Are firewalls obsolete in a world involving enterprise applications SOA?


Are firewalls obsolete in a world involving enterprise applications SOA?

by wfitzgerald

Dear Firewall Experts,

Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Web Service SOA?

What do I mean by the above question: given that Web Services (J2EE and
so forth) tend to tunnel through http and https (eg. SOAP) what role can
a traditional network firewall play? If it's just a matter of opening
ports http and https for your dedicated enterprise services then is
there even a need for a firewall!

I am asking this question not to be flamed but to provoke a discussion
as to why we still need firewalls.

Assumptions:
++++++++++++
I use the term firewall loosely to mean "network access control". That
is, it's a mechanism to prevent unwanted packets. Therefore, a firewall
could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
cisco and so forth.

In particular, I have focused on Linux iptables and TCP Wrapper. I
realize that one can install an xml based firewall to inspect packet
content in regard to web services.

Scenario Network:
++++++++++++++++++
Internet ---> Firewall ---> Enterprise SOA Server  ---> Additional
firewalls and back-end database servers etc.

Is it a case that in this Enterprise SOA environment the NAC firewall is
made redundant (as opposed to an xml firewall):

Internet ---> Enterprise SOA Webservice server

Assuming of course the servers are dedicated Web Service servers that
run no other services such as DHCP, intranet web server, email and so
forth that need to be protected?

Firewall Justification:
+++++++++++++++++++++++

I am trying to find publications, white papers, reports etc that state
the case for the need for firewalls. I need something concrete.

The current information I have found (web service orientated!) tends to
say firewalls are obsolete when talking about enterprise SOA given that
once ports 80 and 443 are open on the firewall the SOA services are
exposed and hence protection happens at the application layer of the
particular service.

However, best practice suggests one should take a more holistic approach
to security and apply the "belt-and-braces" approach. That is, install
firewalls, IDS, AV, proper authentication at various OSI stack layers
etc etc. So we get a layered security effect, thus there must be a
justification for using a firewall still.

My Opinion:
+++++++++++

My opinion on what NAC firewalls can offer to web service SOA other than
simply opening ports http and https is as follows:

1) control access to those ports via ip address ranges (eg.
customer/business subscribers)
2) deep packet inspection to solicit appropriate content incoming and
outgoing from the SOA enterprise servers.
3) ???? what else would be done? please comment.

While I agree that there are xml based firewalls to monitor xml based
Web Service traffic, I wonder can they perform access controls at the
lower levels like network based firewalls (for example, block certain IP
addresses)? My guess is they don't given they operate at the application
layer.

I also wonder why one would invest in an xml firewall that is dedicated
to one kind of traffic profiling and not use for example a very
expensive cisco firewall that can cover a multitude of traffic
profiling. Presumably these expensive firewalls (or the equivalent
inexpensive iptables firewall) can inspect the packet for malicious
content to and from the enterprise servers (I believe we have
snort-2-iptables to also help here). At any rate, I do not want to start
a huge debate on the pros and cons of an xml firewall versus a network
firewall as I am aware dedicated firewalls specialize in various traffic
profiling. Also it's best practice to install a wide range of firewall
capabilities.

The real issue is the justification of NACs in an enterprise SOA
environment. Of course, if this enterprise environment also included the
company standard services such as email, dns, web server etc I can see
the major impact of the NAC firewall. But what is the case for dedicated
enterprise SOA?


My shortcomings:
++++++++++++++++
My inexperience in an enterprise network environment of how things are
really carried out rather than what is done in theory.


Summary:
++++++++
What role do NACs have to play in an environment of enterprise
application services?

All pointers to documentation and your comments are welcome.

I look forward to your support,
regards,
Will.

--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
      www.linkedin.com/in/williamfitzgerald
      www.ryze.com/go/wfitzgerald




Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by Brent Gueth



There are a few things that need to be taken into consideration (I'm going to speak at this from a proxy based firewall perspective).



1.  Can you always guarantee without a shadow of a doubt that these servers are not running any other services?  Can you verify that your staff will always do proper due diligence? Unless you can verify from now into eternity that the answer is yes and it can be locked down properly, there is always a place for a firewall.

2.  Do you have a certified DMZ currently?  Do these servers currently exist behind a firewall?  It has long been a tradition to have web servers that are publicly facing in a less secure DMZ.   This argument with new services is just rehashing this argument.   How do you maintain that the databases are secure to the web servers if you don't have a handle on the network getting to your DMZ?

If using a proxy firewall you can inspect the packets and verify that the HTTP packets follow the RFC and only allow commands that you want through if it's smart enough.   If it's HTTPS you could do the same thing with the firewall decrypting the packet and re-encrypting on the way out - essentially doing man in the middle scanning.

I've read how IPS and IDS are the second coming.  Well let's look at how harmful HTTPS could be.  Since many services going outbound can tunnel through HTTPS, without web filtering software that is constantly updated users can essentially do any function they please.   This will bypass any IDS or AV scanning until the software is already loaded on the machine since the scanners won't be able to look at encrypted packets.  So under this scenario as more things move to HTTPS - the argument would be that you would no longer need IDS or AV on these networks.

How do you control it then?  One is to decrypt the HTTPS onto a trusted proxy server which then forwards requests onto the actual webserver.   This will help mitigate the risks and allow you to see what is going on.   Whether you consider this a firewall, gateway, or a proxy it does fulfill the same role.

You also pointed out one other thing that's important - controlling source connection subnets/IPs.   Removing this sort of control removes any say so that you have in the future.

Since you asked what NACs exist in network or web development - in my experience none - the developers normally expect their software to work.   They don't care what impact it may have and their code may unintentionally enable other services on your web services.  NAC controls and development are two different mind sets but as time goes on they are getting closer.   Developers however don't normally understand networking so they don't care.






On Tue, Mar 25, 2008 at 7:56 AM, william fitzgerald <wfitzgerald@...> wrote:




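A minimal form of the request-line check Brent describes, as an added example that is not part of the thread or any poster's code: a POSIX sh filter of the kind a proxy firewall applies after it has terminated TLS, rejecting request lines that do not have the RFC 2616 shape (method SP request-URI SP HTTP-version) and methods outside an allowlist. The allowlist (GET and POST, what a SOAP endpoint typically needs), the origin-form-only target rule and the constructed sample request lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a request-line check of the kind a
# proxy firewall applies before forwarding to the SOA web service.
# Policy: a well-formed request line per RFC 2616 (method SP request-URI
# SP HTTP-version) and only the methods the service actually needs.

ALLOWED_METHODS="GET POST"      # assumption: the endpoint needs nothing else

# check_request_line LINE -> prints ALLOW or DENY:<reason>; returns 0 / 1
check_request_line() {
    line=$1
    # Control characters or non-ASCII in a request line are never legitimate.
    if printf '%s' "$line" | LC_ALL=C grep -q '[^ -~]'; then
        echo "DENY:non-printable"; return 1
    fi
    # RFC 2616 uses single SP separators and no leading/trailing whitespace.
    case "$line" in
        *"  "*|" "*|*" ") echo "DENY:malformed"; return 1 ;;
    esac
    # Exactly three fields (disable globbing so a '*' in the URI is inert).
    set -f; set -- $line; set +f
    if [ "$#" -ne 3 ]; then
        echo "DENY:malformed"; return 1
    fi
    method=$1; target=$2; version=$3
    case "$version" in
        HTTP/1.0|HTTP/1.1) ;;
        *) echo "DENY:bad-version"; return 1 ;;
    esac
    case "$target" in
        /*) ;;   # origin-form only: absolute URIs would turn us into an open proxy
        *) echo "DENY:bad-target"; return 1 ;;
    esac
    for m in $ALLOWED_METHODS; do
        if [ "$method" = "$m" ]; then echo "ALLOW"; return 0; fi
    done
    echo "DENY:method-not-allowed"; return 1
}

# Constructed sample request lines (not captured traffic); each gets a verdict.
while IFS= read -r l; do
    printf '%-40s %s\n' "$l" "$(check_request_line "$l")"
done <<'EOF'
GET /soa/orders?id=42 HTTP/1.1
POST /soa/orders HTTP/1.1
TRACE / HTTP/1.1
GET http://example.net/ HTTP/1.1
GET / HTTP/2.0
GET / HTTP/1.1 extra
EOF
```

The verdict comes back as ALLOW or DENY:<reason>, so the same function can drive both the reject and a log line for the IDS. A real proxy would additionally bound header count and size and check the Host header, which this snippet leaves out.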

Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by Geoffrey J Gowey

To be succinct: yes, firewalls are still very much a necessity.  If one ignores the more advanced features of firewalls and only focuses on the basic features of ip packet source/destination filtering there's still evidence of a clear need for them before even seeing what the usage of other technologies such as SMLI or SPF bring to the table.  Relying on operating system and application security alone is insufficient in a networked environment.

By putting internal and external firewalls in place, a corporation has choke points that can enforce corporate policy of what an application really should be limited to doing.  A for instance would be the limitation of IP access from a DMZ web server to a middle tier server for its data.  A firewall between the DMZ server and the middle tier server can be configured to ensure that this is the only access the server has and not access to other systems that it has no reason to be interacting with (such as a mail server).  This helps reduce exposure should the DMZ server be compromised.  Also, if the firewall between the DMZ server and the middle tier server is configured properly, you will be able to discover irregular activity that could indicate a misbehaving application or a server compromise by traffic trying to conduct actions that were not part of the agreed on policy.


On Tue, Mar 25, 2008 at 4:56 AM, william fitzgerald <wfitzgerald@...> wrote:






--
Kindest Regards,

Geoff

RE: Are firewalls obsolete in a world involving enterprise applications SOA?

by Alan Greig

Dear William,

I have provided Information Assurance consultancy services on behalf of the UK Security Services for some 8 years. In my experience the phrase Defence in Depth is key! Basic perimeter security devices play an important role however, as you correctly note, their effectiveness is no longer what it was. Dedicated / specific application security firewalls are required to mitigate the risks introduced by the new breed of web technologies. It is important to note that such solutions complement the protection offered by other more fundamental solutions.

I wish you well in your studies.

Kind Regards

Alan

-----Original Message-----
From: listbounce@... <listbounce@...>
To: firewalls@... <firewalls@...>
Sent: Tue Mar 25 11:56:05 2008
Subject: Are firewalls obsolete in a world involving enterprise applications SOA?









Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by Ron Brown-2

Greetings Will,

The short answer is yes... absolutely yes.

The long answer would be far too lengthy for this reply (plus my dinner would get cold).

Aside from the obvious benefits for filtering / verifying the inbound traffic, let's consider outbound traffic.
Unwanted data egress is as much of a problem (if not more) than what's coming in.

Let's say that I'm a bad guy..  I want your web server and I'm going to get it. Your box is only listening on TCP ports 80 and 443... you've got your web server well configured and patched... but you've got an application being delivered by that web server that has a weakness. (I know.. it could never happen to you, but humor me).  I find a way to exploit that weakness that doesn't give me direct access, but I can over-run your stack and write some "special code" into system memory. Let's say that code does something very common in "bad guy land"... it initiates an outbound connection (on some other port) to a netcat listener I've got waiting on another compromised box. Zowie!  I've got a console on your web server and it's mine... all mine.    Now let's say that your web server is behind a well configured firewall that's doing stateful inspection..  It will let your web server respond as it wishes to complete the transaction, but it won't let the web server initiate *my* outbound connection because there's no inbound request in its state table.  Awww...  I didn't get your machine.

Another common practice is to disallow all outbound SMTP connections except those from corporate mail servers..   this keeps the propagation of evil bits and SPAM(tm) to a minimum from those pesky pieces of malware that have their own SMTP engines.

Let's also consider that if you're in the US and doing business on the Internet these days, there's no shortage of regulatory compliance issues to deal with.  Healthcare and insurance folks have strict HIPAA laws that absolutely can not be satisfied without a firewall and detailed logging.  Wanna accept credit cards?  PCI compliance is going to mandate that firewall as well.

At the network perimeter (with a DMZ for Internet visible hosts), at any WAN links that may exist with vendors or other Semi/Non-trusted networks, at remote offices with which you need secured (encrypted) connectivity over the Internet..  everywhere you look... those pesky firewalls :)

And the most important reason that firewalls are very much needed...

I want to keep my job :)



~~~~~~~~~~~~~~~~~
Ron Brown
Firewall Administrator

 


>>> william fitzgerald <wfitzgerald@...> 3/25/2008 7:56 AM >>>
Dear Firewall Experts,

Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Web Service SOA?

What do I mean by the above question: given that Web Services (J2EE and
so forth) tend to tunnel through http and https (eg. SOAP) what role can
a traditional network firewall play? If its just a matter of opening
ports http and https for your dedicated enterprise services then is
there even a need for a firewall!

I am asking this question not to be flamed but to provoke a discussion
as to why we still need firewalls.

Assumptions:
++++++++++++
I use the term firewall loosely to mean "network access control". That
is, its a mechanism to prevent unwanted packets. Therefore, a firewall
could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
cisco and so forth.

In particular, I have focused on Linux iptables and TCP Wrapper. I
realize that one can install an xml based firewall to inspect packet
content in regard to web services.

Scenario Network:
++++++++++++++++++
Internet ---> Firewall ---> Enterprise SOA Server  ---> Additional
firewalls and back-end database servers etc.

Is it a case that in this Enterprise SOA environment the NAC firewall is
made redundant (as opposed to an xml firewall):

Internet ---> Enterprise SOA Webservice server

Assuming of course the servers are dedicated Web Service servers that
run no other services such as DHCP, intranet web server, email and so
forth that need to be protected?

Firewall Justification:
+++++++++++++++++++++++

I am trying to find publications, white papers, reports etc that state
the case for the need for firewalls. I need something concrete.

The current information I have found (web service orientated!) tends to
say firewalls are obsolete when talking about enterprise SOA given that
once port 80 and 443 is open on the firewall the SOS services are
exposed and hence protection happens at the application layer of the
particular service.

However, best practice suggests one should take a more holistic approach
to security and apply the "belt-and-braces" approach. That is, install
firewalls, IDS, AV, proper authentication at various OSI stack layers
etc etc. So we get a layered security affect, thus there must be a
justification for using a firewall still.

My Opinion:
+++++++++++

My opinion on what NAC firewalls can offer to web service SOA other than
  simply opening port http and https is as follows:

1) control access to those ports via ip address ranges (eg.
customer/business subscribers)
2) deep packet inspection to solicit appropriate content incoming and
outgoing from the SOA enterprise servers.
3) ???? what else would be done? please comment.

While I agree that there are xml based firewalls to monitor xml based
Web Service traffic, I wonder can it perform access controls at the
lower levels like network based firewalls (for example, block certain IP
addresses)? My guess is they don't given the operate at the application
layer.

I also wonder why one would invest in an xml firewall that is dedicated
to one kind of traffic profiling and not use for example a very
expensive cisco firewall that can cover a multitude of traffic
profiling. Presumably these expensive firewalls (or the equivalent
inexpensive iptables firewall) can inspect the packet for malicious
content to and from the enterprise servers (I believe we have
snort-2-iptables to also help here). At any rate, I do not want to start
a huge debate on the pros and cons of an xml firewall versus a network
firewall as I am aware dedicated firewalls specialize in various traffic
profiling. Also it's best practice to install a wide range of firewall
capabilities.

The real issue is the justification of NACs in an enterprise SOA
environment. Of course, if this enterprise environment also included the
company standard services such as email, dns, web server etc I can see
the major impact of the NAC firewall. But what is the case for dedicated
enterprise SOA?


My shortcomings:
++++++++++++++++
My inexperience in an enterprise network environment of how things are
really carried out rather than what is done in theory.


Summary:
++++++++
What role do NACs have to play in an environment of enterprise
application services?

All pointers to documentation and your comments are welcome.

I look forward to your support,
regards,
Will.

--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
      www.linkedin.com/in/williamfitzgerald
      www.ryze.com/go/wfitzgerald







Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by wfitzgerald

Thanks Brent.

I certainly agree that unless one is running a bastion host running
exactly the permitted services, firewalls are still an important factor.

In terms of a holistic security approach, firewalls should be deployed
even in a bastion host environment along with proper patch management,
password policies etc.


Also as you suggest internal firewalls offer an important point of
demarcation.

What kinds of requests are made to system administrators by
application developers to permit enterprise SOA web services?

Surely it's not just "please open ports http and https to all".
Linux iptables example:
# --dport takes a single port; the multiport match is needed for both
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j ACCEPT

Presumably a network administrator may need to restrict both incoming
and outgoing web service traffic, for example to a specific web service
server from selected business partners' IP subnets:
# partner subnet 193.1.1.0/24 (example) to the web service server
# 192.168.1.1, assuming eth0 faces the Internet
iptables -A FORWARD -i eth0 -s 193.1.1.0/24 -d 192.168.1.1 -p tcp --dport http -j ACCEPT
# the server's replies back out to the partner subnet
iptables -A FORWARD -o eth0 -s 192.168.1.1 -d 193.1.1.0/24 -p tcp --sport http -j ACCEPT

While the Web service application may be able to handle DoS attacks,
presumably a network administrator can help at the lower layers and thus
help in providing a holistic security approach:
iptables -A FORWARD -i eth0 -d 192.168.1.1 -p tcp --dport http --syn -m limit --limit 5/s -j ACCEPT
# without this the excess SYNs fall through to later rules or the chain policy
iptables -A FORWARD -i eth0 -d 192.168.1.1 -p tcp --dport http --syn -j DROP

What are the typical kinds of enterprise policies that require a network
level administrator to provide certain access controls when a web
service is deployed within an SOA?

regards,
Will.


Brent Gueth wrote:

>
>
> There are a few things that need to be taken into consideration (I'm
> going to speak at this from a proxy based firewall perspective).
>
>
>
> 1.  Can you always guarantee without a shadow of a doubt that these
> servers are not running any other services?  Can you verify that your
> staff will always do proper due diligence? Unless you can verify from
> now into eternity that the answer is yes it can be locked properly, there
> is always a place for a firewall.
>
> 2.  Do you have a certified DMZ currently?  Do these servers currently
> exist behind a firewall?  It has long been a tradition to have web servers
> that are publicly facing to be in a less secure DMZ.   This argument
> with new services is just rehashing this argument.   How do you maintain
> that the databases are secure to the web servers if you don't have a
> handle on the network getting to your DMZ?
>
> If using a proxy firewall you can inspect the packets and verify that
> the HTTP packets follow the RFC and only allow commands that you want
> through if it's smart enough.   If it's HTTPS you could do the same
> thing with the firewall decrypting the packet and re-encrypting on the
> way out - essentially doing man in the middle scanning.
>
> I've read how IPS and IDS are the second coming.  Well let's look at how
> harmful HTTPS could be.  Since many services going outbound can tunnel
> through HTTPS, without web filtering software that is constantly
> updated users can essentially do any function they please.   This will
> bypass any IDS or AV scanning until the software is already loaded on
> the machine since the scanners won't be able to look at encrypted
> packets.  So under this scenario as more things move to HTTPS - the
> argument would be that you would no longer need IDS or AV on these
> networks.
>
> How do you control it then?  One is to decrypt the HTTPS onto a trusted
> proxy server which then forwards requests onto the actual webserver.  
> This will help mitigate the risks and allow you to see what is going
> on.   Whether you consider this a firewall, gateway, or a proxy it does
> fulfill the same role.
>
> You also pointed out one other thing that's important  - controlling
> source connection subnets/IPs.   Removing this sort of control removes
> any say-so that you have in the future.  
>
> Since you asked what NACs exist in network or web development - in my
> experience none - the developers normally expect their software to
> work.   They don't care what impact it may have and their code may
> unintentionally enable other services on your web services.  NAC
> controls and development are two different mind sets but as times goes
> on they are getting closer.   Developers however don't normally
> understand networking so they don't care.
>
>
>
>
>
>
> On Tue, Mar 25, 2008 at 7:56 AM, william fitzgerald
> <wfitzgerald@... <mailto:wfitzgerald@...>> wrote:

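Brent's point in the message above, that a proxy-based firewall can check that HTTP requests follow the RFC and let through only the commands you want, can be made concrete as an allow-list check at the proxy. The following Python is an added example, not code from the thread or from any product discussed in it: the host name soa.example.com, the /services/ path, the 1 MiB body cap and the three sample requests are all assumed or constructed for illustration.

```python
"""Allow-list checks a front-end proxy can apply to an HTTP request before it is
forwarded to a SOAP/web-service server.  Added example, not code from the
thread.  Policy values below (host name, service path, size cap) are assumed."""

import re
from typing import Dict, List, Tuple

# Request line per HTTP/1.1: METHOD SP origin-form-target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[^ ]*) HTTP/(1\.[01])$")

# Assumed policy for the service (hypothetical values).
ALLOWED_HOSTS = {b"soa.example.com"}
SERVICE_PREFIX = b"/services/"
MAX_BODY = 1 << 20                                   # 1 MiB cap on SOAP envelopes
XML_TYPES = (b"text/xml", b"application/soap+xml", b"application/xml")


def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request head into (method, target, version, headers).
    Raises ValueError for anything that is not well-formed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        # obs-fold (leading whitespace) and colon-less lines are rejected outright
        if b":" not in line or line[:1] in (b" ", b"\t"):
            raise ValueError("malformed or folded header")
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return m.group(1), m.group(2), m.group(3), headers


def check_request(raw: bytes) -> List[str]:
    """Return the list of policy violations; an empty list means 'forward it'."""
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError as e:
        return [str(e)]
    hdr: Dict[bytes, List[bytes]] = {}
    for name, value in headers:
        hdr.setdefault(name, []).append(value)
    problems: List[str] = []

    if version != b"1.1":
        problems.append("only HTTP/1.1 is accepted")
    hosts = hdr.get(b"host", [])
    if len(hosts) != 1:
        problems.append("exactly one Host header required")
    elif hosts[0] not in ALLOWED_HOSTS:
        problems.append("unknown Host")
    if not target.startswith(SERVICE_PREFIX):
        problems.append("target outside the published service path")

    if method == b"POST":
        ctype = hdr.get(b"content-type", [b""])[0].split(b";")[0].strip().lower()
        if ctype not in XML_TYPES:
            problems.append("POST body must be XML/SOAP")
        lengths = hdr.get(b"content-length", [])
        if len(lengths) != 1 or not lengths[0].isdigit():
            problems.append("single numeric Content-Length required")
        elif int(lengths[0]) > MAX_BODY:
            problems.append("body exceeds size cap")
        if b"transfer-encoding" in hdr:
            # refusing TE avoids proxy and server disagreeing on the body boundary
            problems.append("Transfer-Encoding is refused on this service")
    elif method == b"GET":
        if not target.endswith(b"?wsdl"):
            problems.append("GET is only permitted for ?wsdl")
    else:
        problems.append("method %s is not on the allow list" % method.decode())
    return problems


# Constructed sample requests (not captured traffic).
GOOD_SOAP = (b"POST /services/OrderService HTTP/1.1\r\n"
             b"Host: soa.example.com\r\n"
             b"Content-Type: text/xml; charset=utf-8\r\n"
             b"Content-Length: 213\r\n"
             b"SOAPAction: \"urn:placeOrder\"\r\n\r\n"
             b"<soap:Envelope/>")
TUNNEL = b"CONNECT evil.example:443 HTTP/1.1\r\nHost: soa.example.com\r\n\r\n"
SMUGGLE = (b"POST /services/OrderService HTTP/1.1\r\nHost: soa.example.com\r\n"
           b"Content-Type: text/xml\r\nContent-Length: 4\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("good", GOOD_SOAP), ("tunnel", TUNNEL), ("smuggle", SMUGGLE)):
        print(name, check_request(req) or "forward")
```

Run stand-alone it prints a verdict for the three constructed requests: the SOAP POST is forwarded, the CONNECT tunnel attempt fails the request-line check before any policy is consulted, and the request carrying both Content-Length and Transfer-Encoding is refused rather than letting proxy and server disagree on where the body ends. The Host check and the ?wsdl exception are exactly the kind of policy detail an application developer has to hand to whoever runs the proxy, which is the question Will keeps asking.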




Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by wfitzgerald

Thanks Geoffrey,

I agree firewalls are an important point of demarcation narrowing access
(intended access) between various intranets.

In your experience what kinds of rules or policies are put in place when
an enterprise application goes live? What are the kinds of policies that
application developers demand from system administrators?

My argument is that it appears to me that (secure) Enterprise Web
Service applications, particularly those involving access control, are
typically focused at the application-domain only, rather than taking a
more holistic approach to also include the underlying infrastructure
(for example, firewalls). As a result, infrastructure configurations may
unintentionally hinder and prohibit the normal operation of the Web Service.

Thus, the ideal firewall configuration is one that is aligned with the
application supported by the system, that is, it permits valid
application traffic, and, preferably, no more and no less.

As I stated in my original post, Web Service developers assume the
underlying infrastructure is automatically available. Also there seems
to be a tendency to tunnel (for example SOAP) over http or https. From
this point of view, Web Service developers may form the opinion that
firewalls are redundant as they typically have ports 80 and 443
accessible (and forward traffic to specialized user-space programs for
further packet processing).

Maybe this is correct! comments?

In my opinion, deploying a network level firewall (such as Linux
Netfilter) provisioned for Enterprise Web Services is not simply about
opening port 80 on the server for all traffic; one may wish to deny
certain nodes (IP addresses, etc.), only accept HTTP traffic from some
nodes, require other nodes to use HTTPS and also deal with HTTP traffic
that is tunneled through proxies available on other ports.

Comments?

While low level infrastructure such as network firewalls may not solve
all security issues (as a more suitable application based XML firewall
might) in regard to Web Service applications, I believe, as stated in my
previous post, they have a role to play in applying the belt-and-braces
approach to security best practices.

Comments?

What I am really looking for is some concrete documents, publications,
administrator experience that helps clarify the important role of
Network Access Controls (firewalls, IPS etc) within an enterprise SOA
environment, if any.

regards,
Will.

Geoffrey Gowey wrote:

> To be succinct: yes, firewalls are still very much a necessity.  If one
> ignores the more advanced features of firewalls and only focuses on the
> basic features of ip packet source/destination filtering there's still
> evidence of a clear need for them before even seeing what the usage of
> other technologies such as SMLI or SPF bring to the table.  Relying on
> operating system and application security alone is insufficient in a
> networked environment.
>
> By putting internal and external firewalls in place, a corporation has
> choke points that can enforce corporate policy of what an application
> really should be limited to doing.  A for instance would be the
> limitation of IP access from a DMZ web server to a middle tier server
> for its data.  A firewall between the DMZ server and the middle tier
> server can be configured to ensure that this is the only access the
> server has and not access to other systems that it has no reason to be
> interacting with (such as a mail server).  This helps reduce exposure
> should the DMZ server be compromised.  Also, if the firewall between the
> DMZ server and the middle tier server is configured properly, you will
> be able to discover irregular activity that could indicate a misbehaving
> application or a server compromise by traffic trying to conduct actions
> that were not part of the agreed on policy.
>
>
> On Tue, Mar 25, 2008 at 4:56 AM, william fitzgerald
> <wfitzgerald@... <mailto:wfitzgerald@...>> wrote:
>
> --
> Kindest Regards,
>
> Geoff





Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by wfitzgerald

Thanks Ron,

Controlling outgoing traffic is certainly important!!!



Ron Brown wrote:

> Greetings Will,
>
> The short answer is yes... absolutely yes.
>
> The long answer would be far too lengthy for this reply (plus my dinner would get cold).
>
> Aside from the obvious benefits for filtering / verifying the inbound traffic, let's consider outbound traffic.
> Unwanted data egress is as much of a problem (if not more) than what's coming in.
>
> Let's say that I'm a bad guy.  I want your web server and I'm going to get
> it. Your box is only listening on TCP ports 80 and 443... you've got your
> web server well configured and patched... but you've got an application
> being delivered by that web server that has a weakness. (I know.. it could
> never happen to you, but humor me).  I find a way to exploit that weakness
> that doesn't give me direct access, but I can over-run your stack and write
> some "special code" into system memory. Let's say that code does something
> very common in "bad guy land"... it initiates an outbound connection (on
> some other port) to a netcat listener I've got waiting on another
> compromised box. Zowie!  I've got a console on your web server and it's
> mine... all mine.    Now let's say that your web server is behind a well
> configured firewall that's doing stateful inspection..  It will let your
> web server respond as it wishes to complete the transaction, but it won't
> let the web server initiate *my* outbound connection because there's no
> inbound request in its state table.  Awww...  I didn't get your machine.

>
> Another common practice is to disallow all outbound SMTP connections except those from corporate mail servers.   This keeps the propagation of evil bits and SPAM(tm) to a minimum from those pesky pieces of malware that have their own SMTP engines.
>
> Let's also consider that if you're in the US and doing business on the Internet these days, there's no shortage of regulatory compliance issues to deal with.  Healthcare and insurance folks have strict HIPAA laws that absolutely can not be satisfied without a firewall and detailed logging.  Wanna accept credit cards?  PCI compliance is going to mandate that firewall as well.
>
> At the network perimeter (with a DMZ for Internet visible hosts), at any WAN links that may exist with vendors or other Semi/Non-trusted networks, at remote offices with which you need secured (encrypted) connectivity over the Internet..  everywhere you look... those pesky firewalls :)
>
> And the most important reason that firewalls are very much needed...
>
> I want to keep my job :)
>
>
>
> ~~~~~~~~~~~~~~~~~
> Ron Brown
> Firewall Administrator
>
>  
>
>
>>>> william fitzgerald <wfitzgerald@...> 3/25/2008 7:56 AM >>>

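Ron's stateful-inspection scenario above and the iptables rules in Will's reply to Brent (partner-subnet ingress, the server's replies, a SYN rate limit) describe one policy between them. The Python below is an added example, not code from the thread: it models that policy as a first-match packet filter with connection tracking and replays the reverse-shell callback through it. It reuses the server address 192.168.1.1 and partner subnet 193.1.1.0/24 from those rules; the partner host, the attacker address, ports and timings are constructed, and the rate limiter is a sliding-window approximation of iptables' token-bucket limit match, not its exact behaviour.

```python
"""Stateful packet-filter model for a dedicated web-service host.  Added example,
not code from the thread: it encodes the rules discussed (partner-subnet ingress
only, SYN rate limit, stateful return traffic, no server-initiated connections)
and replays Ron's reverse-shell scenario against them.  The server 192.168.1.1
and partner subnet 193.1.1.0/24 follow Will's examples; other addresses are
constructed."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

SERVER = ip_address("192.168.1.1")
PARTNERS = [ip_network("193.1.1.0/24")]
SERVICE_PORTS = (80, 443)
SYN_LIMIT_PER_SEC = 5            # mirrors -m limit --limit 5/s (burst ignored)

FlowKey = Tuple[str, str, int, int]          # (src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool          # True only for a connection-opening SYN (like iptables --syn)
    t: float = 0.0     # arrival time in seconds, for the rate limiter


@dataclass
class Firewall:
    conntrack: Set[FlowKey] = field(default_factory=set)  # accepted new flows
    syn_times: List[float] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _established(self, p: Packet) -> bool:
        """Equivalent of -m state --state ESTABLISHED: either direction of a tracked flow."""
        return ((p.src, p.dst, p.sport, p.dport) in self.conntrack
                or (p.dst, p.src, p.dport, p.sport) in self.conntrack)

    def _syn_within_limit(self, now: float) -> bool:
        """Sliding one-second window; iptables' limit match is a token bucket,
        so this approximates its steady-state rate only."""
        self.syn_times = [t for t in self.syn_times if now - t < 1.0]
        if len(self.syn_times) >= SYN_LIMIT_PER_SEC:
            return False
        self.syn_times.append(now)
        return True

    def filter(self, p: Packet) -> str:
        """First matching rule decides; returns 'ACCEPT' or 'DROP'."""
        src, dst = ip_address(p.src), ip_address(p.dst)
        if self._established(p):
            # 1. replies and follow-on segments of an accepted connection
            verdict = "ACCEPT"
        elif (dst == SERVER and p.dport in SERVICE_PORTS and p.syn
              and any(src in n for n in PARTNERS)):
            # 2. new HTTP/HTTPS connection from a partner subnet, SYN-rate limited
            if self._syn_within_limit(p.t):
                self.conntrack.add((p.src, p.dst, p.sport, p.dport))
                verdict = "ACCEPT"
            else:
                verdict = "DROP"
        else:
            # 3. default deny: non-partner sources, stray non-SYN packets, and any
            #    connection the server itself tries to open (Ron's callback)
            verdict = "DROP"
        self.log.append(f"{verdict} {p.src}:{p.sport} -> {p.dst}:{p.dport} syn={p.syn}")
        return verdict


def reverse_shell_scenario() -> Dict[str, str]:
    """A partner request is served, then the exploited server tries to call back
    to the attacker's listener on port 4444; only the callback should be dropped."""
    fw = Firewall()
    partner, attacker = "193.1.1.10", "198.51.100.7"     # constructed addresses
    server = str(SERVER)
    return {
        "partner_syn":  fw.filter(Packet(partner, server, 51000, 443, True, 0.0)),
        "server_reply": fw.filter(Packet(server, partner, 443, 51000, False, 0.1)),
        "stray_ack":    fw.filter(Packet(partner, server, 51001, 443, False, 0.2)),
        "attacker_syn": fw.filter(Packet(attacker, server, 40000, 443, True, 0.3)),
        "callback_syn": fw.filter(Packet(server, attacker, 42000, 4444, True, 0.4)),
    }


def syn_flood_verdicts(n: int = 8) -> List[str]:
    """n SYNs from one partner host inside the same second: only the first 5 pass."""
    fw = Firewall()
    return [fw.filter(Packet("193.1.1.20", str(SERVER), 50000 + i, 80, True, 0.01 * i))
            for i in range(n)]


if __name__ == "__main__":
    for k, v in reverse_shell_scenario().items():
        print(f"{k:13s} {v}")
    print("syn flood:", syn_flood_verdicts())
```

The partner's SYN and the server's reply pass (rule 2, then the ESTABLISHED check), the non-partner SYN and the stray ACK without a prior SYN are dropped, and the server's own SYN to port 4444 is dropped because nothing in the state table matches it and no rule lets the server open connections. The log list is the "irregular activity" Geoffrey mentions: a server trying to open outbound connections it has no policy for is worth alerting on, not just dropping.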




RE: Are firewalls obsolete in a world involving enterprise applications SOA?

by Srinivasa Addepalli


Hi,

Traditional firewalls are not going to go away. That does not mean that
Web security firewalls are not required. Web application firewalls only
work on the HTTP protocol and are required to protect your HTTP server
infrastructure and provide access control at the application level.
Traditional firewalls are required at the Enterprise Edge and Enterprise
core to provide control among different zones for different services.

Short answer: Both are required and they complement each other.

Srini






Intoto Inc.


Re: Are firewalls obsolete in a world involving enterprise applications SOA?

by Geoffrey J Gowey :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

The answer to your questions about policies is that it requires a joint effort to establish the policies.  You need the input of the developers as to what the application should be doing during its normal operation.  The system administrators need to accommodate the developers with a degree of accessibility to allow the application to function, but never with total access to the system (absolute access is never a good idea).  The network administrators configure the network access according to the agreed-upon access requirements.  However, this process is usually agreed upon during the actual discussion about the application before the code is even written and not at deployment time.

After an application is deployed the admins should be doing what their jobs require them to do: check the logs, patch systems, etc.  There's no reason why their roles or responsibilities should need to be changed for a single application. 

As for security: firewalls come in everything from the garden-variety dumb-as-bricks models that only feature IP/port restrictions to the more advanced models that use technologies to inspect the traffic before it hits the application and make sure that what is being transmitted falls within parameters that would be considered "normal".  The latter models have to understand the protocol being used such as HTTP, FTP, SOAP, etc.  SSL can be decrypted by an SSL accelerator appliance, making the encryption not a problem for firewall appliances.  Application-level proxies also can help with security, but require more configuration and are more obvious than the cut-through variety that use SMLI or SPF.

Preventing a total system takeover from a poorly written application requires the usual amount of common sense: the principle of least security (never give anything more privileges than it needs).  Different user accounts used for different applications provide a level of segregation between the applications, be it for file system or database access.

I'm not really sure if there's really a one-stop source on what you're looking for because your questions span three different security categories: network security (covered in network administration books), system security (covered in systems administration books), and designing secure applications (covered in programming books).  Then, if there's a database involved (as is usually the case), you have a DBA whose job revolves around tweaking the performance and the security of the RDBMS (Oracle, SQL Server, DB2, etc).  The reason for this segregation is usually because the roles in an administration are segregated and that's not necessarily a bad thing.  Generally, the admins are concerned with securing their appliances and systems to the highest state possible while the DBA and the programmer are concerned with their respective applications.  It's a lot to juggle.

How much latitude or how many roles anyone has (particularly the developer) is more a matter of the policy that you're working for, making it completely arbitrary.  There are better practices and guidance available in each field, but knowing everything takes hours and hours of reading plus years of experience.  If you're looking at trying your hand in seeing how in depth you can go with programming and security, grab some network gear and cheap systems off eBay, construct a lab of your own, and go to town because there's no substitute for doing.


On Wed, Mar 26, 2008 at 10:35 AM, william fitzgerald <wfitzgerald@...> wrote:
Thanks Geoffrey,

I agree firewalls are an important point of demarcation narrowing access
(intended access) between various intranets.

In your experience what kinds of rules or policies are put in place when
an enterprise application goes live? What are the kinds of policies that
application developers demand from system administrators?

My argument is that it appears to me that (secure) Enterprise Web
Service applications, particularly those involving access control, are
typically focused at the application-domain only, rather than taking a
more holistic approach to also include the underlying infrastructure
(for example, firewalls). As a result, infrastructure configurations may
unintentionally hinder and prohibit the normal operation of the Web Service.

Thus, the ideal firewall configuration is one that is aligned with the
application supported by the system, that is, it permits valid
application traffic, and, preferably, no more and no less.

As I stated in my original post, Web Service developers assume the
underlying infrastructure is automatically available. Also there seems
to be a tendency to tunnel (for example SOAP) over http or https. From
this point of view, Web Service developers may form the opinion that
firewalls are redundant as they typically have ports 80 and 443
accessible (and forward traffic to specialized user-space programs for
further packet processing).

Maybe this is correct! Comments?

In my opinion, deploying a network level firewall (such as Linux
Netfilter) provisioned for Enterprise Web Services is not simply about
opening port 80 on the server for all traffic; one may wish to deny
certain nodes (IP addresses, etc.), only accept HTTP traffic from some
nodes, require other nodes to use HTTPS and also deal with HTTP traffic
that is tunneled through proxies available on other ports.

Comments?

While low level infrastructure such as network firewalls may not solve
all security issues (as a more suitable application-based XML firewall
might) in regard to Web Service applications, I believe, as stated in my
previous post, they have a role to play in applying the belt-and-braces
approach to security best practices.

Comments?

What I am really looking for is some concrete documents, publications,
administrator experience that helps clarify the important role of
Network Access Controls (firewalls, IPS etc) within an enterprise SOA
environment, if any.

regards,
Will.

Geoffrey Gowey wrote:
> To be succinct: yes, firewalls are still very much a necessity.  If one
> ignores the more advanced features of firewalls and only focuses on the
> basic features of ip packet source/destination filtering there's still
> evidence of a clear need for them before even seeing what the usage of
> other technologies such as SMLI or SPF bring to the table.  Relying on
> operating system and application security alone is insufficient in a
> networked environment.
>
> By putting internal and external firewalls in place, a corporation has
> choke points that can enforce corporate policy of what an application
> really should be limited to doing.  A for instance would be the
> limitation of IP access from a DMZ web server to a middle tier server
> for its data.  A firewall between the DMZ server and the middle tier
> server can be configured to ensure that this is the only access the
> server has and not access to other systems that it has no reason to be
> interacting with (such as a mail server).  This helps reduce exposure
> should the DMZ server be compromised.  Also, if the firewall between the
> DMZ server and the middle tier server is configured properly, you will
> be able to discover irregular activity that could indicate a misbehaving
> application or a server compromise by traffic trying to conduct actions
> that were not part of the agreed on policy.
>
>
> On Tue, Mar 25, 2008 at 4:56 AM, william fitzgerald
> <wfitzgerald@... <mailto:wfitzgerald@...>> wrote:
>
> --
> Kindest Regards,
>
> Geoff







--
Kindest Regards,

Geoff
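Geoff's point about a firewall choke point that enforces the agreed policy and exposes irregular activity, and Will's description of a Netfilter configuration aligned with the application, as one added Python example (my code, not code from either poster or from any project). The 10.x addresses, the 8080 service port, the "FW-NEW" log prefix and the log lines are all constructed for the example; the rendered iptables commands are meant to be reviewed, not run blindly.

```python
"""Policy-as-code sketch for the DMZ -> middle-tier choke point discussed above.
Constructed example: developers declare the flows the Web Service needs, a
default-deny iptables rule set is rendered from that declaration, and kernel
LOG lines from the same firewall are audited against the declaration.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str    # source host or CIDR
    dst: str    # destination host or CIDR
    proto: str  # "tcp" or "udp"
    dport: int


# Hypothetical lab addresses: DMZ web service host and the middle-tier server.
DMZ_WS, MID_TIER = "10.1.0.10", "10.2.0.20"

# Agreed policy: the DMZ web service may reach only the middle tier's service port.
AGREED = frozenset({Flow(DMZ_WS, MID_TIER, "tcp", 8080)})


def render_iptables(policy, chain="FORWARD"):
    """Render default-deny rules for the agreed flows; an admin reviews them before applying."""
    rules = [
        f"iptables -P {chain} DROP",
        # Log every new connection attempt first so the log can be audited against policy.
        f'iptables -A {chain} -m state --state NEW -j LOG --log-prefix "FW-NEW: "',
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in sorted(policy, key=lambda p: (p.src, p.dst, p.proto, p.dport)):
        rules.append(
            f"iptables -A {chain} -s {f.src} -d {f.dst} -p {f.proto} --dport {f.dport} "
            f"-m state --state NEW -j ACCEPT"
        )
    return rules


def permitted(flow, policy):
    """True if the observed flow falls inside any agreed flow (CIDR-aware)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(
        flow.proto == p.proto and flow.dport == p.dport
        and src in ipaddress.ip_network(p.src, strict=False)
        and dst in ipaddress.ip_network(p.dst, strict=False)
        for p in policy
    )


def parse_log_line(line):
    """Extract a Flow from a netfilter LOG line (key=value tokens); None if it is not one."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not all(k in kv for k in ("SRC", "DST", "PROTO")):
        return None
    return Flow(kv["SRC"], kv["DST"], kv["PROTO"].lower(), int(kv.get("DPT", 0)))


def audit_log(lines, policy):
    """Count connection attempts outside the agreed policy, per distinct flow."""
    unexpected = Counter()
    for line in lines:
        flow = parse_log_line(line)
        if flow is not None and not permitted(flow, policy):
            unexpected[flow] += 1
    return unexpected


# Constructed log sample: the DMZ host tries SMTP to a mail server twice and SSH to the
# middle tier (both outside policy), then makes its legitimate service call.
SAMPLE_LOG = """\
Mar 26 10:35:01 fw kernel: FW-NEW: IN=eth0 OUT=eth1 SRC=10.1.0.10 DST=10.3.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Mar 26 10:35:02 fw kernel: FW-NEW: IN=eth0 OUT=eth1 SRC=10.1.0.10 DST=10.3.0.5 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Mar 26 10:35:03 fw kernel: FW-NEW: IN=eth0 OUT=eth1 SRC=10.1.0.10 DST=10.2.0.20 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
Mar 26 10:35:04 fw kernel: FW-NEW: IN=eth0 OUT=eth1 SRC=10.1.0.10 DST=10.2.0.20 LEN=60 PROTO=TCP SPT=51237 DPT=8080 SYN
""".splitlines()
```

Running `audit_log(SAMPLE_LOG, AGREED)` reports the two SMTP attempts and the SSH attempt and stays silent on the 8080 call, which is the "misbehaving application or compromised server" signal Geoff describes.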

RE: Are firewalls obsolete in a world involving enterprise applications SOA?

by Paul, Sandeep :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Hi William

In my opinion firewalls (ACL based) are still required.

Yes, content filtering security solutions like IDS/IPS and proxy
firewalls have taken much of the attention.


ACL-based firewalls not only provide a layer of defense in your layered
security architecture but also help reduce the network traffic that needs
to be scanned by the upper-layer security devices [think of this from the
performance perspective of the upper-layer security devices].

Once you have filtered out unwanted traffic using ACL-based firewalls, the
amount of traffic that needs to be scanned by IDS/IPS devices is much
less, and this is very important.

            [Traffic for your network (X+Y)]            [Desired traffic (only X)]
Internet -------------------------------------> Firewall --------------------------> IDS/IPS or Proxy Filters

Thanks and Best Regards
 
Sandeep Paul
iPolicy Networks

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of william fitzgerald
Sent: Tuesday, March 25, 2008 5:26 PM
To: firewalls@...
Subject: Are firewalls obsolete in a world involving enterprise
applications SOA?




