I would like to discuss some JBoss operating issues. Please have a look at the attached image.
We are currently operating some web applications running in a load-balanced JBoss environment (no clustering). Behind the main firewall, an Apache / mod_jk is used for the load balancing and the web applications are deployed on the JBoss servers in the DMZ. Behind a second firewall, the core components (EJBs) are deployed on internal servers inside the LAN, together with databases and other EIS systems.
However, the second firewall, and therefore the connections behind the webapps and the EJBs, are always a pain regarding setup & configuration, and we are planning a new infrastructure:
We would like to keep the Apache in the DMZ, and move the webapps @ JBoss into a new zone (let's call it just DMZ2), together with the JBoss servers containing the EJBs.
Question: Is this a secure approach?
A new third firewall could be introduced to separate the LAN with databases / EIS from the JBoss environment.