier sends the invoice to OU2) who will do the payment for supplier and what's the process?
    2. I could see the intercompany invoice process in further steps which creates invoices, but not sure on how supplier payments are paid.
       In which step are the payments (Supplier, Intercompany) processed?
    Please advise!
    Thanks
    Karthik

  • Firewall implementation in java

    Need help about firewall implementation in Java. Is it possible to develop an application level firewall in Java? How?

    No.
    You can control a firewall in C or such from Java. But you must have native code in part of it.
    This question is asked repeatedly.. you really should have searched because the answer is always the same. You can't do it directly in Java.

  • Timing issues in implemented design

    Hello everyone,
    I have been reading in these forums for a long time now, but have never posted. Possibly because I have never had such a design-specific issue that was above my knowledge...I wish my problem was more "friendly" for a first post.
    Anywho, my problem is as follows: I've been working on a design for a few months now and everything was working fine up until recently (apart from logic errors of course that I would run into and fix here and there). I recently integrated a module that I did not design myself. My behavioral simulations work fine and all of my previous functionality seems to be working as well when the design is implemented. However, the functionality based on the "foreign" module has introduced problems.
    What I am using: Spartan 6-XC6SLX16 and therefore ISE
    Here are some of the functional symptoms I have recorded so far:
    - The functionality always produces the same output after the design is implemented and uploaded
    - The functionality can differ if I change something (no matter how small or where) in the design itself
    - The same applies for changing constraints
    - After some implementations+uploading the functionality works correctly, and in other cases it fails by either producing erroneous results or just "getting" stuck (i.e. one of my FSMs)
    - The critical path w.r.t. my system clock is in the module that seems to be the source of the problems
    This leads me to believe that there is some timing-related issue. The only timing related constraint I have used is for my system clock period. The timing report does not show any errors regarding this constraint.
    My guess so far would be that I have an unconstrained path problem, possibly in combination with insufficient account for system and input jitter, as the design does take up around 40-50% of FPGA. The problem is that I have no experience in tracking such an issue down, so I could definitely use some pointers in the right direction.
    Things I have tried:
    - Basic logic debugging of the input-output behavior of the problematic functionality using chipscope
    - Post-PAR simulation of the module that includes "foreign" components: Works fine with a 100MHz constraint
    - Increasing the frequency constraint for the entire design from 100 to 120 MHz but that was just out of lack for better ideas, it did not help.
    - Looking at the unconstrained paths that the timing analysis can provide. I was hoping to find something related to the component that seems to be causing the problems, but no luck. Mainly just entries related to all of the ring oscillators that I am using, which it seems to be interpreting as a clock domain crossing case. These, however, have nothing to do with the problematic portion of the design.
    I have a few questions at this point:
    -Can one problem lead to a totally uncontrollable landslide of other seemingly independent problems?
    -Also, how do I make sure that I get ALL of the unconstrained paths and not just a subset?
    -Could it even be an unconstrained path issue if nothing in the report indicates that there is an unconstrained path in the problematic region?
    I hope I have described my problem thoroughly enough for you to make some educated assumptions about what could be going wrong. I'm interested in learning what typically causes such problems. I am aware of synchronizing between clock domains, or the de-assertions of asynchronous resets, the standard problems...but I missed something critical here and I don't want it to happen again. Perhaps somebody has a pointer for me where I could do a little more digging?
    I will set up a timing simulation of the entire design, but as this is a rather lengthy process it will be some time until I get some results.
    Cheers,
    Shibby

    Hello,
    Thank you for the quick replies so far.
    austin wrote:
    So, my questions to you are:
    Did you review the entire (verbose) timing report?
    What is your smallest positive slack number?
    What is your system jitter? Your clock source jitter?
    How well is the device bypassed on the board you are using (is it one of ours, or one from our distributors)?
    - Yes, I went over the entire verbose timing report that DIDN't cover unconstrained paths. However, when I did have the timing analyzer output unconstrained paths as well, there were a lot of timing errors. I assume this is due to the fact that unconstrained = period requirement of 0 and the slack is therefore always negative? I had a look at these and none of them really indicate a problem to me.
    - The smallest positive slack in the case of the standard verbose timing report was 0.304ns.
    - The system jitter is (the default?...I did not specify it in my UCF) 0.070ns. The other jitter values (TIJ and DJ) are both set to zero. So the resulting clock uncertainty is very small...possibly too small.
    - The board is a Nexys 3 from Digilent. I assume they know their stuff when it comes to capacitive bypassing of ICs. How would this play a role? If I've understood correctly then this is correlated to the system jitter. Bypassing problems would lead to larger/more frequent voltage dips (especially for larger designs) and therefore a clock that exhibits more/larger uncertainty (i.e. jitter)?
    I think my lack of knowledge in correctly constraining larger designs might be causing the problems here. But perhaps also not, so just to be sure, I want to ask the following (possibly stupid) questions:
    - Instead of increasing parameters related to jitter of a certain clock, wouldn't increasing the period constraint of that clock have the same effect? As I wrote, increasing for example the system clock constraint to 120MHz rather than 100MHz showed no improvement of the problem...I'm not sure what this tells me...if anything at all.
    - I do have another clock domain and I do synchronize signals (there is nothing big going on, mainly just handshaking) between the two domains. What could the effect be if I removed the period constraint for one of the clocks apart from possible timing problems in that clock domain?
    - The ring oscillators that I have clock certain FFs if oscillators enabled, however I do not know their exact frequencies. Would it suffice to just use a known upper bound?
    The latter two questions concern parts of the design that have been there for a long time and have no functional connection to what was added that seems to be causing the problem, though.
    austin wrote:
    ISE ignores clock domain crossing (Vivado does not, but Vivado only supports 7 series and later devices). Do you have any unidentified clock crossings that require synchronizers?
    Yes, I do. As mentioned above I synchronize my handshake signals between clock domains using simple level synchronizers (since I'm not doing anything fancy like transforming pulses). I am also synchronizing the de-assert of my asynchronous system reset in both clock domains using standard reset bridges, which are basically just level synchronizers.
    Interestingly, the timing report containing unconstrained path info tells me that one constraint was not met whereas the other one does not. It also concludes that the maximum frequency is lower than 100MHz, but gives the same result for the system clock. If I've understood correctly, this is due to the fact that there is an unconstrained path with maximum combinational path delay larger than 10ns. I had a look at this path (there are a few of the same type) and it is a path that I don't think needs to be constrained, so I wouldn't see this as the issue. 
    Albeit having looked at the timing reports, I wouldn't exclude that I've missed something, simply because I haven't dealt with such problems until now. So, I'm not sure whether or not it would be helpful to attach both the standard verbose timing report and the one including unconstrained paths...but perhaps someone could point me to something that might seem fishy..?
    One thing I will do is continue to try and isolate the location of the problem using timing simulations or possibly stripping the logic of certain components and checking the behavior of the implemented design.
    Best regards,
    Shibby

  • BPEL implementation design suggestions

    Hi all,
    Being new to SOA, I'm not really sure what's best practice regarding BPEL and certain problems. I just think that the way I have implemented a BPEL solution is "ugly" and was hoping there was a better solution. So I hope some of you may have some design experience you would share. :-)
    We have a legacy system that gives us some unique document ids that we need to use when creating new documents. The problem is that the new system has to be up 24/7 and the legacy system is down for maintenance every night for about 6 hours.
    As we are using SOA for the document creation, I have created a BPEL process that retrieves 20000 ids from the legacy system. When we need an id we ask the BPEL process for an id. When there is under 100 id's left, I retrieve 20000 more from the legacy system.
    I have implemented this as following:
    1. Load 20000 id's via a webservice.
    2. Save the 20000 id's in a local database via a database adapter (allows me to get id's from a local database when legacy system is down).
    3. Load 1000 id's via a database adapter (into memory).
    4. Assign the 1000 id's into a Global variable of the same message type as the Collection used by the database adapter.
    5. Each time the BPEL process is called, return the first id and mark it as used (couldn't find out how to delete an entry).
    Steps 1 and 2 are only called if there are less than 100 id's left in the local db.
    The problem is that the BPEL process returns each time (synchronous webservice process). It's not really an in-memory queue system, as it will load 1000 id's from the database each time instead of using the memory. I might as well just load one id from the db each time.
    If this was Java, I would just load 1000 id's into an ArrayList and add more to the ArrayList from the db when needed. This would avoid too many db calls.
    So how would you implement this in BPEL?
    many thanks,
    William

  • Firewall Interface design

    We plan a two tier firewall with the physical topology like this:
    WWW --------------- FW1-----------FW2-----------------INTERNAL
    We will have multiple DMZ zones off FW2 and our VPN termination point off FW1. FW2 will be responsible for the NAT'ing in the design.
    My plan will be to have internal IP addresses (RFC1918) between FW1 and FW2 so that FW2 cannot be accessed publicly.
    If we have multiple DMZ interfaces off FW2, do I need to logically separate them in the 'Intermediate' zone (between FW1 and FW2) ?
    So for example, FW2 will have two subinterfaces, Gi0/0.100 = DMZ1, Gi 0/0.200 = DMZ2. Should this be carried over a logical path between FW1 and FW2, or should it just use the single interface on FW1 and FW2?
    Hope this is clear.

    Using the single interface between FW1 and FW2 will be fine.
    You just need to ensure your routing steers the traffic correctly, nat statements are aligned and access-lists allow the necessary flows.
    The one tricky bit would be the NAT. If the only place the public IPs connect to is FW1 yet the NAT from DMZ server real address to public IP is in FW2, you will need some static routing along with your access-list entries to make sure the requests for your DMZ servers' public addresses are passed through FW1 to the inside interface and on to FW2's outside interface. 

  • Extranet/Firewall implementation question

    All,
    We’re running EP6 SP11 in a single server scenario. We’ve implemented iViews that access backend CRM and BW systems. All connections are HTTP (versus SSL). I’ve been asked to make the Portal system available outside the firewall so that the sales team can access sales functionality without VPN authentication. I’ve read about reverse proxy and SSL scenarios, which make sense; however, I have a couple of questions.
    It seems like the reverse proxy scenario would be a good choice. I understand how access to the portal would work; however, I'm not sure what happens when the iViews which access backend systems are launched.
    I would like to get others input.
    Thanks,
    Greg

    Hi Greg,
    We have an external portal that is fronted by an Apache Reverse Proxy. In the Apache configuration file there is a section for reverse proxy statements.
    So basically we have it set up so that when users request portal.sap.com/irj it is reverse proxied to the portal server. For iViews that access backend systems we set up the same thing.
    For example, we have an iView that connects to an R3 system, so we have it set up so that anything that comes across as portal.sap.com/r3 is reverse proxied to an ITS Server that then connects to the R3 system.
    Hope that helps
    Keith

  • Simple firewall implementation

    Hello,
    I'm pretty new to the Cisco products and want to set up a simple firewall.
    I found some examples but can't get it to work.
    For now we are using Cisco routers of the 88x and 89x series.
    When I activate the script, the remote connection to the router is lost, although I have put a permit rule for ssh.
    The script is the following:
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall rtsp
    ip inspect name Firewall h323
    ip inspect name Firewall netshow
    ip inspect name Firewall ftp
    ip inspect name Firewall ssh
    ip access-list extended Allow-IN
     permit eigrp any any
     permit icmp any 192.168.2.0 0.0.0.255 echo-reply
     permit icmp any 192.168.2.0 0.0.0.255 unreachable
     permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
     permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
     permit icmp any 192.168.2.0 0.0.0.255 echo
     permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
     permit tcp any 192.168.2.0 0.0.0.255 eq 22
     deny ip any any
    interface Vlan1
     ip inspect Firewall in
    interface Dialer1
     ip access-group Allow-IN in
    Can anyone tell me what I'm doing wrong here?
    And a second question, can I use for the ip inspect also port numbers or must I always use a service name?
    Thank you,
    //Edwin

    Hello,
    I have tested this.
    I couldn't add the router-traffic keyword to the ip inspect rule for ssh but could add it to the ip inspect rule for tcp.
    I tested this option but unfortunately the connection was closed again as soon as the rules were applied to the interfaces.
    Maybe I did it wrong or it doesn't work.
    //Edwin

  • Firewall Implementation

    Is it advisable to place a firewall in front of my server farm? And why?

    Hello Maro,
    A firewall is a device that will be placed into the network to filter traffic (depending on the security policies your management team has set) to protect the internal resources from both internal and outside threats.
    So if you place a firewall in front of a server farm, it will protect them; it would be amazing.
    Now remember that you will need to configure the firewall to allow access to those servers on the right ports/services.
    Regards
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • P2p network java implementation -design/scalability questions

    Hi,
    I am trying to build a (distributed) p2p network simulator. What's this? Each PC, called a "farm", will have tens of thousands (I hope) of "Peer" threads running (say level "0"). These threads will be referenced by a Farm thread running on each PC (say level "1"). In the case where a message needs to be forwarded to a "remote" Peer (a Peer running in another farm), there will also be a server and a client communication module for each Farm (say level "2").
    The farms will also communicate with the FarmMonitor via a client module (in level "2" also), a process running on a single PC, mainly handling user requests.
             |---------------------------------------------------|
            \|/                                                 \|/
    Farm server/client mod          Farm server/client mod
    |-----------------------------------|         |------------------------------------|
    |          farm1               |         |            farm2               |
    |-----------------------------------|         |------------------------------------|
    FarmMonitor client                    FarmMonitor client
              |                                            |
              |                                            |                      
              \____________________________\_____________ |  FarmMonitor Server
                                                                                   |----------------------------------|
                                                                                   |    FarmMonitor         |
                                                                                   |----------------------------------|
    I have built a demo (roughly reaching the Farm-Farm communication part), which works with nio Pipes between Peers, but it looks complicated and I would also like to use nio SocketChannels for the communication. Since, however, I am inexperienced in nio (and in general), I have little time, I mainly work on my own and I must decide for once in my life to use the K.I.S.S. rule, I have thought of another alternative.
    Peers (threads), not running most of the time, communicating in a Producer-Consumer fashion via an (incoming) message mailbox/buffer. Each Peer will have the mailboxes of its neighbouring peers mapped to the corresponding neighbouring peer id. Each peer will temporarily buffer its outgoing messages internally and, once awoken, forward them to the right mailbox. The communication modules will serialize the msgs and use old-fashioned i/o.
    Am I heading for a disaster? Will I have scalability problems because of all these monitors and threads? Any remarks are useful.
    Thanks

    Jason, quick update on this. I might not have used the correct terminology regarding the publishing in AD. What I try to say is that when you have extended the schema in AD with the SCCM specifics and you then install a Management Point, that object is also created under the System Management container. When checking client logs I could see that the client is querying AD and retrieves the list of Management Points; once it determines the site that it will be assigned to, it gets the list of MPs for that site.
    In my development environment I have not extended the schema, so I'm using SMSSITECODE=XXX SMSMP=NETBIOSNAME. What I did see now, after I got the IBCM working correctly, when installing a new SCCM Client using the following install parameters "SMSSITECODE=LA0 SMSMP=ABC ...." and checking locationservices.log, is that the client is "assigning to Management point ABC" and a few seconds after that message it also gets the Internet MP information; once the client is installed and I then check the Control Panel applet "Network", the Internet Management Point information is populated, which already is good news.
    My software distribution is working for some new apps that I created after IBCM was configured; however, for a few apps that already existed before IBCM was created, I still have the issue that it cannot find any DPs, even though I'm able to install the same app from my intranet without issues. Need to check on this further; I hope when implementing this in my Production environment that I don't run into the same issue with all my existing applications.
    thx again for all the help, appreciated.

  • Implementation/Design suggestions

    Hi guys,
    I have been tasked with writing a process that will be making multiple ftp connections to multiple servers.
    1. The FTP process will be connecting to multiple servers
    2. All connections will be kept alive at all times (if possible)
    3. Each connection will require different logic when uploading files. For example, files on Server A will be uploaded into a temporary directory and then moved to a different directory. Files uploaded to Server B will have to be in the following format ["IBM343"][Date] etc.
    4. Some servers will require upload in Binary format and some will require ASCII only
    The options that i am thinking of are as follows.
    1. Have one object that forks out multiple threads. Each thread will be managing a specific FTP connection. The logic to handle the specific FTP server will be in the thread.
    2. Have one object that manages several objects that will be managing the FTP connections.
    I am curious to get your opinions on how you would approach this. Can you think of other, more efficient design approaches that are better than those listed above?
    Thanks.
    Ps. i have posted this in other forums.

    Ok guys, Here is one quick example of what i would ideally like to achieve.
    [http://i279.photobucket.com/albums/kk128/ziggy_76/onelayerprocess.jpg|http://i279.photobucket.com/albums/kk128/ziggy_76/onelayerprocess.jpg]
    Everything above the shaded line already exists, so I will be developing new components below the shaded line (i.e. there is already a process that reads from the database and writes to the relevant queue).
    The diagram shows that each FTP server will have two processes associated with it: an INftp and an OUTftp process. The IN process will be polling the relevant FTP server and writes whatever it reads back into the queue. The OUT process will be checking the queue to see if there are any new items that need to be transferred to a server. Each item in the queue has an IN or OUT flag.
    I am wondering whether it is more efficient to use the above approach, or include a new process that reads from both queues and sends the request to either the IN or OUT processes, which are normal objects.
    How would a plugin be used in this situation? If there is a generic class for putting files into an FTP server, does this mean all the PUT processes will need to extend this class? How would i deal with situations where the "putting" requires different logic for each server?
    I am thinking that maybe only the logic for "putting" and "getting" should be generic but the preparation should be independent?
    And also, what is more efficient to use in terms of performance a java thread or an instantiated object?
    Thanks
    Edited by: ziggy on May 5, 2009 1:52 PM

  • How to save the state of the changed visible layers in pdf, pre-designed in Indesign

    Hi,
    I have made an Indesign (CS 5.5) file with some textfields (no button), and interactive buttons. And saved it as Interactive PDF.
    I have made a fillable form out of the textfields in Adobe Acrobat Pro X, and the interactive buttons are working in PDF.
    When you open the PDF in Acrobat Reader or Pro, fill in text and change a state of the button and save the file: all the changes (text and state) are saved.
    When you open the PDF in Acrobat Reader or Pro, fill in text and save the file: the changes (text) are saved.
    When you open the PDF in Acrobat Reader or Pro, and only change a state of the button and save the file: the changes are NOT saved.
    What I mean with states of a button: SHOW/HIDE or ON/OFF etc.
    Does anyone know what I'm doing wrong. Or is it not possible to only save changes in states of a button?
    Thanks in advance for thinking with me.
    Josiane

    You would have to check your color management and things like overprint settings or the ink levels of the color components. Streaking is usually a sign of areas getting oversaturated and the automatic adjustments in the printer driver being unable to compensate. and then of course other factors may figure in like banding inherent in using gradients across large areas, out of gamut issues for certain colors and what have you. You'd have to be much more specific about all of that for anyone to even begin to advise specifically...
    Mylenium

  • 2 Tier firewall design

    Hi All
    What are people's thoughts on a 2 tier firewall design for a large enterprise? Is it normal and recommended practice to have 2 layers of firewall, and of different vendors?
    Also, would the rulebase normally be duplicated on each firewall?
    cheers

    Hi,
    The most common situations where I've seen this used are when a customer has an office network and an automation network. So mostly in factories/mills where it's important to separate the 2 networks from each other.
    In these cases the firewall pair between office and automation are usually doing NAT Exemption for all traffic. Any NAT is handled on the firewall equipment on the edge of the whole network.
    In these types of setups you can basically leave the inner ASA without any NAT configurations and you will mostly be configuring ACLs while the bulk of the firewall configurations are done at the edge devices.
    - Jouni

  • Layered Firewalls Implementation

    Guyz, right now I have 2 perimeter firewalls which I'm relying on, and since I'm replacing them soon I was thinking of buying more firewalls for a layered firewall implementation, but I really want to understand what the point of applying 3 layers of firewalls is, for example, like what I will be trying to achieve for better security?

    Hi Maro,
    A firewall will allow traffic from a high security level (like the inside interface, which has a security level of 100) to low security level interfaces (like the outside interface or a DMZ interface, which have a security level of any value less than 100) by default, without an access-list. If you need to allow traffic from low to high then you need to specifically allow it through an access-list.
    With stateful packet inspection, what the firewall does is maintain a table of all the traffic which goes from inside to outside, and the return traffic will be allowed (no need for any specific ACL) only if the traffic is initiated from inside and has an entry in the firewall's stateful table.
    Hope this helps.
    Regards
    Najaf
    Please rate when applicable or helpful !!!
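The default-permit rule and the state-table behaviour that Najaf describes above, and that the reply in the main thread relies on when it says returning web traffic needs no ACL on FW2's outside interface, as an added toy model written for this page (not ASA code): interface names, security levels, addresses, ports and the single ACL entry are all assumed values constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed interface table (assumed values): name -> (security level, connected network).
# outside gets level 0 and a default route, dmz 50, inside 100, mirroring the ASA
# convention described in the thread.
IFACES: Dict[str, Tuple[int, ipaddress.IPv4Network]] = {
    "outside": (0, ipaddress.ip_network("0.0.0.0/0")),
    "dmz": (50, ipaddress.ip_network("172.16.10.0/24")),
    "inside": (100, ipaddress.ip_network("192.168.2.0/24")),
}

FlowKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Toy model: default permit from high to low security level, ACL needed from
    low to high, return traffic permitted only when the forward flow is in the
    state table."""

    def __init__(self, ifaces: Dict[str, Tuple[int, ipaddress.IPv4Network]]) -> None:
        self.ifaces = ifaces
        self.acl: Set[Tuple[str, str, int]] = set()  # explicit permits: (ingress iface, proto, dport)
        self.state: Set[FlowKey] = set()  # forward keys of flows already permitted

    def iface_for(self, ip: str) -> str:
        """Longest-prefix match of an address against the connected networks."""
        addr = ipaddress.ip_address(ip)
        candidates = [name for name, (_, net) in self.ifaces.items() if addr in net]
        return max(candidates, key=lambda name: self.ifaces[name][1].prefixlen)

    def permit(self, ingress: str, proto: str, dport: int) -> None:
        """Add an explicit access-list permit for new flows entering on `ingress`."""
        self.acl.add((ingress, proto, dport))

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic of a permitted flow: allowed by the state table, no ACL involved.
        if reverse in self.state:
            return "allow: matches state table (return traffic)"
        if key in self.state:
            return "allow: existing flow"
        ingress, egress = self.iface_for(pkt.src), self.iface_for(pkt.dst)
        lvl_in, lvl_out = self.ifaces[ingress][0], self.ifaces[egress][0]
        # New flow: high -> low is permitted by default, low -> high only with an ACL entry.
        if lvl_in > lvl_out or (ingress, pkt.proto, pkt.dport) in self.acl:
            self.state.add(key)
            return f"allow: new flow {ingress}({lvl_in}) -> {egress}({lvl_out})"
        return f"drop: {ingress}({lvl_in}) -> {egress}({lvl_out}) needs an ACL entry"


def demo() -> List[str]:
    """Walk a few constructed packets through the model and return the verdicts."""
    fw = StatefulFirewall(IFACES)
    fw.permit("outside", "tcp", 443)  # the one published DMZ service (assumed)
    packets = [
        Packet("tcp", "192.168.2.10", 51000, "203.0.113.5", 80),   # inside client -> internet web
        Packet("tcp", "203.0.113.5", 80, "192.168.2.10", 51000),   # the web server's reply
        Packet("tcp", "203.0.113.5", 4000, "192.168.2.10", 22),    # unsolicited internet -> inside
        Packet("tcp", "203.0.113.5", 4001, "172.16.10.20", 443),   # internet -> DMZ, ACL-permitted
        Packet("tcp", "172.16.10.20", 4002, "192.168.2.10", 445),  # DMZ host -> inside, no ACL
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third and fifth verdicts are the cases a rulebase review should expect to see dropped: nothing on a lower security level reaches a higher one unless an entry was deliberately added for it.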
