
Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?



Thanks David.

I am obviously on the right track in justifying the necessity for network-level firewalls amongst application firewalls and inbuilt application security providing a holistic security approach.

I agree wholeheartedly that firewalls are open to tunneling.

But I think there are a few things network firewalls can do at the lower layers such as rate limit traffic preventing DoS attacks on web services or permit only the IP subnet of business partners to web services over http and https.

Also I guess Deep Packet Inspection (DPI) helps at the upper layers of the OSI stack. Most network-level firewalls can support this albeit not as deeply as dedicated application gateways.

If you have time to pass on the links or names of various white papers I would appreciate that a lot.

regards,
Will.

Johnson, David E wrote:
Not an expert, but--Short and unsatisfying answer- It very much depends
on the enterprise in question.
1. Firewalls are vulnerable to tunneling. To address this requires
enterprise implement content security like that supported by the
Intel(r) SOA Security Toolkit. (For more info try
www.intel.com/software/xml )

2. The existence of content protection does not obviate the need for
transport layer security and firewalls. We cannot assure that today's
dynamic organizational environment will link equally secured systems and
have the same risk thresholds throughout.

3. We do not want to become so advanced we become vulnerable to the old
attacks again....like assuming a rifle and jets protect you from
having to learn hand-to-hand combat--terrain and visibility are constantly
shifting. The true trick is ensuring the legacy security layers are
complementary and not supplementary with newer ones and used in the
appropriate environments to avoid unacceptable security vulnerabilities
at the right cost in performance and dollars.

Issues I have raised for you in addition to the simple--should I use
both:
Risk Management
Total Cost of Ownership

Help address this in a systematic way tied to your question and you may
have a topic:). I will see if we have any whitepapers lying around.

Dave
David E.A. Johnson
Director, Digital Security Products
Intel Corporation
SSG-MMD
1815 S. Meyers Rd., Suite 150
Oakbrook Terrace, Illinois 60441
770-433-3272 direct
404-769-7207 mobile


-----Original Message-----
From: william fitzgerald [mailto:wfitzgerald@xxxxxxxx]
Sent: Tuesday, March 25, 2008 1:27 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?


Dear Web Application Experts,

Are Firewalls (Network Access Controls) obsolete in regard to Enterprise Web Service Environments?

This is a genuine request to pros and cons as I lack the years of experience of enterprise service deployment and security practices that you may have.

My argument is that it appears to me that (secure) Enterprise Web Service applications, particularly those involving access control, are typically focused at the application-domain only, rather than taking a more holistic approach to also include the underlying infrastructure (for example, firewalls). As a result, infrastructure configurations may unintentionally hinder and prohibit the normal operation of the Web Service.

Thus, the ideal firewall configuration is one that is aligned with the application supported by the system, that is, it permits valid application traffic, and, preferably, no more and no less.

While the Web Services may provide applications with security services, I am arguing that firewalls still have a role to play in securing the low-level infrastructure. In particular as it is considered best practice to rely on multiple layers of security.

What I presume is that Web Service developers assume the underlying infrastructure is automatically available. Also there seems to be a tendency to tunnel (for example SOAP) over http or https. From this point of view, Web Service developers may form the opinion that firewalls are redundant as they typically have ports 80 and 443 accessible (and forward traffic to specialized user-space programs for further packet processing).

Maybe this is correct! What are your views as application experts?

In my opinion, deploying a network level firewall (such as Linux Netfilter) provisioned for Enterprise Web Services is not simply about opening port 80 on the server for all traffic; one may wish to deny certain nodes (IP addresses, etc.), only accept HTTP traffic from some nodes, require other nodes to use HTTPS and also deal with HTTP traffic that is tunneled through proxies available on other ports.

Comments?

While low level infrastructure such as network firewalls may not solve all security issues (as a more suitable application based XML firewall would) in regard to Web Service applications, I believe they have a role to play in applying the belt-and-braces approach to security best practices.

Comments?

What I am really looking for is some concrete documents, publications, administrator experience that helps clarify the important role of Network Access Controls (firewalls, IPS etc) within an enterprise SOA environment, if any.

kind regards,
Will.


-- William M. Fitzgerald, PhD Student, Telecommunications Software & Systems Group, ArcLabs Research and Innovation Centre, Waterford Institute of Technology, WIT West Campus, Carriganore, Waterford. Office Ph: +353 51 302937 Mobile Ph: +353 87 9527083 Web: www.williamfitzgerald.org www.linkedin.com/in/williamfitzgerald www.ryze.com/go/wfitzgerald
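The two concrete things the thread asks a network-level firewall to do for a web service (Will's reply: rate-limit new connections and admit only partner subnets; the original message: a Netfilter policy that denies certain nodes, accepts plain HTTP only from some sources and requires HTTPS from others, with everything else dropped) can be written down as one application-aligned ruleset. The script below is an added example, not code from either poster: it generates an iptables-restore ruleset from a small policy description. The subnets and the blocked address are constructed placeholders from the RFC 5737 documentation ranges, the rate ceiling is an assumed value, and the helper names (`gen_ws_ruleset`, `count_rules`) are invented for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for a
# web-service host whose policy mirrors the application: partner subnets get
# HTTPS only, one internal subnet may use plain HTTP, a denylisted node is
# dropped, new connections are rate-limited per source, everything else is denied.
# Every address below is a constructed placeholder (RFC 5737 documentation ranges).

PARTNER_SUBNETS="203.0.113.0/24 198.51.100.0/24"   # constructed: business partners, HTTPS only
INTERNAL_HTTP_SUBNET="192.0.2.0/24"                # constructed: allowed to use plain HTTP
DENIED_NODES="198.51.100.77"                       # constructed: explicitly blocked host
NEW_CONN_LIMIT="50/second"                         # assumed per-source ceiling on new TCP connections
NEW_CONN_BURST="100"                               # assumed burst allowance before the ceiling bites

gen_ws_ruleset() {
    printf '%s\n' '*filter'
    # Default deny on INPUT: only traffic the application actually needs is admitted below.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Denylist first, so a blocked node that sits inside a partner subnet stays blocked.
    for node in $DENIED_NODES; do
        printf '%s\n' "-A INPUT -s $node -j DROP"
    done

    # Per-source rate limit on NEW connections to the web-service ports (stock hashlimit match).
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ws_new --hashlimit-mode srcip --hashlimit-above $NEW_CONN_LIMIT --hashlimit-burst $NEW_CONN_BURST -j DROP"

    # Business partners reach the service over HTTPS only.
    for net in $PARTNER_SUBNETS; do
        printf '%s\n' "-A INPUT -s $net -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    done

    # One internal subnet may use plain HTTP.
    printf '%s\n' "-A INPUT -s $INTERNAL_HTTP_SUBNET -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"

    # Anything else (other ports, unknown sources, proxy-tunnelled traffic on odd ports)
    # falls through to the INPUT DROP policy.
    printf '%s\n' 'COMMIT'
}

# Count rules by verdict so the policy can be eyeballed before it is loaded:
# the expected numbers are 5 ACCEPT rules and 3 DROP rules for the placeholders above.
count_rules() {
    gen_ws_ruleset | grep -c -- "-j $1"
}

# Usage on the host, as root: check syntax with
#   gen_ws_ruleset | iptables-restore --test
# then load without --test once the counts and rule order look right.
gen_ws_ruleset
```

The ordering is the point: the denylist is evaluated before any allow rule, the rate limiter sits before the partner allow rules so that partners are bounded too, and the chain policy rather than a trailing rule does the final deny, which is exactly the "permits valid application traffic and no more" configuration the original message asks for.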



