Oracle 11Gex
Apex 5.14
ORDS 18
First let me acknowledge that the architecture of the solution we have in place is not ideal.
Internal network:
On the DB vm server, resides the 11Gex database with Apex 5.14.
On the App vm server, resides the ORDS 18 listener and Tomcat 9 app server.
On the Internal web vm server, resides IIS 10.
DMZ:
On the DMZ web vm server, resides Apache.
We had an internal application that had maybe 30 users, that sent our client email 'referrals' requesting client action that our staff could not handle themselves. Our client wanted access to the application to eliminate the email traffic and to help it manage workloads resulting from the referrals and to enable them to 'close the loop' on the referrals by closing them out in the application. Obtaining reporting on all this was gravy.
Expanding this small application beyond our internal network brings our corporate RISK team into the picture, who need a better grip on how an Apex application fits into their understanding of how a web-based application works and can be secured.
For clients to access this internal Apex application: SSL web traffic hits our firewall, which NATs the IP address and directs the SSL traffic to the DMZ Apache server. Apache acts as a reverse proxy to forward this SSL traffic to the internal IIS web server. The internal IIS web server uses rewrite rules to off-load the HTTPS traffic and forwards HTTP traffic to the internal ORDS/Tomcat application server, which connects to the internal DB server.
RISK wants two things:
1) the application must 'terminate the session' in the DMZ, performing authentication at that point. Then the DMZ application opens a new session with a different protocol with the internal application.
2) all applications must be 'supported' by the vendor, supplying security updates and patches on a regular basis
In regard to #2: Oracle Database Express is not supported by Oracle; no patches are created for this product. How many security issues have arisen for this product since the previous version, and how many were considered 'critical' security issues? Is this a true concern? I do not have an Oracle support agreement and cannot do this type of research myself. The cost to purchase an Oracle SE DB (to gain support) with 5 years of licensing runs almost $100K, for an application that will ever have at most 75 users.
In regard to #1: RISK wants the application broken into two parts, one in the DMZ and one internal, using different protocols for each, and putting the authentication in the DMZ. Is this even possible with APEX? It isn't a modular Java application, as the database creates the HTML from the metadata within Apex, not the application server. I would not want to put the ORDS/Tomcat in the DMZ, where it is MORE vulnerable (IMHO), just to gain this.
What do you think? How can I explain to RISK that what they want is just not possible with the tools at hand?
Or - is there some way to (reasonably) meet their needs or mitigate their concerns?
I do appreciate your time, imagination and assistance.
Rich
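For reference, the DMZ hop of the chain described in the post (client over HTTPS, firewall NAT, DMZ Apache, then the internal IIS server) written out as an Apache 2.4 httpd virtual host. This is an added example and not the poster's configuration; the hostnames, certificate paths, and the `/ords/` and `/i/` URL prefixes are assumptions. It also re-encrypts and verifies the leg from the DMZ to IIS, which the post does not say the existing setup does.

```apache
# Added example, not the poster's config: DMZ Apache as a TLS-terminating
# reverse proxy in front of the internal IIS server.
# Hostnames, cert paths and URL prefixes below are assumptions.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    ServerName referrals.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/referrals.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/referrals.example.com.key

    # Never behave as an open forward proxy; only the explicit ProxyPass
    # entries below are reachable.
    ProxyRequests Off
    ProxyPreserveHost On

    # Re-encrypt toward the internal IIS hop and verify its certificate
    # against an assumed internal CA, so the DMZ-to-internal leg is
    # neither plaintext nor spoofable by something else on that segment.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerName on

    # Record that the client arrived over HTTPS so the upstream chain
    # (IIS rewrite rules, then ORDS) can rebuild https:// URLs after
    # IIS off-loads TLS. Whether IIS passes it on is up to its rules.
    RequestHeader set X-Forwarded-Proto "https"

    # Expose only the assumed APEX entry point (/ords/) and static
    # images alias (/i/); every other path is refused at the DMZ.
    <Location />
        Require all denied
    </Location>
    <LocationMatch "^/(ords|i)/">
        Require all granted
    </LocationMatch>

    ProxyPass        /ords/ https://iis-internal.example.local/ords/
    ProxyPassReverse /ords/ https://iis-internal.example.local/ords/
    ProxyPass        /i/    https://iis-internal.example.local/i/
    ProxyPassReverse /i/    https://iis-internal.example.local/i/
</VirtualHost>
```

The point of the example is the two places a reviewer would look at in this kind of chain: whether the hop from the DMZ into the internal network is itself encrypted and certificate-verified (the `SSLProxy*` directives), and whether the proxy forwards the whole site or only the paths the application actually needs (the `Location` blocks). Neither changes the fact raised in the post that the HTML is still generated by the database, so this is a hardening of the existing reverse-proxy design rather than the split application RISK asked for.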