I agree with you 100%. I’m very conscious of security and realize that having a “service” exposed externally requires more than just opening a port in the firewall. However, if you’re opening up the server externally, you must be interested in offering some value that you have on your intranet. If you really want to make sure that no one unauthorized is using your network, then I suggest that you look at VPN or SSL communication using 2-way certs (hmmm…I’m not sure if that is supported in XMPP, an exercise for another day).
So if you’re still interested in letting users connect to your intranet without a strong means of authenticating the users (VPN or 2-way cert), then it’s a matter of defense in depth. When Pampero comes around, I would still recommend a firewall between the open ports in the CM and the wild, wild net, for two reasons. One is load balancing (since you’ll need a round robin mechanism, assuming that DNS RR is not good enough) and basic DoS and TCP SYN attacks. Snort and its kind offer some interesting options when it comes to detecting (and potentially resolving) those types of attacks. This should be running on a server in front of your DMZ. Second, the CMs will most likely be checking authentication (at least if they’re terminating the SSL connection…in fact they’ll have to…since they need to process the payload) and an optional flag to verify the integrity of the request. The CM will live in your DMZ. Most DMZ servers have at least two network interfaces, usually translating the DMZ IP address (incoming on one NIC) to another internal subnet (outgoing on the second NIC). Finally you get to your “service.” Typically at this level, you’re more interested in fault tolerance and scalability. JM has been tested with 7-8k connections. Definitely plenty of room for any small to medium sized community.
As for LDAP and Oracle server…make sure that the accounts that are used are limited to only the data they should have access to. LDAP users can be constrained (I’m not sure which LDAP server you’re using, but OpenLDAP, iPlanet and AD can all limit the visibility of a particular user). Oracle is the same way and even goes a step further and allows you to put resource constraints on users so they don’t use up all the memory, connections, processing power, etc. You need to choose your values correctly.
So, after saying all that…finding a proxy that does all that is going to be difficult. Each layer needs to uphold its end of the bargain and do its job. In the scenario I described above, the only piece that is exposed to the internet is a computer that sits in front of the DMZ. I would strongly recommend that you leverage your Sun infrastructure and look at SunScreen to provide that front level of support. CM will provide additional integrity checks, but JM already provides these and more.
I hope this helps,
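The Oracle side of the account-limiting advice in the post above, as an added example that is not part of the original post: a profile that caps sessions and CPU per account, a least-privilege application login, the grants it actually needs, and the init parameter that makes the limits take effect. The names `jm_app`, `jm_app_profile`, `jive_owner` and `jiveUser` are placeholders, as is the password.

```sql
-- Added example (not from the original post). Names are placeholders:
-- jm_app is the account the messaging server logs in with, jive_owner owns the tables.

-- 1. Profile resource limits are ignored unless RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- 2. A profile that caps what this one account can consume.
CREATE PROFILE jm_app_profile LIMIT
  SESSIONS_PER_USER       50        -- size this to the connection pool, not UNLIMITED
  CPU_PER_SESSION         6000000   -- hundredths of a second
  CPU_PER_CALL            30000     -- hundredths of a second, per single SQL call
  LOGICAL_READS_PER_CALL  100000    -- blocks one SQL call may read
  CONNECT_TIME            1440      -- minutes
  IDLE_TIME               30        -- minutes
  FAILED_LOGIN_ATTEMPTS   5
  PASSWORD_LIFE_TIME      90;       -- days

-- 3. The application account: tied to the profile, no storage of its own.
CREATE USER jm_app IDENTIFIED BY "CHANGE_ME_placeholder"
  PROFILE jm_app_profile
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;                 -- it cannot create objects of its own

-- 4. Only what the server needs: log in, and touch the named tables.
GRANT CREATE SESSION TO jm_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON jive_owner.jiveUser TO jm_app;
-- ...repeat per application table; no RESOURCE role, no "ANY" privileges.

-- 5. Verify: the account should hold nothing beyond the explicit grants.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'JM_APP';
SELECT owner, table_name, privilege FROM dba_tab_privs WHERE grantee = 'JM_APP';
```

The two verification queries are what to check after any schema change, since a later `GRANT RESOURCE` or `GRANT ... ANY ...` silently undoes the constraint.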