Show Menu
TOPICS×

Network layer security

Network security vulnerabilities are among the first threats to any Internet-facing or intranet-facing application server, and you must harden hosts on the network against these vulnerabilities.
Here are some common techniques that reduce network security vulnerabilities:
Technique
Description
Demilitarized zones (DMZs)
Segmentation must exist in at least two levels with the application server that is used to run Adobe Primetime DRM when Primetime DRM is behind the inner firewall. You must separate the external network from the DMZ that includes the web servers, and the web servers must be separated from the internal network. You can use firewalls to implement these layers of separation.
You can categorize and control the traffic that passes through each network layer to ensure that only the absolute minimum of required data is allowed.
Private IP addresses
Use Network Address Translation (NAT) with RFC 1918 private IP addresses on Primetime DRM application servers. You can assign private IP addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) to make it more difficult for an attacker to route traffic to and from a NAT internal host through the Internet.
Firewalls
Here are some criteria to consider when selecting a firewall solution:
  • Implement firewalls that support proxy servers and/or stateful inspection, instead of simple packet-filtering solutions.
  • Use a firewall that supports a security paradigm in which you can deny all services, except the explicitly permitted services.
  • Implement a firewall solution that is dual-homed or multi-homed. This architecture provides the greatest level of security and prevents unauthorized users from bypassing the firewall security.