Hi Casper,

For this use case, there's an option on the ActiveMQ networkConnector
to set up a duplex connection. That way, you don't have to open up a
port in the firewall from the DMZ to the internal network - you could
only initialize the connection from the internal network broker to the
one in the DMZ and you can still get messages being forwarded in both
directions.


Regards,

Gert Vanthienen


On Tue, Aug 12, 2014 at 5:48 PM, Casper <[email protected]> wrote:
> Hi Cristoffer,
>
> I like the way you synthesize the architecture design using the terms of the
> industry!
>
> Regarding your infrastructure, you seem to have the following:
>
> **********
> Incoming msg
> **********
>
>  f        D M Z        f      I N T E R N A L
>  i            notif    i
>  r ---> AMQ ---------  r --> A
>  e          <--------  e <-- M <--------> system
>  w             get     w     Q  notif&get
>  a                     a
>  l                     l
>  l                     l
>
> The security team here don't like those incoming ports. They talk about
> risks related to incoming JMS requests forged to exploit a weakness in
> the protocol implementation. I know they are low since they are built up and
> sent from a trusted system (vs sent from an external system). The risk is
> more about someone who breaks into a system in the DMZ *then* tries to exploit
> weaknesses in the protocol implementation.
>
> I'll take a look at what this port gives access to. If only limited
> functionalities are exposed (ex. only receiving notification vs request for
> writing message in queues), your architecture may be able to satisfy my
> security team needs.
>
> Btw, relating my needs to your own experience was helpful.
>
> Thank you Christoffer!
>
>
>
> --
> View this message in context: 
> http://servicemix.396122.n5.nabble.com/Network-of-brokers-Shared-database-in-master-master-mode-tp5721581p5721583.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.
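
The duplex setup suggested in the reply above, sketched as an added configuration example that is not part of the original messages. The broker names, connector names, hostname `dmz-broker.example.org` and port 61616 are assumptions.

```xml
<!-- File 1: activemq.xml on the INTERNAL broker (all names and hosts are assumed) -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="internal-broker">
  <networkConnectors>
    <!-- The internal broker dials out to the DMZ broker. duplex="true" makes
         the DMZ broker forward messages back over this same TCP connection,
         so the DMZ side never has to open a connection inward. -->
    <networkConnector name="internal-to-dmz"
                      uri="static:(tcp://dmz-broker.example.org:61616)"
                      duplex="true"/>
  </networkConnectors>
  <transportConnectors>
    <!-- Listener used by clients on the internal network only -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
</broker>

<!-- File 2: activemq.xml on the DMZ broker (all names are assumed) -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="dmz-broker">
  <!-- No networkConnector here: the DMZ broker only accepts connections,
       including the bridge initiated from the internal network. -->
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
</broker>
```

With this layout the firewall between the DMZ and the internal network only needs a rule allowing connections initiated from the internal broker to the DMZ broker's listener.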
