Network layer security
Network security vulnerabilities are among the first threats to any Internet-facing or intranet-facing application server, and you must harden hosts on the network against these vulnerabilities.
Here are some common techniques that reduce network security vulnerabilities:
Demilitarized zones (DMZs)
When Primetime DRM runs behind the inner firewall, the network must be segmented into at least two layers around the application server that runs Adobe Primetime DRM. Separate the external network from the DMZ that contains the web servers, and separate those web servers from the internal network. Firewalls are the usual way to implement both layers of separation.
You can categorize and control the traffic that passes through each network layer to ensure that only the absolute minimum of required data is allowed.
Private IP addresses
Use Network Address Translation (NAT) with RFC 1918 private IP addresses on Primetime DRM application servers. You can assign private IP addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) to make it more difficult for an attacker to route traffic to and from a NAT internal host through the Internet.
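The two controls above (layered DMZ segmentation and RFC 1918 addressing for the DRM hosts) can be checked as policy-as-code. The following is an added example, not Adobe's code; the host names, addresses, zone labels and port numbers are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private ranges named in the text.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Layer order of the design: external -> DMZ (web servers) -> internal (DRM).
ZONE_RANK = {"external": 0, "dmz": 1, "internal": 2}


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit(hosts, flows):
    """Check a segmentation design against the two rules from the text.

    hosts: {name: (zone, ip)}; flows: [(src_host, dst_host, port)].
    Returns a list of findings; an empty list means the design passes.
    """
    findings = []
    # Rule 1: anything behind the outer firewall must use a private address.
    for name, (zone, ip) in hosts.items():
        if zone != "external" and not is_rfc1918(ip):
            findings.append(f"{name} ({ip}) in zone '{zone}' is not RFC 1918 private")
    # Rule 2: no permitted flow may cross more than one layer at a time,
    # i.e. external traffic must terminate in the DMZ, never reach internal.
    for src, dst, port in flows:
        src_zone, dst_zone = hosts[src][0], hosts[dst][0]
        if abs(ZONE_RANK[dst_zone] - ZONE_RANK[src_zone]) > 1:
            findings.append(f"flow {src}->{dst}:{port} bypasses the DMZ layer")
    return findings


# Constructed sample topology (hypothetical names, addresses and ports).
HOSTS = {
    "internet": ("external", "203.0.113.10"),
    "web1": ("dmz", "10.0.1.10"),
    "drm1": ("internal", "10.0.2.20"),   # Primetime DRM application server
}
FLOWS_OK = [("internet", "web1", 443), ("web1", "drm1", 8080)]
# A broken variant: DRM host on a public address, reachable straight from outside.
HOSTS_BAD = dict(HOSTS, drm1=("internal", "198.51.100.5"))
FLOWS_BAD = [("internet", "drm1", 8080)]

if __name__ == "__main__":
    print("ok design:", audit(HOSTS, FLOWS_OK))
    print("bad design:", audit(HOSTS_BAD, FLOWS_BAD))
```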
Here are some criteria to consider when selecting a firewall solution: