A subnet is an IP address range from which no other IP or Domain Name System (DNS) addresses that are located outside the network segment of the subnet can be reached. The implied consequences of this are as follows:
· You cannot reach external addresses from inside the subnet without the explicit use of proxy technology.
· With proxies between the subnet and external addresses, each access can be controlled at IP number level. This means that you can explicitly allow communication between IP 126.96.36.199 from inside the subnet to the address 188.8.131.52 outside the subnet, but to no other address worldwide.
· In particular, you can ensure that even if a server inside the subnet is hacked and conquered by an external hacker and this server is under complete control of the external hacker, the hacker cannot influence any other system outside the subnet. If there is no other server inside the subnet, it is impossible to gain access to any other system.
An important rule for network security states that HTTP calls should only be allowed from network areas with a high security level to network areas with the same or a lower security level, never the other way around.
This means that a call from the intranet (high security) to a server in the DMZ (lower security) is acceptable. Without the subnet, however, the rule would be violated for the external user, because the extranet has the lowest security level. The introduction of the IP subnet is therefore recommended because it creates an isolated IP range that can be considered as an artificial area with an even lower level of security.
Another reason for the subnet in the DMZ around the cFolders server (see figure Scenario A: cFolders) has already been mentioned: protection of other servers that already exist in the DMZ. A company usually places all servers that are accessible from the Internet inside the DMZ. This leads to a network area with several servers, one of which would be the cFolders server. By placing it, or even better, each DMZ server, in its own subnet, they are separated from each other on a low network level.
You can ensure that the transferred metadata and files are secure by using Secure Sockets Layer (SSL) technology. The SAP Web AS can be configured in such a way that it only allows HTTPS connections, and no HTTP connections. This is a requirement for the external user. The internal user could use HTTP, but in this case, you must ensure that the external user can only use the HTTPS address and not the HTTP address. You can achieve this by configuring the external firewall to allow access only via HTTPS to the IP addresses of the subnet in which the cFolders server is located.