Show Menu
TOPICS×

Network layer security

Network security vulnerabilities are among the first threats to any Internet-facing or intranet-facing application server. This section describes the process of hardening hosts on the network against these vulnerabilities. It addresses network segmentation, Transmission Control Protocol/Internet Protocol (TCP/IP) stack hardening, and the use of firewalls for host protection.
This table describes common techniques that reduce network security vulnerabilities.
Technique
Description
Demilitarized zones (DMZs)
Segmentation must exist in at least two levels with the application server used to run Adobe Access placed behind the inner firewall. Separate the external network from the DMZ that contains the web servers, which in turn must be separated from the internal network. Use firewalls to implement the layers of separation. Categorize and control the traffic that passes through each network layer to ensure that only the absolute minimum of required data is allowed.
Private IP addresses
Use Network Address Translation (NAT) with RFC 1918 private IP addresses on Adobe Access application servers. Assign private IP addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to make it more difficult for an attacker to route traffic to and from a NAT internal host through the Internet.
Firewalls
Use the following criteria to select a firewall solution:
  • Implement firewalls that support proxy servers and/or stateful inspection instead of simple packet-filtering solutions.
  • Use a firewall that supports a security paradigm in which you can deny all services except those explicitly permitted.
  • Implement a firewall solution that is dual-homed or multi-homed. This architecture provides the greatest level of security and helps to prevent unauthorized users from bypassing the firewall security.