
Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
William --

Bang. Dead. Done. Network firewalls are obsolete, or better
said -- they have less value today than they did in 1995-2003,
especially for the purposes of protecting your software.

Apparently others are not thinking correctly about this yet.

The perimeter has been dead for a long time. I used to tell people
this back around 2001 when I was helping glue web services and
asynchronous message queues together for financial institutions.
People didn't get it while their precious data was flapping in the
wind the whole time.

Network firewalls have a valid use as an access control mechanism,
for port and protocol pairing, and IP filtering, but that's it.

Networks have little to do with applications, and network security
has little to do with application security, though it exists almost
entirely because of it. (Necessary, but not sufficient.)

The firewall vendors have desperately tried to add junk features
to play in this space -- let's take Checkpoint's "AI"...."Application
Intelligence". I could argue most of the features are junk, but
let's say, for the sake of amusement, that Checkpoint actually
has some "application intelligence".

It won't ever see the interesting traffic. Not only does it lack
the notion of session and state, but it is a syntactical device
trying to solve a semantic problem. Never gonna work.

Even more so -- any interesting sessions are SSL encrypted,
and no network devices are able to inspect that traffic. (true,
this could be solved with minimal implementation, but out
in the real world -- no one terminates SSL except on their
webservers or load balancers. Seriously.)

Let's discuss web application firewalls. They aren't firewalls.

They are intermediary proxies trying to syntactically scrub
traffic, and largely they all fail due to poor implementation,
poor design/interface, or lack of good data.

"Software Security" is one part syntax problem, and one
large part semantic problem. Nothing with the word
"firewall" in it today understands the semantic web.

The WAFs could, and hopefully we can get them to do so
once they let go of their insane marketing messages.

Incidentally -- I think this will change soon though. A
couple of WAF vendors already "get it", and a few more
are coming to market that will (hopefully) give us what
we all need from web application "firewalls".

But they won't be a "firewall", despite the fact we'll
probably still call them that.

--

The world has already had plenty of free network penetration
tests. SQL Slammer was a great one, for example.

With recent SQL Inject bots/massive scripted attacks, the
software world is starting to get them too.

SQL injection is a syntax problem, so we COULD solve
that with a little (or a lot) of perimeter data scrubbing aka
a firewall, but there are many classes of weaknesses
that require a semantic notion of use-case or inferred
understanding of the software to "protect".

The problem here is that the perimeter is dead, so it's
damn near impossible to "firewall" off an entire piece
of software and make money with it too.

I think the WAFs (web app "firewalls") will evolve
to be protocol aware IPS devices, e.g. apply
"virtual patches" to known issues.

Possibly, some day, somebody will take all the
lessons we learned from NBADs and apply them
to software use-case and then we'll have a really
smart, business-enabling WAF that is semantic
in nature, and possibly statistical with regards
to syntax issues.

But today, most are still poorly marketed as "firewalls"
that magically "learn" your software and "firewall"
it off somehow. They can't and they don't, and
they've missed that firewalls are dead anyway.

So yes: all of the perimeter network widgets
marketed as Firewalls/IDS/IPS are pretty much
dead and useless for the currently evolving
threat landscape.

If the WAFs evolve into known weak attack-vector
blockers, or use-case enforcers, they will probably
make a great network widget solution, but they
really won't be anything like a network "firewall".

Network Firewalls are great at detecting and blocking
things like nmap scans.

If you want to detect or to block those nmap scans,
by all means, have at it.

But, but, who cares.

I believe I heard PCI or VISA say most cardholder
data is lost through SQL Injection.

I'd love for IBM's managed services to publish
some attack and compromise statistics (or anyone
with a large amount of measured network traffic).

But, until someone releases some really hard
data, I'm going to go with what we read in the
news that is causing companies real issues,
and it's almost never anything that a firewall
can do much about.

It's usually rogue wireless, or too high of a privilege
level in the software, or a flaw in some piece of
software that someone bad had access to.

Firewall or not.

Thanks for the great question. Cheers,

-- 
Arian Evans, software security stuff

reformed hacker turned animal rights activist to meet hot chicks
concerned with those tasty animals

On Tue, Mar 25, 2008 at 10:27 AM, william fitzgerald
<wfitzgerald@xxxxxxxx> wrote:
> Dear Web Application Experts,
>
>  Are Firewalls (Network Access Controls) obsolete in regard to Enterprise
>   Web Service Environments?
>
>  This is a genuine request to pros and cons as I lack the years of
>  experience of enterprise service deployment and security practices that
>  you may have.
>
>  My argument is that it appears to me that (secure) Enterprise Web
>  Service applications, particularly those involving access control, are
>  typically focused at the application-domain only, rather than taking a
>  more holistic approach to also include the underlying infrastructure
>  (for example, firewalls). As a result, infrastructure configurations may
>  unintentionally hinder and prohibit the normal operation of the Web Service.
>
>  Thus, the ideal firewall configuration is one that is aligned with the
>  application supported by the system, that is, it permits valid
>  application traffic, and, preferably, no more and no less.
>
>  While the Web Services may provide applications with security services,
>  I am arguing that firewalls still have a role to play in securing the
>  low-level infrastructure. In particular as it is considered best
>  practice to rely on multiple layers of security.
>
>  What I presume is that Web Service developers assume the underlying
>  infrastructure is automatically available. Also there seems to be a
>  tendency to tunnel (for example SOAP) over http or https. From this
>  point of view, Web Service developers may form the opinion that
>  firewalls are redundant as they typically have ports 80 and 443
>  accessible (and forward traffic to specialized user-space programs for
>  further packet processing).
>
>  Maybe this is correct! What are your views as application experts?
>
>  In my opinion, deploying a network level firewall (such as Linux
>  Netfilter) provisioned for Enterprise Web Services is not simply about
>  opening port 80 on the server for all traffic; one may wish to deny
>  certain nodes (IP addresses, etc.), only accept HTTP traffic from some
>  nodes, require other nodes to use HTTPS and also deal with HTTP traffic
>  that is tunneled through proxies available on other ports.
>
>  Comments?
>
>  While low level infrastructure such as network firewalls may not solve
>  all security issues ( as a more suitable application based XML firewall
>  would) in regard to Web Service applications, I believe they have a role
>  to play in applying the belt-and-braces approach to security best practices.
>
>  Comments?
>
>  What I am really looking for is some concrete documents, publications,
>  administrator experience that helps clarify the important role of
>  Network Access Controls (firewalls, IPS etc) within an enterprise SOA
>  environment, if any.
>
>  kind regards,
>  Will.
>
>  --
>  William M. Fitzgerald,
>  PhD Student,
>  Telecommunications Software & Systems Group,
>  ArcLabs Research and Innovation Centre,
>  Waterford Institute of Technology,
>  WIT West Campus,
>  Carriganore,
>  Waterford.
>  Office Ph: +353 51 302937
>  Mobile Ph: +353 87 9527083
>  Web: www.williamfitzgerald.org
>       www.linkedin.com/in/williamfitzgerald
>       www.ryze.com/go/wfitzgerald
>
>
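
Added example, not part of the thread above and not code from either poster: a short Python script that puts the syntax-versus-semantics argument in the reply into concrete terms. The table contents, the WAF signature list and every function name are constructed for illustration. A signature-based scrubber in front of a string-built query blocks the textbook injection payload, misses a variant it has no signature for (no quote, no "=" in it), and says nothing about whether the requesting user may read the record at all. The parameterized query with the ownership rule written into the application closes both, which is the "semantic notion of use-case" the reply says no firewall has.

```python
"""Syntactic scrubbing versus semantic enforcement, on a toy cardholder table.

Added example, not code from the original thread. Table contents, the
WAF signature list and all function names are constructed for illustration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two cardholder records, two owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, owner TEXT, pan TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [(1, "alice", "4111111111111111"), (2, "bob", "5500000000000004")],
    )
    return conn


# Hypothetical "perimeter data scrubbing": a handful of SQL injection
# signatures of the kind a signature-based WAF ships with.
SQLI_SIGNATURES = re.compile(r"(?i)('|--|;|\bunion\b|\bor\b\s+\d+\s*=\s*\d+)")


def waf_allows(value: str) -> bool:
    """Syntactic check only: True if no known signature matches."""
    return SQLI_SIGNATURES.search(value) is None


def get_card_syntax_only(conn, session_user: str, card_id: str):
    """The 'put a WAF in front of it' answer.

    The query is built by string concatenation (deliberately vulnerable) and
    the scrubber is the only defence. It blocks the textbook payload, is
    bypassed by a variant it has no signature for, and never looks at
    session_user at all. Returns None when the WAF blocks the request.
    """
    if not waf_allows(card_id):
        return None
    sql = "SELECT owner, pan FROM cards WHERE id = " + card_id
    return conn.execute(sql).fetchall()


def get_card_semantic(conn, session_user: str, card_id: str):
    """The fix in the software: a bound parameter plus the use-case rule
    'a user may only read their own cards'.

    Injection is a non-issue because the id is data, not SQL; a cross-user
    read returns nothing because the rule lives in the query itself.
    """
    return conn.execute(
        "SELECT owner, pan FROM cards WHERE id = ? AND owner = ?",
        (card_id, session_user),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("WAF + concat, textbook payload:     ", get_card_syntax_only(db, "alice", "1 OR 1=1"))
    print("WAF + concat, no-signature variant: ", get_card_syntax_only(db, "alice", "1 OR 2>1"))
    print("WAF + concat, valid id, other user: ", get_card_syntax_only(db, "alice", "2"))
    print("semantic, other user's card:        ", get_card_semantic(db, "alice", "2"))
    print("semantic, own card:                 ", get_card_semantic(db, "alice", "1"))
```

The second and third cases are the ones a firewall of any kind cannot see: the bypass is a signature race the scrubber will always be behind on, and the cross-user read is syntactically perfect traffic that only the application's own notion of "whose card is this" can refuse.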

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org