Firewalls
Are firewalls obsolete in a world involving enterprise applications SOA? Mar 25 2008 11:56AM
william fitzgerald (wfitzgerald tssg org) (5 replies)
RE: Are firewalls obsolete in a world involving enterprise applicationsSOA? Mar 28 2008 05:01AM
Paul, Sandeep (spaul ipolicynetworks com)
RE: Are firewalls obsolete in a world involving enterprise applications SOA? Mar 26 2008 09:14PM
Srinivasa R. Addepalli (Srao Intoto com)
Re: Are firewalls obsolete in a world involving enterpriseapplications SOA? Mar 26 2008 12:41AM
Ron Brown (brownr mmc org) (1 replies)
Re: Are firewalls obsolete in a world involving enterpriseapplications SOA? Mar 26 2008 05:41PM
william fitzgerald (wfitzgerald tssg org)
Re: Are firewalls obsolete in a world involving enterprise applications SOA? Mar 25 2008 08:38PM
Geoffrey Gowey (gjgowey gmail com) (1 replies)
Re: Are firewalls obsolete in a world involving enterprise applications SOA? Mar 26 2008 05:35PM
william fitzgerald (wfitzgerald tssg org) (1 replies)
Re: Are firewalls obsolete in a world involving enterprise applications SOA? Mar 27 2008 08:02AM
Geoffrey Gowey (gjgowey gmail com)
Re: Are firewalls obsolete in a world involving enterprise applications SOA? Mar 25 2008 07:04PM
Brent Gueth (creeva gmail com) (1 replies)
There are a few things that need to be taken into consideration (I'm going
to speak at this from a proxy based firewall perspective).

1. Can you always guarantee without a shadow of a doubt that these servers
are not running any other services? Can you verify that your staff will
always do proper due diligence? Unless you can verify from now into eternity
that the answer is yes and it can be locked properly, there is always a place for
a firewall.

2. Do you have a certified DMZ currently? Do these servers currently exist
behind a firewall? It has long been a tradition to have web servers that are
publicly facing be in a less secure DMZ. This argument with new
services is just rehashing this argument. How do you maintain that the
databases are secure to the web servers if you don't have a handle on the
network getting to your DMZ?

If using a proxy firewall you can inspect the packets and verify that the
HTTP packets follow the RFC and only allow commands that you want through if
it's smart enough. If it's HTTPS you could do the same thing with the
firewall decrypting the packet and re-encrypting on the way out -
essentially doing man in the middle scanning.

I've read how IPS and IDS are the second coming. Well, let's look at how
harmful HTTPS could be. Since many services going outbound can tunnel
through HTTPS, without web filtering software that is constantly updated
users can essentially do any function they please. This will bypass any
IDS or AV scanning until the software is already loaded on the machine, since
the scanners won't be able to look at encrypted packets. So under this
scenario, as more things move to HTTPS the argument would be that you
would no longer need IDS or AV on these networks.

How do you control it then? One is to decrypt the HTTPS onto a trusted
proxy server which then forwards requests onto the actual webserver. This
will help mitigate the risks and allow you to see what is going on.
Whether you consider this a firewall, gateway, or a proxy it does fulfill
the same role.

You also pointed out one other thing that's important - controlling source
connection subnets/IPs. Removing this sort of control removes any say-so
that you have in the future.

Since you asked what NACs exist in network or web development - in my
experience none - the developers normally expect their software to work.
They don't care what impact it may have, and their code may unintentionally
enable other services on your web services. NAC controls and development
are two different mindsets, but as time goes on they are getting closer.
Developers, however, don't normally understand networking, so they don't care.

On Tue, Mar 25, 2008 at 7:56 AM, william fitzgerald <wfitzgerald (at) tssg (dot) org [email concealed]>
wrote:

> Dear Firewall Experts,
>
> Provocative Question:
> ++++++++++++++++++++
> Are firewalls obsolete in a world involving enterprise Web Service SOA?
>
> What do I mean by the above question: given that Web Services (J2EE and
> so forth) tend to tunnel through http and https (eg. SOAP), what role can
> a traditional network firewall play? If it's just a matter of opening
> ports http and https for your dedicated enterprise services, then is
> there even a need for a firewall!
>
> I am asking this question not to be flamed but to provoke a discussion
> as to why we still need firewalls.
>
> Assumptions:
> ++++++++++++
> I use the term firewall loosely to mean "network access control". That
> is, it's a mechanism to prevent unwanted packets. Therefore, a firewall
> could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
> cisco and so forth.
>
> In particular, I have focused on Linux iptables and TCP Wrapper. I
> realize that one can install an xml based firewall to inspect packet
> content in regard to web services.
>
> Scenario Network:
> ++++++++++++++++++
> Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
> firewalls and back-end database servers etc.
>
> Is it a case that in this Enterprise SOA environment the NAC firewall is
> made redundant (as opposed to an xml firewall):
>
> Internet ---> Enterprise SOA Webservice server
>
> Assuming of course the servers are dedicated Web Service servers that
> run no other services such as DHCP, intranet web server, email and so
> forth that need to be protected?
>
> Firewall Justification:
> +++++++++++++++++++++++
>
> I am trying to find publications, white papers, reports etc that state
> the case for the need for firewalls. I need something concrete.
>
> The current information I have found (web service orientated!) tends to
> say firewalls are obsolete when talking about enterprise SOA given that
> once ports 80 and 443 are open on the firewall the SOA services are
> exposed and hence protection happens at the application layer of the
> particular service.
>
> However, best practice suggests one should take a more holistic approach
> to security and apply the "belt-and-braces" approach. That is, install
> firewalls, IDS, AV, proper authentication at various OSI stack layers
> etc etc. So we get a layered security effect, thus there must be a
> justification for using a firewall still.
>
> My Opinion:
> +++++++++++
>
> My opinion on what NAC firewalls can offer to web service SOA other than
> simply opening port http and https is as follows:
>
> 1) control access to those ports via ip address ranges (eg.
> customer/business subscribers)
> 2) deep packet inspection to solicit appropriate content incoming and
> outgoing from the SOA enterprise servers.
> 3) ???? what else would be done? please comment.
>
> While I agree that there are xml based firewalls to monitor xml based
> Web Service traffic, I wonder whether they can perform access controls at the
> lower levels like network based firewalls (for example, block certain IP
> addresses)? My guess is they don't, given they operate at the application
> layer.
>
> I also wonder why one would invest in an xml firewall that is dedicated
> to one kind of traffic profiling and not use for example a very
> expensive cisco firewall that can cover a multitude of traffic
> profiling. Presumably these expensive firewalls (or the equivalent
> inexpensive iptables firewall) can inspect the packet for malicious
> content to and from the enterprise servers (I believe we have
> snort-2-iptables to also help here). At any rate, I do not want to start
> a huge debate on the pros and cons of an xml firewall versus a network
> firewall as I am aware dedicated firewalls specialize in various traffic
> profiling. Also it's best practice to install a wide range of firewall
> capabilities.
>
> The real issue is the justification of NACs in an enterprise SOA
> environment. Of course, if this enterprise environment also included the
> company standard services such as email, dns, web server etc I can see
> the major impact of the NAC firewall. But what is the case for dedicated
> enterprise SOA?
>
>
> My shortcomings:
> ++++++++++++++++
> My inexperience in an enterprise network environment of how things are
> really carried out rather than what is done in theory.
>
>
> Summary:
> ++++++++
> What role do NACs have to play in an environment of enterprise
> application services?
>
> All pointers to documentation and your comments are welcome.
>
> I look forward to your support,
> regards,
> Will.
>
> --
> William M. Fitzgerald,
> PhD Student,
> Telecommunications Software & Systems Group,
> ArcLabs Research and Innovation Centre,
> Waterford Institute of Technology,
> WIT West Campus,
> Carriganore,
> Waterford.
> Office Ph: +353 51 302937
> Mobile Ph: +353 87 9527083
> Web: www.williamfitzgerald.org
> www.linkedin.com/in/williamfitzgerald
> www.ryze.com/go/wfitzgerald
>
>
>
>

Re: Are firewalls obsolete in a world involving enterprise applications SOA? Mar 26 2008 05:19PM
william fitzgerald (wfitzgerald tssg org)
Copyright 2008, SecurityFocus