Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
- From: "Joe White" <joe@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?
- Date: Fri, 28 Mar 2008 09:16:28 -0700
Will,
I wish you the best of luck with your studies and research but also
offer a few parting thoughts, ..
I encourage you not to think of traditional Layer 4 security in terms
of an academic exercise but to be more pragmatic based upon changes
within the current threat environment.
I applaud you for your initial question that asked for validation of
the need for traditional Layer 4 security model as it applies to web
applications. There are no doubt a number of opinions on the matter
and I would encourage you to align yourself with the forward thinkers
in the group as opposed to the ones more resistant to change.
I believe that there is consensus on the merits of traditional Layer 4
security in some cases and perhaps at the end of the day, the question
really is where do you use it and where do you not use it?
A larger enterprise network will likely face larger issues due to
legacy design considerations than a lighter more focused and
contemporary network serving only web applications.
If you were to walk into the NOC of an organization focused on serving
only web applications and ask where the traditional Layer 4 security
was in front of the web farm, you may be surprised at what you learn.
Perhaps my experiences are not representative but I have found that
the network engineers in these installations are generally world-class
in their talent and expertise. They think about the world in terms of
packets and latency and if you start talking about adding another hop
between the user and the web farm just so you can inspect Layer 4
traffic when Layer 4 traffic has already been filtered/addressed at
either the border router or the load balancer, they will likely ask if
you had forgotten to take your medication for the day. =)
As a general rule, you can usually get a few span ports (or if you are
lucky some network taps) in front of the web farm if you want to see
the network traffic but even if you did, what would you put there?
You have likely already noticed that the WAF topic is generally pretty
contentious as well. There is no doubt an opinion or two in the group
about the misleading nature of the word "firewall" in the WAF name but
to be clear, you need to be focusing your attention on what tools
offer you, as a security professional/researcher, more visibility into
Layer 7 threats and challenges. I submit that upon closer
examination, you will likely find that traditional Layer 4 (network)
security models fall short here and strangely resemble the dinosaurs
noticing that the climate is a bit colder this year than last.
I would respectfully offer that the greatest benefit of the WAF
security model is that it offers what is euphemistically called "just
in time patching" as well as more visibility into the web application
traffic in terms of forensics. Ivan Ristic offers a useful breakdown
of WAF use cases in his blog here:
http://www.modsecurity.org/blog/archives/2008/03/web_application_4.html
As security professionals we are required to always adapt to changes
in the threat environment. Our goal should be to adapt proactively
and not reactively. We should also strive to be ahead of the curve in
terms of changes in the overall threat landscape and not hold on
blindly to what has worked in the past.
Your initial question suggests that you are capable of 'thinking out
of the box' on these issues and I encourage you to foster that ability
to its fullest potential.
Hope this helps,
Joe
<<<>>>
On Wed, Mar 26, 2008 at 10:39 AM, william fitzgerald
<wfitzgerald@xxxxxxxx> wrote:
> Thanks Joe,
>
> As you suggest not all servers are bastion hosts so border access
> control is required as one step in the security process.
>
> I must research WAFs and their role. Presumably they cannot provide
> access control at lower layers and so there is still a need for a mixed
> breed of firewalls.
>
> regards,
> Will.
>
>
>
> Joe White wrote:
> > Very interesting question. Perhaps much more interesting than it
> > initially seems, ...
> >
> > I think you may be ahead of your time in asking this question. =)
> >
> > My initial reaction was of course you still need Layer 4 firewalls
> > even if you are deploying Layer 7 firewalls because Layer 7 firewalls
> > are still rapidly evolving and traditional network security on the
> > perimeter is more mature and adds to a 'Defense in Depth' strategy.
> >
> > However, I also submit for consideration that many of the existing
> > networks hosting web applications were likely built before the Web
> > Application Firewall (WAF) was considered viable for deployment. So
> > in a sense, it could be argued that the traditional network security
> > infrastructure was likely a legacy deployment.
> >
> > If you think about it, TCP port traffic can be filtered on the border
> > router (only allow TCP 80 and TCP 443). I have seen a couple of
> > blazing fast networks built for performance and speed with this
> > configuration. With ASICs, you can get pretty close to wire speed
> > while TCP filtering on the network perimeter.
> >
> > So, if all you need is TCP port filtering in front of the web
> > application (web farm) then why wouldn't filtering TCP port traffic at
> > the border router be a viable solution?
> >
> > The question you have to ask yourself is what are you trying to
> > accomplish with your network architecture? What are your security
> > objectives?
> >
> > Consider for the moment a network designed from scratch just for a web
> > application (no legacy components) and you could design the network
> > any way you wanted, ...
> >
> > I can envision a network segment designed to only accommodate web
> > application traffic (front door to web farm) with no other daemons
> > running on the web servers and each web server adequately hardened at
> > the OS level. This same network may have another network segment
> > (side door) that includes traditional Layer 4 security in order to
> > accommodate VPN access for administration, SSH, etc. My point being
> > that isn't it fair to say that you can optimize a network segment to
> > accommodate only web traffic without the need for traditional network
> > layer security?
> >
> > After filtering TCP port traffic at the border router, you would
> > likely need a Load Balancer (terminate SSL/TLS or not) and then a
> > Layer 7 (web application) firewall in front of the presentation tier
> > of your web application. For the cost of traditional Layer 4
> > security, you could probably deploy Imperva SecureSphere (no vendor
> > affiliation - just using as an example) in front of the presentation
> > tier and also have budget to deploy SecureSphere between the
> > application tier and the database tier. In this case, the whole
> > network is designed from scratch to serve/secure only web traffic.
> >
> > I guess at the end of the day what you really have to ask yourself is
> > how many daemons (TCP ports) are you trying to accommodate.
> >
> > Hope this helps,
> > Joe
> >
> > <<<>>>
> >
> >
> > On Tue, Mar 25, 2008 at 10:27 AM, william fitzgerald
> > <wfitzgerald@xxxxxxxx> wrote:
> >> Dear Web Application Experts,
> >>
> >> Are Firewalls (Network Access Controls) obsolete in regard to Enterprise
> >> Web Service Environments?
> >>
> >> This is a genuine request to pros and cons as I lack the years of
> >> experience of enterprise service deployment and security practices that
> >> you may have.
> >>
> >> My argument is that it appears to me that (secure) Enterprise Web
> >> Service applications, particularly those involving access control, are
> >> typically focused at the application-domain only, rather than taking a
> >> more holistic approach to also include the underlying infrastructure
> >> (for example, firewalls). As a result, infrastructure configurations may
> >> unintentionally hinder and prohibit the normal operation of the Web Service.
> >>
> >> Thus, the ideal firewall configuration is one that is aligned with the
> >> application supported by the system, that is, it permits valid
> >> application traffic, and, preferably, no more and no less.
> >>
> >> While the Web Services may provide applications with security services,
> >> I am arguing that firewalls still have a role to play in securing the
> >> low-level infrastructure. In particular as it is considered best
> >> practice to rely on multiple layers of security.
> >>
> >> What I presume is that Web Service developers assume the underlying
> >> infrastructure is automatically available. Also there seems to be a
> >> tendency to tunnel (for example SOAP) over http or https. From this
> >> point of view, Web Service developers may form the opinion that
> >> firewalls are redundant as they typically have ports 80 and 443
> >> accessible (and forward traffic to specialized user-space programs for
> >> further packet processing).
> >>
> >> Maybe this is correct! What are your views as application experts?
> >>
> >> In my opinion, deploying a network level firewall (such as Linux
> >> Netfilter) provisioned for Enterprise Web Services is not simply about
> >> opening port 80 on the server for all traffic; one may wish to deny
> >> certain nodes (IP addresses, etc.), only accept HTTP traffic from some
> >> nodes, require other nodes to use HTTPS and also deal with HTTP traffic
> >> that is tunneled through proxies available on other ports.
> >>
> >> Comments?
> >>
> >> While low level infrastructure such as network firewalls may not solve
> >> all security issues (as a more suitable application based XML firewall
> >> would) in regard to Web Service applications, I believe they have a role
> >> to play in applying the belt-and-braces approach to security best practices.
> >>
> >> Comments?
> >>
> >> What I am really looking for is some concrete documents, publications,
> >> administrator experience that helps clarify the important role of
> >> Network Access Controls (firewalls, IPS etc) within an enterprise SOA
> >> environment, if any.
> >>
> >> kind regards,
> >> Will.
> >>
> >> --
> >> William M. Fitzgerald,
> >> PhD Student,
> >> Telecommunications Software & Systems Group,
> >> ArcLabs Research and Innovation Centre,
> >> Waterford Institute of Technology,
> >> WIT West Campus,
> >> Carriganore,
> >> Waterford.
> >> Office Ph: +353 51 302937
> >> Mobile Ph: +353 87 9527083
> >> Web: www.williamfitzgerald.org
> >> www.linkedin.com/in/williamfitzgerald
> >> www.ryze.com/go/wfitzgerald
> >>
> >>
> >>
> >>
> >> ----------------------------------------------------------------------------
> >> Join us on IRC: irc.freenode.net #webappsec
> >>
> >> Have a question? Search The Web Security Mailing List Archives:
> >> http://www.webappsec.org/lists/websecurity/
> >>
> >> Subscribe via RSS:
> >> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >>
> >>
> >
>
> --
>
>
> William M. Fitzgerald,
> PhD Student,
> Telecommunications Software & Systems Group,
> ArcLabs Research and Innovation Centre,
> Waterford Institute of Technology,
> WIT West Campus,
> Carriganore,
> Waterford.
> Office Ph: +353 51 302937
> Mobile Ph: +353 87 9527083
> Web: www.williamfitzgerald.org
> www.linkedin.com/in/williamfitzgerald
> www.ryze.com/go/wfitzgerald
>
>
>
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
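The thread keeps returning to one concrete question: what does a Layer 4 policy in front of a web farm actually need to express? Will describes it as more than "open port 80": deny certain nodes, accept plain HTTP only from some nodes, require HTTPS from the rest, and Joe adds a separate management path for SSH/VPN. The following is an added example, not code from either poster: a small first-match rule evaluator in the style of Netfilter, with a renderer that emits the same policy as an nftables chain for review. Every address range (203.0.113.0/24, 198.51.100.0/24, 10.0.0.0/8, 192.0.2.0/24) is a constructed documentation value, and the chain name `web_in` is an assumption.

```python
"""Model of a first-match, Netfilter-style packet filter for a web farm.

Encodes the policy discussed in the thread: drop a blocklisted range,
allow plain HTTP only from a trusted partner range, require HTTPS from
everyone else, and expose SSH only to the management segment. The
default policy is DROP, so anything not listed (e.g. port 22 from the
Internet) never reaches the web servers. All addresses are constructed
examples for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    src: Optional[str] = None     # CIDR, or None for any source
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every specified field matches."""
        if self.src is not None:
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Rule order matters: the first matching rule decides, like an INPUT chain.
WEB_FARM_POLICY: List[Rule] = [
    Rule("DROP", src="203.0.113.0/24", comment="blocklisted node range"),
    Rule("ACCEPT", src="198.51.100.0/24", proto="tcp", dport=80,
         comment="partner may use plain HTTP"),
    Rule("ACCEPT", proto="tcp", dport=443, comment="everyone else must use HTTPS"),
    Rule("ACCEPT", src="10.0.0.0/8", proto="tcp", dport=22,
         comment="SSH only from the management segment"),
]


def evaluate(policy: List[Rule], pkt: Packet, default: str = "DROP") -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the matching rule) or (default, None)."""
    for i, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


def to_nft(policy: List[Rule], chain: str = "web_in") -> str:
    """Render the policy as an nftables chain (for review; not executed here)."""
    lines = [f"chain {chain} {{", "    type filter hook input priority 0; policy drop;"]
    for rule in policy:
        parts = []
        if rule.src:
            parts.append(f"ip saddr {rule.src}")
        if rule.proto and rule.dport is not None:
            parts.append(f"{rule.proto} dport {rule.dport}")
        parts.append(rule.action.lower())
        suffix = f"  # {rule.comment}" if rule.comment else ""
        lines.append("    " + " ".join(parts) + suffix)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # blocklisted, even over HTTPS
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),   # partner on plain HTTP
        Packet("192.0.2.99", "192.0.2.10", "tcp", 80),     # Internet user on HTTP: dropped
        Packet("192.0.2.99", "192.0.2.10", "tcp", 443),    # Internet user on HTTPS
        Packet("192.0.2.99", "192.0.2.10", "tcp", 22),     # SSH from the Internet: dropped
        Packet("10.1.2.3", "192.0.2.10", "tcp", 22),       # SSH from management
    ]
    for pkt in samples:
        verdict, idx = evaluate(WEB_FARM_POLICY, pkt)
        print(f"{pkt.src:>14} -> {pkt.proto}/{pkt.dport:<4} {verdict:<6} rule={idx}")
    print(to_nft(WEB_FARM_POLICY))
```

The evaluator is useful on its own for auditing a proposed ruleset against a table of expected traffic before anything is loaded on a border device; the rendered chain is meant to be read alongside it, so that what was reviewed and what gets deployed stay the same policy.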