Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
- Date: Wed, 26 Mar 2008 11:11:05 -0700
On Wed, Mar 26, 2008 at 9:51 AM, william fitzgerald
<wfitzgerald@xxxxxxxx> wrote:
> Thanks David.
>
> I am obviously on the right track in justifying the necessity for
> network-level firewalls amongst application firewalls and inbuilt
> application security providing a holistic security approach.
Sure. Firewalls are useful for "holistic" security. So are background checks.
They just aren't that useful for application security.
>
> I agree wholeheartedly that firewalls are open to tunneling.
They kind of have to be.
> But I think there are a few things network firewalls can do at the lower
> layers such as rate limit traffic preventing DoS attacks on web services
> or permit only the IP subnet of business partners to web services over
> http and https.
You don't need a firewall for either of those issues.
Sure, a firewall would help, but you could do this on the host, the app
or web server, or build a simple NBAD on top of a sniffer to monitor
and set QOS bits to throttle rate. </firewall>
I will argue these are our least important application security issues.
Firewalls, as they are most commonly used today, PIX and Checkpoint,
and say, even Sidewinder, aren't really used for rate limiting (most
cannot handle demanding rate-limiting needs) and their value
in IP restrictions is minimal at best given how most folks want to
expose their WSS or RESTful APIs to the web.
> Also I guess Deep Packet Inspection (DPI) helps at the upper layers of
> the OSI stack. Most network-level firewalls can support this albeit not
> as deeply as dedicated application gateways.
Has anything demonstrated DPI to be useful?
Seriously, you're still chasing a syntax problem with DPI. At least, every
"DPI" implementation I've seen. While they could theoretically address
things like SQL injection -- the implementations I've seen attempting to
address basic SQL Injection are laughable at best.
> If you have time to pass on the links or names of various white papers I
> would appreciate that a lot.
Agreed. I'd like to see a paper covering recent (December 2004 on) attacks
that have caused real loss, versus the network controls that could have
helped mitigate this loss.
The way firewalls and IPS are deployed and used today, I don't see them
helping much in most of the attacks I see/hear going on.
Note: I am NOT saying that Firewalls are not useful. Things would probably
be *a lot* worse without Firewalls, IPS, all the normal perimeter stuff
we depend on. Defense in depth, blah blah blah
You asked about application controls, though, and I don't see
anyone demonstrating real value here for these controls for
applications.
So even if you take Mitre's CWE and break down all the syntactical
elements, and show how your Firewall or DPI solution could solve
for those.....in the real world they never seem to actually solve.
This is due to deployment/implementation, performance limitations,
encryption constraints, etc. etc., but I'd guess 99% of deployments
are not capable of scrubbing any meaningful traffic (or even
understanding it).
This still utterly ignores the very large semantic problem with
business rules/logic, which your firewalls are useless for.
Yet people are exploiting these.
Buy any concert tickets recently? Experience any online
auction fraud? Lose your domain to an HTML mail CSRF
attack recently?
That's the kind of stuff that's cooking up today, and this
thread just isn't relevant at all to it.
To be clear: I'm not saying throw out your firewalls & IPS.
Most people cannot control their environments enough
to do that safely. But you asked:
"Are Firewalls (Network Access Controls) obsolete in
regard to Enterprise Web Service Environments?"
The answer is clearly: yes. No one has demonstrated
any meaningful value a firewall can provide that you
can't also easily accomplish on the host or in the software.
And more: I'll say again: are DoS and lack of ingress
ACLs the real security threats we are facing with
our web services?
I'd like to see some data on that if it exists.
If not, NAC approaches are obsolete.
--
Arian Evans, software security stuff
reformed hacker turned animal rights activist to meet hot chicks
concerned with those tasty animals
>
> Johnson, David E wrote:
> > Not an expert, but -- short and unsatisfying answer -- it very much depends
> > on the enterprise in question.
> > 1. Firewalls are vulnerable to tunneling. To address this requires
> > enterprise implement content security like that supported by the
> > Intel(r) SOA Security Toolkit. (For more info try
> > www.intel.com/software/xml )
> >
> > 2. The existence of content protection does not obviate the need for
> > transport layer security and firewalls. We cannot assure that today's
> > dynamic organizational environment will link equally secured systems and
> > have the same risk thresholds throughout.
> >
> > 3. We do not want to become so advanced we become vulnerable to the old
> > attacks again....like assuming a rifle and jets protects you from
> > having to learn hand-to-hand combat--terrain and visibility are constantly
> > shifting. The true trick is ensuring the legacy security layers are
> > complementary and not supplementary with newer ones and used in the
> > appropriate environments to avoid unacceptable security vulnerabilities
> > at the right cost in performance and dollars.
> >
> > Issues I have raised for you in addition to the simple--should I use
> > both:
> > Risk Management
> > Total Cost of Ownership
> >
> > Help address this in a systematic way tied to your question and you may
> > have a topic:). I will see if we have any whitepapers lying around.
> >
> > Dave
> > David E.A. Johnson
> > Director, Digital Security Products
> > Intel Corporation
> > SSG-MMD
> > 1815 S. Meyers Rd., Suite 150
> > Oakbrook Terrace, Illinois 60441
> > 770-433-3272 direct
> > 404-769-7207 mobile
> >
> >
> > -----Original Message-----
> > From: william fitzgerald [mailto:wfitzgerald@xxxxxxxx]
> > Sent: Tuesday, March 25, 2008 1:27 PM
> > To: websecurity@xxxxxxxxxxxxx
> > Subject: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise
> > Web Service Environment?
> >
> > Dear Web Application Experts,
> >
> > Are Firewalls (Network Access Controls) obsolete in regard to Enterprise
> > Web Service Environments?
> >
> > This is a genuine request to pros and cons as I lack the years of
> > experience of enterprise service deployment and security practices that
> > you may have.
> >
> > My argument is that it appears to me that (secure) Enterprise Web
> > Service applications, particularly those involving access control, are
> > typically focused at the application-domain only, rather than taking a
> > more holistic approach to also include the underlying infrastructure
> > (for example, firewalls). As a result, infrastructure configurations may
> > unintentionally hinder and prohibit the normal operation of the Web
> > Service.
> >
> > Thus, the ideal firewall configuration is one that is aligned with the
> > application supported by the system, that is, it permits valid
> > application traffic, and, preferably, no more and no less.
> >
> > While the Web Services may provide applications with security services,
> > I am arguing that firewalls still have a role to play in securing the
> > low-level infrastructure. In particular as it is considered best
> > practice to rely on multiple layers of security.
> >
> > What I presume is that Web Service developers assume the underlying
> > infrastructure is automatically available. Also there seems to be a
> > tendency to tunnel (for example SOAP) over http or https. From this
> > point of view, Web Service developers may form the opinion that
> > firewalls are redundant as they typically have ports 80 and 443
> > accessible (and forward traffic to specialized user-space programs for
> > further packet processing).
> >
> > Maybe this is correct! What are your views as application experts?
> >
> > In my opinion, deploying a network level firewall (such as Linux
> > Netfilter) provisioned for Enterprise Web Services is not simply about
> > opening port 80 on the server for all traffic; one may wish to deny
> > certain nodes (IP addresses, etc.), only accept HTTP traffic from some
> > nodes, require other nodes to use HTTPS and also deal with HTTP traffic
> > that is tunneled through proxies available on other ports.
> >
> > Comments?
> >
> > While low level infrastructure such as network firewalls may not solve
> > all security issues ( as a more suitable application based XML firewall
> > would) in regard to Web Service applications, I believe they have a role
> > to play in applying the belt-and-braces approach to security best
> > practices.
> >
> > Comments?
> >
> > What I am really looking for is some concrete documents, publications,
> > administrator experience that helps clarify the important role of
> > Network Access Controls (firewalls, IPS etc) within an enterprise SOA
> > environment, if any.
> >
> > kind regards,
> > Will.
> >
>
> --
> William M. Fitzgerald,
> PhD Student,
> Telecommunications Software & Systems Group,
> ArcLabs Research and Innovation Centre,
> Waterford Institute of Technology,
> WIT West Campus,
> Carriganore,
> Waterford.
> Office Ph: +353 51 302937
> Mobile Ph: +353 87 9527083
> Web: www.williamfitzgerald.org
> www.linkedin.com/in/williamfitzgerald
> www.ryze.com/go/wfitzgerald
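The Netfilter policy Will sketches above (deny named nodes, plain HTTP only from business-partner subnets, HTTPS for everyone else, and a per-source limit on new connections as crude flood control) written out as an nftables ruleset; this is an added example, not part of the thread, and the addresses are placeholders from the RFC 5737 documentation ranges.

```nft
#!/usr/sbin/nft -f
# Added example: the ingress policy described in the thread, for nftables.
# Addresses are constructed placeholders (RFC 5737 documentation ranges).
flush ruleset

table inet websvc {
    set partner_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }   # business partners: may use plain HTTP
    }

    set blocked_nodes {
        type ipv4_addr
        elements = { 198.51.100.7 }     # explicitly denied hosts
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Denied nodes are dropped before any service rule can match.
        ip saddr @blocked_nodes drop

        # Partners may reach the service over HTTP or HTTPS.
        ip saddr @partner_nets tcp dport { 80, 443 } ct state new accept

        # Everyone else must use HTTPS; each source address is limited to
        # 10 new connections per second, which blunts a simple SYN/connection flood.
        tcp dport 443 ct state new meter https_new { ip saddr limit rate 10/second } accept

        # Port 80 from non-partners falls through to the drop policy. Note the
        # limit of this layer: nothing here inspects the HTTP/HTTPS payload, so
        # injection and business-logic abuse still have to be handled in the
        # application itself, which is the point Arian makes above.
    }
}
```

Load with `nft -f` on a host with nftables; the `meter` rate limit keeps per-source state in a dynamic set, so the counter is per client address rather than global.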
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org