[WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?

[william fitzgerald <wfitzgerald@xxxxxxxx>]

Dear Web Application Experts,

Are Firewalls (Network Access Controls) obsolete in regard to Enterprise 
 Web Service Environments?

This is a genuine request to pros and cons as I lack the years of 
experience of enterprise service deployment and security practices that 
you may have.

My argument is that it appears to me that (secure) Enterprise Web 
Service applications, particularly those involving access control, are 
typically focused at the application-domain only, rather than taking a 
more holistic approach to also include the underlying infrastructure 
(for example, firewalls). As a result, infrastructure configurations may 
unintentionally hinder and prohibit the normal operation of the Web Service.

Thus, the ideal firewall configuration is one that is aligned with the 
application supported by the system, that is, it permits valid 
application traffic, and, preferably, no more and no less.

While the Web Services may provide applications with security services, 
I ma arguing that firewalls still have a role to play in securing the 
low-level infrastructure. In particular as it is considered best 
practice to rely on multiple layers of security.

What I presume is that Web Service developers assume the underlying 
infrastructure is automatically available. Also there seems to be a 
tendency to tunnel (for example SOAP) over http or https. From this 
point of view, Web Service developers may form the opinion that 
firewalls are redundant as they typically have ports 80 and 443 
accessible (and forward traffic to specialized user-space programs for 
further packet processing).

Maybe this is correct! What are your views as application experts?

In my opinion, deploying a network level firewall  (such as Linux 
Netfilter) provisioned for Enterprise Web Services is not simply about 
opening port 80 on the server for all traffic; one may wish to deny 
certain nodes (IP addresses, etc.), only accept HTTP traffic from some 
nodes, require other nodes to use HTTPS and also deal with HTTP traffic 
that is tunneled through proxies available on other ports.

Comments?

While low level infrastructure such as network firewalls may not solve 
all security issues ( as a more suitable application based XML firewall 
would) in regard to Web Service applications, I believe they have a role 
to play in applying the belt-and-braces approach to security best practices.

Comments?

What I am really looking for is some concrete documents, publications, 
administrator experience that helps clarify the important role of 
Network Access Controls (firewalls, IPS etc) within an enterprise SOA 
environment, if any.

kind regards,
Will.

--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
     www.linkedin.com/in/williamfitzgerald
     www.ryze.com/go/wfitzgerald




----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]