Very interesting question. Perhaps much more interesting than it
initially seems, ...
I think you may be ahead of your time in asking this question. =)
My initial reaction was of course you still need Layer 4 firewalls
even if you are deploying Layer 7 firewalls because Layer 7 firewalls
are still rapidly evolving and traditional network security on the
perimeter is more mature and adds to a 'Defense in Depth' strategy.
However, I also submit for consideration that many of the existing
networks hosting web applications were likely built before the Web
Application Firewall (WAF) was considered viable for deployment. So
in a sense, it could be argued that the traditional network security
infrastructure was likely a legacy deployment.
If you think about it, TCP port traffic can be filtered on the border
router (only allow TCP 80 and TCP 443). I have seen a couple of
blazing fast networks built for performance and speed with this
configuration. With ASICs, you can get pretty close to wire speed
while TCP filtering on the network perimeter.
So, if all you need is TCP port filtering in front of the web
application (web farm) then why wouldn't filtering TCP port traffic at
the border router be a viable solution?
The question you have to ask yourself is what are you trying to
accomplish with your network architecture? What are your security
objectives?
Consider for the moment a network designed from scratch just for a web
application (no legacy components) and you could design the network
any way you wanted, ...
I can envision a network segment designed to only accommodate web
application traffic (front door to web farm) with no other daemons
running on the web servers and each web server adequately hardened at
the OS level. This same network may have another network segment
(side door) that includes traditional Layer 4 security in order to
accommodate VPN access for administration, SSH, etc. My point being
that isn't it fair to say that you can optimize a network segment to
accommodate only web traffic without the need for traditional network
layer security?
After filtering TCP port traffic at the border router, you would
likely need a Load Balancer (terminate SSL/TLS or not) and then a
Layer 7 (web application) firewall in front of the presentation tier
of your web application. For the cost of traditional Layer 4
security, you could probably deploy Imperva SecureSphere (no vendor
affiliation - just using as an example) in front of the presentation
tier and also have budget to deploy SecureSphere between the
application tier and the database tier. In this case, the whole
network is designed from scratch to serve/secure only web traffic.
I guess at the end of the day what you really have to ask yourself is
how many daemons (TCP ports) are you trying to accommodate.
Hope this helps,
Joe
<<<>>>
On Tue, Mar 25, 2008 at 10:27 AM, william fitzgerald
<wfitzgerald@xxxxxxxx> wrote:
Dear Web Application Experts,
Are Firewalls (Network Access Controls) obsolete in regard to Enterprise
Web Service Environments?
This is a genuine request for pros and cons, as I lack the years of
experience of enterprise service deployment and security practices that
you may have.
My argument is that it appears to me that (secure) Enterprise Web
Service applications, particularly those involving access control, are
typically focused at the application-domain only, rather than taking a
more holistic approach to also include the underlying infrastructure
(for example, firewalls). As a result, infrastructure configurations may
unintentionally hinder and prohibit the normal operation of the Web Service.
Thus, the ideal firewall configuration is one that is aligned with the
application supported by the system, that is, it permits valid
application traffic, and, preferably, no more and no less.
While the Web Services may provide applications with security services,
I am arguing that firewalls still have a role to play in securing the
low-level infrastructure, in particular as it is considered best
practice to rely on multiple layers of security.
What I presume is that Web Service developers assume the underlying
infrastructure is automatically available. Also there seems to be a
tendency to tunnel (for example SOAP) over http or https. From this
point of view, Web Service developers may form the opinion that
firewalls are redundant as they typically have ports 80 and 443
accessible (and forward traffic to specialized user-space programs for
further packet processing).
Maybe this is correct! What are your views as application experts?
In my opinion, deploying a network level firewall (such as Linux
Netfilter) provisioned for Enterprise Web Services is not simply about
opening port 80 on the server for all traffic; one may wish to deny
certain nodes (IP addresses, etc.), only accept HTTP traffic from some
nodes, require other nodes to use HTTPS and also deal with HTTP traffic
that is tunneled through proxies available on other ports.
Comments?
While low level infrastructure such as network firewalls may not solve
all security issues (as a more suitable application based XML firewall
would) in regard to Web Service applications, I believe they have a role
to play in applying the belt-and-braces approach to security best practices.
Comments?
What I am really looking for is some concrete documents, publications,
administrator experience that helps clarify the important role of
Network Access Controls (firewalls, IPS etc) within an enterprise SOA
environment, if any.
kind regards,
Will.
--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
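As an added illustration (not from either poster), the Netfilter policy Will sketches (deny listed nodes, plain HTTP only from some nodes, HTTPS for everyone else, proxy-style ports handled explicitly) combined with Joe's web-only segment and its management "side door". All addresses, interface names and proxy ports are constructed placeholders, and treating "HTTP tunnelled through proxies on other ports" as traffic arriving on common proxy ports is an assumption.

```shell
#!/bin/sh
# Constructed example: a default-deny Netfilter policy for a web-only segment.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
MGMT_NET="${MGMT_NET:-10.0.1.0/24}"                   # admin/VPN "side door" (assumed)
HTTP_ONLY_NETS="${HTTP_ONLY_NETS:-198.51.100.0/24}"   # nodes allowed plain HTTP (constructed)
DENY_NODES="${DENY_NODES:-203.0.113.7 203.0.113.9}"   # nodes denied outright (constructed)
PROXY_PORTS="${PROXY_PORTS:-8080,3128,8000}"          # assumed proxy-style ports

apply_web_policy() {
    # Default deny inbound and forwarded traffic; allow loopback and replies
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 1. Deny certain nodes before any accept rule can match them
    for n in $DENY_NODES; do
        $IPT -A INPUT -i "$WAN_IF" -s "$n" -j DROP
    done
    # 2. Plain HTTP (TCP 80) only from the listed nodes
    for n in $HTTP_ONLY_NETS; do
        $IPT -A INPUT -i "$WAN_IF" -s "$n" -p tcp --dport 80 -j ACCEPT
    done
    # 3. Everyone else must use HTTPS (TCP 443); port 80 from them hits the DROP policy
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 443 -j ACCEPT
    # 4. HTTP aimed at proxy-style ports: log for detection, then reset so
    #    clients fail fast instead of timing out against the DROP policy
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$PROXY_PORTS" \
         -j LOG --log-prefix "web-seg proxy-port: "
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$PROXY_PORTS" \
         -j REJECT --reject-with tcp-reset
    # Side door: SSH for administration only from the management segment
    $IPT -A INPUT -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    # No other daemons are expected on the web farm, so nothing else is opened
}

# Run with APPLY=1 to apply (combine with IPT=echo to preview the rule set)
if [ "${APPLY:-0}" = "1" ]; then
    apply_web_policy
fi
```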
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]