
That is in fact what was done in an application I worked on. We used ColdFusion for both the Front-End and the "Commerce Server" and the commerce server only took credit card information from the front-end and could not give it back. It was behind its own hardware firewall and any exploit in ColdFusion would have been hidden from the front end unless it could be exploited through the API methods we exposed through the gateway. To gain access to any other URL endpoints you would need to access the server from within the firewall by connecting to a VPN gateway on a separate physical network that was only connected by a dedicated T1 to our office. We did this before there was PCI, because it made sense.

The whole system has now been rewritten in dotNET. It would be interesting to see if I can find that old CF app. It ran solid for almost ten years on the same 3 NT4 servers handling tens of thousands of users per day. And it could have probably run on one server except that we isolated the commerce and MSSQL functions from the front-end app.


