DMZ and FARM Architecture for Banking System

wahyu eko hadi saputro
5 min read · Nov 19, 2023

General concept of traffic for an old banking system

DNS

DNS stands for Domain Name System. It’s essentially the internet’s equivalent of a phone book, translating human-friendly domain names into IP addresses that computers use to identify each other on the network.

When you type a website’s domain name (like www.example.com) into your browser, your computer sends a request to a DNS server to look up that domain name. The DNS server then returns the corresponding IP address associated with that domain name, allowing your computer to connect to the correct web server and load the website.

DNS operates through various record types, including:

A Records: These associate a domain name with an IP address.

CNAME Records: These alias one domain name to another, canonical domain name; a resolver follows the alias and then looks up the canonical name.

MX Records: These specify mail servers responsible for email delivery for a domain.

TXT Records: They hold text information, often used for verification or to provide information.
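As an added illustration (not code from the original article), the following small in-memory resolver shows how the record types above are looked up, and in particular how a CNAME is chased to its canonical name before an A record is returned. The zone data is constructed: example.com is a reserved documentation domain and the addresses are from documentation ranges; the function and zone names are assumptions for this example.

```python
# Added example, not from the original article: a tiny in-memory resolver that
# demonstrates A, CNAME, MX and TXT lookups and CNAME chasing with loop protection.
# The zone below is constructed for illustration (documentation domain/addresses).
from typing import Dict, List, Tuple

# Constructed zone data: (owner name, record type) -> list of record data
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com.", "A"): ["192.0.2.10"],
    ("www.example.com.", "CNAME"): ["example.com."],      # alias -> canonical name
    ("mail.example.com.", "A"): ["192.0.2.25"],
    ("example.com.", "MX"): ["10 mail.example.com."],     # preference + mail host
    ("example.com.", "TXT"): ['"v=spf1 mx -all"'],        # text record (SPF here)
    # Deliberately broken pair to show why a resolver must bound CNAME chains
    ("loop-a.example.com.", "CNAME"): ["loop-b.example.com."],
    ("loop-b.example.com.", "CNAME"): ["loop-a.example.com."],
}

MAX_CNAME_DEPTH = 8  # guard against CNAME loops and over-long alias chains


def resolve(name: str, rtype: str, zone: Dict[Tuple[str, str], List[str]] = ZONE) -> List[str]:
    """Return the record data for (name, rtype), following CNAMEs like a resolver.

    Returns an empty list when no record exists; raises ValueError on a CNAME loop
    or a chain longer than MAX_CNAME_DEPTH.
    """
    if not name.endswith("."):
        name += "."               # normalise to a fully qualified name
    seen: List[str] = []
    for _ in range(MAX_CNAME_DEPTH):
        if (name, rtype) in zone:
            return zone[(name, rtype)]
        cname = zone.get((name, "CNAME"))
        if not cname:
            return []             # no data of this type and no alias to follow
        if name in seen:
            raise ValueError(f"CNAME loop involving {name}")
        seen.append(name)
        name = cname[0]           # chase the alias to its canonical name
    raise ValueError("CNAME chain too long")


if __name__ == "__main__":
    for n, t in [("www.example.com", "A"), ("example.com", "MX"), ("example.com", "TXT")]:
        print(n, t, resolve(n, t))
```

The loop guard is the part worth noting: a real resolver bounds CNAME chasing for exactly this reason, and a misconfigured zone that aliases two names to each other would otherwise make the lookup spin.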

https://io.bikegremlin.com/13980/cloudflare-dns-setup/

DMZ (Demilitarized Zone)

In the realm of IT, a DMZ stands for “Demilitarized Zone.” It’s a segmented part of a network that acts as a buffer zone between the internet (untrusted network) and the private internal network (trusted network). The DMZ is designed to host services that need to be accessible from the internet, like web servers, email servers, or FTP servers, while still providing a level of security by separating these external-facing services from the internal network.

Placing the servers that interact with the public or other external entities in the DMZ helps mitigate the risk of attacks against the internal network. It is essential, however, to set up proper security measures within the DMZ itself, such as firewalls, intrusion detection systems, and access controls, to safeguard both the external-facing services and the internal network from potential threats.

FARM (Safe Zone)

Server Farm (Safe Zone): A server farm is a collection or group of servers that work together to handle tasks, manage workloads, or provide services. It is a cluster of servers typically used to enhance reliability, scalability, and performance. The server farm sits behind the DMZ.

A sequence of tools is commonly used in the DMZ to filter traffic and manage requests effectively:

Firewalls: Act as the initial line of defense, controlling incoming and outgoing traffic based on predetermined security rules. Firewalls are essential in a DMZ to filter and block potentially malicious traffic, helping to prevent unauthorized access to sensitive internal resources.

Intrusion Detection/Prevention Systems (IDS/IPS): An IDS monitors network traffic for suspicious activity or known attack patterns and generates alerts upon detection. An IPS, on the other hand, sits inline and actively blocks the threats it identifies. Deploying these systems in the DMZ helps detect and mitigate potential attacks in real time.

Web Application Firewalls (WAF): Specifically focused on filtering and monitoring HTTP traffic to and from web applications, a WAF helps protect web applications from various attacks such as SQL injection, cross-site scripting (XSS), and other web-based threats. Placing a WAF in the DMZ adds an extra layer of security for web applications.

Proxy Servers/Reverse Proxies: Proxy servers or reverse proxies such as NGINX or Apache can be used to handle incoming requests from external clients and route them to the appropriate internal services. They can also provide additional security by performing SSL/TLS termination, caching, and load balancing.

Content Filtering Systems: Employed to filter and control content accessed by users within the DMZ. These systems help enforce policies regarding web content, restricting access to certain websites or content categories based on predefined rules.

SSL/TLS Inspection: Dedicated tools capable of inspecting encrypted traffic to ensure it’s secure and doesn’t contain threats. These tools decrypt SSL/TLS traffic, inspect it for malicious content, and re-encrypt it before passing it along.

Logging and Monitoring Tools: Crucial for tracking and analyzing network traffic patterns, security events, and system activities within the DMZ. Centralized logging and monitoring systems help in identifying potential security incidents and analyzing traffic trends.

Communication between a DMZ and a server farm typically occurs through specific network configurations, such as:

Firewalls: A firewall separates the DMZ from the internal network and the server farm. It controls traffic between these zones, allowing certain types of data or communication while blocking others. Rules within the firewall are set up to permit communication between the DMZ and the farm based on defined criteria (protocols, ports, IP addresses, etc.).

Proxy Servers: Proxy servers can be placed within the DMZ to act as intermediaries between external (public-facing) services and the internal server farm. They can manage and regulate traffic, enhancing security by filtering requests and responses before they reach the server farm.

Reverse Proxies: These are similar to proxies but operate in the opposite direction. They sit in the server farm and manage incoming requests from the DMZ, serving as a gateway that provides additional security and load balancing.

Virtual Private Networks (VPNs): If remote access to the server farm is required from the DMZ, VPNs can be employed to establish secure connections. VPNs create encrypted tunnels over the public internet, ensuring that data transmitted between the DMZ and the server farm remains secure.

Network Segmentation: By segmenting the network into different zones (DMZ, server farm, internal network), network administrators can control communication between these zones through access control lists (ACLs), VLANs (Virtual Local Area Networks), or other segmentation techniques.
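To make the firewall and segmentation rules between the zones concrete, here is an added example (not code from the original article) of a small zone-based policy evaluator: addresses are mapped to zones (Internet, DMZ, farm, internal), rules are matched on zone pair, protocol and port, an optional host restriction lets only the DMZ reverse proxy reach the farm, and anything not explicitly allowed is denied. The zone ranges, addresses, ports and rule set are constructed assumptions, not values from the article.

```python
# Added example, not from the original article: a zone-based firewall policy
# evaluator modelling Internet -> DMZ -> server farm segmentation with default deny.
# Zone ranges, hosts, ports and rules below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone map: which address ranges belong to which zone
ZONES = {
    "DMZ": ipaddress.ip_network("10.1.0.0/24"),
    "FARM": ipaddress.ip_network("10.2.0.0/24"),
    "INTERNAL": ipaddress.ip_network("10.3.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Classify an address into a zone; anything unknown is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    action: str                      # "allow" or "deny"
    src_host: Optional[str] = None   # optional host-level restriction within src_zone


# Constructed policy: first matching rule wins, otherwise default deny
POLICY: List[Rule] = [
    # The Internet may reach only the public web tier (WAF / reverse proxy) in the DMZ
    Rule("INTERNET", "DMZ", "tcp", 443, "allow"),
    # Only the DMZ reverse proxy (assumed 10.1.0.10) may call the app tier in the farm
    Rule("DMZ", "FARM", "tcp", 8443, "allow", src_host="10.1.0.10"),
    # Operators on the internal network may administer the farm over SSH
    Rule("INTERNAL", "FARM", "tcp", 22, "allow"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int, policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for a flow, using first-match semantics and default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.port) != (src_zone, dst_zone, proto, port):
            continue
        if rule.src_host is not None and rule.src_host != src_ip:
            continue                 # right zone, but not the permitted host
        return rule.action
    return "deny"                    # default deny: nothing else crosses a zone boundary


if __name__ == "__main__":
    # Constructed sample flows: public client, proxy-to-farm, and a direct attempt at the farm
    for flow in [("203.0.113.5", "10.1.0.10", "tcp", 443),
                 ("10.1.0.10", "10.2.0.20", "tcp", 8443),
                 ("203.0.113.5", "10.2.0.20", "tcp", 8443)]:
        print(flow, "->", evaluate(*flow))
```

The two properties to check in any real rule base are the same ones the evaluator enforces: the Internet never has a path to the farm that does not pass through the DMZ tier, and a compromised DMZ host other than the reverse proxy still cannot open the application port.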

Internet Banking Architecture

General Internet banking architecture

EJB (Enterprise JavaBeans): A server-side component architecture used for building scalable, distributed, and transactional applications. It provides a framework for creating modular business logic components that can be deployed in a Java EE application server.

ESB (Enterprise Service Bus): Middleware that provides a centralized, flexible, and scalable platform to facilitate communication, integration, and orchestration among the various services, applications, and systems within an enterprise.
