I-DBC concentrates all incoming IIOP traffic on exactly one transport address (1 IP address, 1 port). In order to make CORBA/EJB and NAT operate together, it automatically and transparently adapts CORBA/EJB object references (IORs) to NAT translated addresses.
The I-DBC performs SSL encryption and authenticates clients’ reliable application level firewall security. Then, the I-DBC performs deep packet inspection on all data streams expected to be IIOP messages and blocks all traffic with incorrect, malformed, or malicious content. Additionally, the I-DBC protects the internal network and applications infrastructure from attacks, the CORBA/EJB applications from misuse and unauthorized access and the IIOP messages in transfer over the outside network from exposure and tampering.
I-DBC ensures a high degree of security by performing strong authentication, authorization, auditing, and reliable encryption. It also enables easy CORBA security management by offering centralized policy administration.
OpenFusion I-DBC IIOP Firewall—in particular the IIOP proxy component—is designed and implemented to follow well-established firewall design principles and implementation practices. It adds an additional layer of security for defense-in-depth to multi-tier applications, not only in scenarios with IIOP end-to-end but also in typical J2EE scenarios.
For J2EE Web applications, the I-DBC constitutes an additional security barrier between the Web Server and the EJB server, providing reliable security for the business logic in the EJB server even in the case of successful attempts from the Internet to take over the Web Server.
OpenFusion's CORBA firewall (I-DBC) can integrate with your company's existing network infrastructure without any modifications to your existing applications, ensuring deployment flexibility. High availability is supported through full support for clusters.
OpenFusion's IIOP firewall is delivered with all of the software components necessary to operate a corporate IIOP firewall (application-level gateway), including a bastion host component, the OpenFusion Security Policy Server, and the OpenFusion Administration Console.
For environments with a variety of installed middleware software, the IIOP DBC can be deployed together with OpenFusion's WS-DBC, the Web Services Domain Boundary Controller, thereby saving investments in scenarios that require security for both technologies.
Traditional firewall technology, such as packet filtering and stateful inspection, does not provide the means to securely run CORBA and EJB based distributed applications through existing firewall installations: CORBA and EJB middleware do not work together with traditional firewall concepts, and traditional firewalls do not provide application level security, such as fine-grained access control.
There are two obvious problems for the use of the Internet Inter-ORB Protocol (IIOP) across today's firewalls:
Firstly, the dynamic allocation of addresses by CORBA and EJB middleware makes it difficult to know the host and port addresses used for transactions in advance. Therefore, firewall administrators cannot set firewall rules for the passing of IIOP traffic through firewalls that allow IIOP to pass but do not weaken the existing firewall's security.
Secondly, the addressing information of CORBA objects and Enterprise Java Beans, contained in the object references, is invalidated when crossing a Network Address Translating router or firewall.
Furthermore, reliable enterprise firewall security must comprise deep packet inspection and security enforcement at the application protocol level for all IIOP traffic crossing the enterprise's domain boundary. User authentication, authorization, content filtering, encryption, and security audit are essential requirements for the secure exposure of CORBA and EJB based services to business partners and the outside world.
The only viable solution for the problems and requirements mentioned above is an application level firewall component for the enterprise's firewall installation, an IIOP security gateway.
Micro Focus provides the only complete and middleware independent turn-key solution for IIOP firewalling and CORBA/EJB server security in high-security, high-availability and high-performance environments.
