Conceptual System Design
This conceptual design separates each system function onto its own server, which allows the more sensitive functions and servers to be placed in increasingly secure network segments. It also allows each function to be performed by a specialized server, each of which is sized, configured, tuned, managed, and administered specifically for its distinct function.
The outer perimeter firewall (Firewall 1) separates the public Internet from the DENR network. Firewall 2 separates the DMZ from the internal network. Firewall 3 separates the internal network from the hardened internal network.
This design provides enhanced security by narrowing the attack surface at each successive firewall: each more sensitive network segment exposes fewer services, and a host can only reach the segment beyond it through the traffic that firewall explicitly allows.
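The following is an added illustration of the tiered policy, not configuration from the DENR design. Zone and firewall names follow the text; the server roles and ports (443 to a DMZ web tier, 8443 to an internal application tier, 5432 to a database in the hardened segment) are assumptions chosen for the example. It models each firewall as a default-deny allow list and then answers the two questions a reviewer asks of such a design: what can a host in a given segment reach, and how many segments must an attacker cross to get network access to the hardened tier.

```python
"""Tiered-firewall policy model for the three-segment design above.

Added illustration, not configuration from the DENR design: zone and
firewall names follow the text; the server roles and ports (443 to the
DMZ web tier, 8443 to the internal application tier, 5432 to a database
in the hardened segment) are assumptions chosen for the example.
"""
from collections import deque
from dataclasses import dataclass

# Segments ordered from least to most trusted.
ZONES = ["internet", "dmz", "internal", "hardened"]

# FIREWALLS[k] sits between ZONES[k] and ZONES[k + 1].
FIREWALLS = ["Firewall 1", "Firewall 2", "Firewall 3"]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int


# Explicit allow list per firewall; anything not listed is dropped
# (default deny).  Rules are written in terms of the packet's real source
# and destination segments, so a packet from the Internet does not match
# Firewall 2's DMZ-to-internal allow even though it would cross Firewall 2
# on the way in.
POLICY = {
    "Firewall 1": {Rule("internet", "dmz", 443)},
    "Firewall 2": {Rule("dmz", "internal", 8443)},
    "Firewall 3": {Rule("internal", "hardened", 5432)},
}


def firewalls_between(src_zone, dst_zone):
    """Firewalls a packet crosses travelling from src_zone to dst_zone."""
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    lo, hi = sorted((i, j))
    return FIREWALLS[lo:hi]


def permitted(src_zone, dst_zone, dst_port):
    """True only if every firewall on the path carries an explicit allow."""
    if src_zone == dst_zone:
        return True  # same segment: no firewall in the path
    wanted = Rule(src_zone, dst_zone, dst_port)
    return all(wanted in POLICY[fw] for fw in firewalls_between(src_zone, dst_zone))


def attack_surface(src_zone):
    """(segment, port) pairs a host in src_zone can reach at the network
    layer, i.e. what an attacker controlling that host can talk to."""
    ports = {r.dst_port for rules in POLICY.values() for r in rules}
    return {
        (zone, port)
        for zone in ZONES if zone != src_zone
        for port in ports
        if permitted(src_zone, zone, port)
    }


def compromise_path(src_zone, dst_zone):
    """Shortest chain of segments an attacker must take over, one host per
    segment, to obtain network access to dst_zone starting in src_zone.
    Returns None if no such chain exists under the policy."""
    parents = {src_zone: None}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt, _port in attack_surface(zone):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for zone in ZONES:
        print(f"{zone:9} can reach {sorted(attack_surface(zone))}")
    print("segments to cross for the hardened tier:",
          compromise_path("internet", "hardened"))
```

Running it shows the property the design relies on: the Internet can reach only port 443 in the DMZ, the DMZ can reach only the application port on the internal network, and reaching the hardened segment requires a foothold in each intervening segment in turn. Adding a rule such as `Rule("dmz", "hardened", 5432)` to Firewall 2 and Firewall 3 would immediately shorten that path, which is the kind of change a rule review should catch.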
Authentication is provided by the existing DENR enterprise authentication server. When the application server requires authentication for a user, the browser is redirected to the authentication server. After the user authenticates successfully, the browser is redirected back to the application server.
The authentication server interfaces with the NCID Access Management service. After successful authentication, the application server uses NCID Web services to obtain the user's NCID information and creates the user's account on the Portal if one does not already exist.
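The redirect flow above, as an added example that is not DENR or NCID code. The page does not specify how the authentication server tells the application that the user has authenticated, so the example assumes an HMAC-signed assertion carried in the query string of the return redirect and a key shared by the two servers; the host names, the key, and the in-memory `NCID_DIRECTORY` standing in for the NCID Web services lookup are all constructed for illustration. It includes the two checks that such a flow needs and that the text leaves implicit: the authentication server only redirects back to the Portal's own host, and the application server verifies the assertion's signature, audience and expiry before calling NCID and provisioning an account.

```python
"""Redirect-based authentication with NCID lookup and first-login account
creation, modelled on the flow described above.

Added example, not DENR or NCID code.  Assumptions: the authentication
server returns an HMAC-signed assertion in the query string (the real
token format is not given on this page), both servers share SHARED_KEY,
and the NCID Web services lookup is replaced by a constructed directory.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

APP_HOST = "portal.example.invalid"                 # assumed Portal host
AUTH_URL = "https://auth.example.invalid/login"     # assumed auth server
SHARED_KEY = b"example-key-replace-in-deployment"   # assumed shared secret
ASSERTION_TTL = 300                                 # seconds

# Constructed stand-in for the NCID Web services user lookup.
NCID_DIRECTORY = {
    "jdoe": {"ncid": "jdoe", "name": "Jane Doe", "email": "jdoe@example.invalid"},
}
portal_accounts = {}  # Portal accounts keyed by NCID, created on first login


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _clock(now):
    return time.time() if now is None else now


def extract_token(location):
    """Pull the assertion out of a callback URL's query string."""
    return parse_qs(urlparse(location).query)["token"][0]


def app_request(path, session=None):
    """Step 1: with no session, the application server redirects the
    browser to the authentication server and says where to come back."""
    if session is not None:
        return "200", session
    return_url = f"https://{APP_HOST}{path}"
    return "302", AUTH_URL + "?" + urlencode({"return": return_url})


def auth_server_login(login_location, username, credentials_ok, now=None):
    """Step 2: the authentication server checks the credentials (the NCID
    Access Management check is simulated by credentials_ok) and redirects
    the browser back to the application with a signed assertion."""
    return_url = parse_qs(urlparse(login_location).query)["return"][0]
    # Only redirect back to the Portal: an unchecked return URL would turn
    # the authentication server into an open redirector.
    if urlparse(return_url).hostname != APP_HOST:
        return "400", None
    if not credentials_ok:
        return "401", None
    claims = {"sub": username, "aud": APP_HOST,
              "exp": int(_clock(now)) + ASSERTION_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return "302", return_url + "?" + urlencode({"token": _b64(payload) + "." + _b64(sig)})


def verify_assertion(token, now=None):
    """Claims if the assertion is authentic, unexpired and addressed to
    this application; otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != APP_HOST or claims.get("exp", 0) < _clock(now):
        return None
    return claims


def app_callback(callback_location, now=None):
    """Step 3: back on the application server, verify the assertion, fetch
    the user's NCID record and create the Portal account if it is new."""
    claims = verify_assertion(extract_token(callback_location), now)
    if claims is None:
        return "401", None
    ncid_record = NCID_DIRECTORY.get(claims["sub"])  # NCID Web services call
    if ncid_record is None:
        return "403", None
    created = claims["sub"] not in portal_accounts
    if created:
        portal_accounts[claims["sub"]] = dict(ncid_record)
    return "200", {"user": claims["sub"], "created": created}


def login_flow(username, credentials_ok=True):
    """Drive the three redirects end to end; returns app_callback's result."""
    _status, login_location = app_request("/portal/home")
    status, callback_location = auth_server_login(login_location, username, credentials_ok)
    if status != "302":
        return status, None
    return app_callback(callback_location)
```

The first `login_flow("jdoe")` creates the Portal account and reports `created: True`; the second finds it and reports `created: False`. A user the NCID lookup does not know is refused even with a valid assertion, and a tampered or expired assertion never reaches the NCID call at all, which keeps the account-creation step from being driven by anything other than a successful authentication.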