
Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?



A network firewall may be redundant if you have complete and tight
control over all hosts on the network segment.  If you can reliably
control differentiated access to services that the hosts are
presenting (e.g., publish access to management services such as
terminal services and SSH to only authorized management systems) by
using only controls on the exposed hosts (host firewalls, et cetera),
then a network firewall is unnecessary.

What a network firewall provides is a central chokepoint for that type
of control.  Particularly in an enterprise, it may be more efficient
to provide that blunt network control at one, central location rather
than managing many rulesets on many separate hosts.  Controls on the
host must be tight, certainly, but a network firewall can be used to
handle the blunt, IP/port-based access control while more fine-grained,
application-level controls are applied at the host.

-JT

On Tue, Mar 25, 2008 at 10:27 AM, william fitzgerald
<wfitzgerald@xxxxxxxx> wrote:
> Dear Web Application Experts,
>
>  Are Firewalls (Network Access Controls) obsolete in regard to Enterprise
>   Web Service Environments?
>
>  This is a genuine request for pros and cons as I lack the years of
>  experience of enterprise service deployment and security practices that
>  you may have.
>
>  My argument is that it appears to me that (secure) Enterprise Web
>  Service applications, particularly those involving access control, are
>  typically focused at the application-domain only, rather than taking a
>  more holistic approach to also include the underlying infrastructure
>  (for example, firewalls). As a result, infrastructure configurations may
>  unintentionally hinder and prohibit the normal operation of the Web Service.
>
>  Thus, the ideal firewall configuration is one that is aligned with the
>  application supported by the system, that is, it permits valid
>  application traffic, and, preferably, no more and no less.
>
>  While the Web Services may provide applications with security services,
>  I am arguing that firewalls still have a role to play in securing the
>  low-level infrastructure. In particular as it is considered best
>  practice to rely on multiple layers of security.
>
>  What I presume is that Web Service developers assume the underlying
>  infrastructure is automatically available. Also there seems to be a
>  tendency to tunnel (for example SOAP) over http or https. From this
>  point of view, Web Service developers may form the opinion that
>  firewalls are redundant as they typically have ports 80 and 443
>  accessible (and forward traffic to specialized user-space programs for
>  further packet processing).
>
>  Maybe this is correct! What are your views as application experts?
>
>  In my opinion, deploying a network level firewall (such as Linux
>  Netfilter) provisioned for Enterprise Web Services is not simply about
>  opening port 80 on the server for all traffic; one may wish to deny
>  certain nodes (IP addresses, etc.), only accept HTTP traffic from some
>  nodes, require other nodes to use HTTPS and also deal with HTTP traffic
>  that is tunneled through proxies available on other ports.
>
>  Comments?
>
>  While low level infrastructure such as network firewalls may not solve
>  all security issues ( as a more suitable application based XML firewall
>  would) in regard to Web Service applications, I believe they have a role
>  to play in applying the belt-and-braces approach to security best practices.
>
>  Comments?
>
>  What I am really looking for is some concrete documents, publications,
>  administrator experience that helps clarify the important role of
>  Network Access Controls (firewalls, IPS etc) within an enterprise SOA
>  environment, if any.
>
>  kind regards,
>  Will.
>
>  --
>  William M. Fitzgerald,
>  PhD Student,
>  Telecommunications Software & Systems Group,
>  ArcLabs Research and Innovation Centre,
>  Waterford Institute of Technology,
>  WIT West Campus,
>  Carriganore,
>  Waterford.
>  Office Ph: +353 51 302937
>  Mobile Ph: +353 87 9527083
>  Web: www.williamfitzgerald.org
>       www.linkedin.com/in/williamfitzgerald
>       www.ryze.com/go/wfitzgerald
>
>
>
>
>  ----------------------------------------------------------------------------
>  Join us on IRC: irc.freenode.net #webappsec
>
>  Have a question? Search The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/
>
>  Subscribe via RSS:
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
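The policy both messages describe (deny particular nodes outright, accept plain HTTP only from some networks, require HTTPS from everyone else, and expose management services such as SSH only to authorized management hosts, with everything else dropped) can be written down as an ordered first-match rule list and checked against sample packets before it is loaded into Netfilter. The block below is an added example, not code from either poster; the addresses are constructed from the RFC 5737 documentation ranges and the rendering into iptables syntax is one possible mapping of such a policy, not the configuration anyone on the thread used.

```python
"""First-match, default-deny packet filter model for a web service host.

Added illustration for the thread above; addresses are constructed
(RFC 5737 / RFC 1918 documentation and private ranges), not real hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Rule:
    action: str
    src: object                   # ipaddress network the rule matches on
    dport: Optional[int] = None   # None means "any destination port"
    comment: str = ""


def rule(action: str, src: str, dport: Optional[int] = None, comment: str = "") -> Rule:
    return Rule(action, ip_network(src), dport, comment)


# Ordered policy: Netfilter walks a chain top to bottom and the first
# matching rule decides; a packet that matches nothing gets the chain's
# default policy.  Order therefore matters: the blanket deny for the
# abusive node must come before the broad "anyone to 443" accept.
POLICY: List[Rule] = [
    rule(DROP,   "198.51.100.7/32",      comment="abusive node, deny everything"),
    rule(ACCEPT, "203.0.113.0/24", 80,   comment="legacy partner net may use plain HTTP"),
    rule(ACCEPT, "0.0.0.0/0",      443,  comment="everyone else must use HTTPS"),
    rule(ACCEPT, "10.0.0.0/24",    22,   comment="SSH only from the management net"),
]
DEFAULT_POLICY = DROP


def evaluate(policy: List[Rule], src_ip: str, dport: int,
             default: str = DEFAULT_POLICY) -> str:
    """Verdict for a TCP packet from src_ip to local port dport."""
    src = ip_address(src_ip)
    for r in policy:
        if src in r.src and (r.dport is None or r.dport == dport):
            return r.action
    return default


def to_iptables(policy: List[Rule], chain: str = "INPUT",
                default: str = DEFAULT_POLICY) -> List[str]:
    """Render the same ordered policy as iptables commands for one chain."""
    lines = [f"iptables -P {chain} {default}"]
    for r in policy:
        cmd = f"iptables -A {chain} -s {r.src}"
        if r.dport is not None:
            cmd += f" -p tcp --dport {r.dport}"
        if r.comment:
            cmd += f' -m comment --comment "{r.comment}"'
        cmd += f" -j {r.action}"
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    # Constructed sample packets: (source, destination port)
    samples = [("198.51.100.7", 443), ("203.0.113.10", 80), ("192.0.2.5", 80),
               ("192.0.2.5", 443), ("10.0.0.9", 22), ("192.0.2.5", 22)]
    for src, port in samples:
        print(f"{src:>14} -> :{port:<4} {evaluate(POLICY, src, port)}")
    print()
    print("\n".join(to_iptables(POLICY)))
```

The model only covers the "blunt" IP/port layer JT describes; a real ruleset on the host would additionally need a conntrack rule admitting established return traffic, and anything about the HTTP or SOAP payload itself (Will's "application based XML firewall") is out of scope for this layer by design.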




Brought to you by http://www.webappsec.org