Controlling outgoing traffic is certainly important!!!
Ron Brown wrote:
> Greetings Will,
>
> The short answer is yes... absolutely yes.
>
> The long answer would be far to lengthy for this reply (plus my dinner would get cold).
>
> Aside from the obvious benefits for filtering / verifying the inbound traffic, let's consider outbound traffic.
> Unwanted data egress is as much of a problem (if not more) than what's coming in.
>
> Let's say that I'm a bad guy.. I want your web server and I'm going to get it. Your box is only listening on TCP ports 80 and 443... you've got you web server well configured and patched... but you've got a application being delivered by that web server that has a weakness. (I know.. it could never happen to you, but humor me). I find a way to exploit that weakness that doesn't give me direct access, but I can over-run your stack and write some "special code" into system memory. Let's say that code does something very common in "bad guy land"... it initiates an outbound connection (on some other port) to a netcat listener I've got waiting on another compromised box. Zowie! I've got a console on your web server and it's mine... all mine. Now let's say that you web server is behind a well configured firewall that's doing stateful inspection.. It will let your web server respond as it wishes to complete the transaction, but it won't let the web server initiate *my* outb
ound connection because there's no inbound request in it's state table. Awww... I didn't get your machine.
>
> Another common practice is to disallow all outbound SMTP connections except those from corporate mail servers.. this keep the propagation of evil bits and SPAM(tm) to a minimum from those pesky pieces of malware that have their own SMTP engines.
>
> Let's also consider that if you're in the US and doing business on the Internet these days, there's no shortage of regulatory compliance issues to deal with. Healthcare and insurance folks have strict HIPAA laws that absolutely can not be satisfied without a firewall and detailed logging. Wanna accept credit cards? PCI compliance is going to mandate that firewall as well.
>
> At the network perimeter (with a DMZ for Internet visible hosts), at any WAN links that may exist with vendors or other Semi/Non-trusted networks, at remote offices with which you need secured (encrypted) connectivity over the Internet.. everywhere you look... those pesky firewalls :)
>
> And the most important reason that firewalls are very much needed...
>
> I want to keep my job :)
>
>
>
> ~~~~~~~~~~~~~~~~~
> Ron Brown
> Firewall Administrator
>
>
>
>
>>>> william fitzgerald <wfitzgerald (at) tssg (dot) org [email concealed]> 3/25/2008 7:56 AM >>>
> Dear Firewall Experts,
>
> Provocative Question:
> ++++++++++++++++++++
> Are firewalls obsolete in a world involving enterprise Web Service SOA?
>
> What do I mean by the above question: given that Web Services (J2EE and
> so forth) tend to tunnel through http and https (eg. SOAP) what role can
> a traditional network firewall play? If its just a matter of opening
> ports http and https for your dedicated enterprise services then is
> there even a need for a firewall!
>
> I am asking this question not to be flamed but to provoke a discussion
> as to why we still need firewalls.
>
> Assumptions:
> ++++++++++++
> I use the term firewall loosely to mean "network access control". That
> is, its a mechanism to prevent unwanted packets. Therefore, a firewall
> could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
> cisco and so forth.
>
> In particular, I have focused on Linux iptables and TCP Wrapper. I
> realize that one can install an xml based firewall to inspect packet
> content in regard to web services.
>
> Scenario Network:
> ++++++++++++++++++
> Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
> firewalls and back-end database servers etc.
>
> Is it a case that in this Enterprise SOA environment the NAC firewall is
> made redundant (as opposed to an xml firewall):
>
> Internet ---> Enterprise SOA Webservice server
>
> Assuming of course the servers are dedicated Web Service servers that
> run no other services such as DHCP, intranet web server, email and so
> forth that need to be protected?
>
> Firewall Justification:
> +++++++++++++++++++++++
>
> I am trying to find publications, white papers, reports etc that state
> the case for the need for firewalls. I need something concrete.
>
> The current information I have found (web service orientated!) tends to
> say firewalls are obsolete when talking about enterprise SOA given that
> once port 80 and 443 is open on the firewall the SOS services are
> exposed and hence protection happens at the application layer of the
> particular service.
>
> However, best practice suggests one should take a more holistic approach
> to security and apply the "belt-and-braces" approach. That is, install
> firewalls, IDS, AV, proper authentication at various OSI stack layers
> etc etc. So we get a layered security affect, thus there must be a
> justification for using a firewall still.
>
> My Opinion:
> +++++++++++
>
> My opinion on what NAC firewalls can offer to web service SOA other than
> simply opening port http and https is as follows:
>
> 1) control access to those ports via ip address ranges (eg.
> customer/business subscribers)
> 2) deep packet inspection to solicit appropriate content incoming and
> outgoing from the SOA enterprise servers.
> 3) ???? what else would be done? please comment.
>
> While I agree that there are xml based firewalls to monitor xml based
> Web Service traffic, I wonder can it perform access controls at the
> lower levels like network based firewalls (for example, block certain IP
> addresses)? My guess is they don't given the operate at the application
> layer.
>
> I also wonder why one would invest in an xml firewall that is dedicated
> to one kind of traffic profiling and not use for example a very
> expensive cisco firewall that can cover a multitude of traffic
> profiling. Presumably these expensive firewalls (or the equivalent
> unexpensive iptables firewall) can inspect the packet for malicious
> content to and from the enterprise servers (I believe we have
> snort-2-iptables to also help here). At any rate, I do not want to start
> a huge debate on the pros and cons of an xml firewall versus a network
> firewall as I am aware dedicated firewalls specialize in various traffic
> profiling. Also its best practice to install a wide range for firewall
> capabilities.
>
> The real issue is the justification of NAC's in an enterprise SOA
> environment. Of course, if this enterprise environment also included the
> company standard services such as email, dns, web server etc I can see
> the major impact of the NAC firewall. But what is the case for dedicated
> enterprise SOA?
>
>
> My shortcomings:
> ++++++++++++++++
> My inexperience in an enterprise network environment of how things are
> really carried out rather than what is done in theory.
>
>
> Summary:
> ++++++++
> What role do NAC's have to play in an environment of enterprise
> application services?
>
> All pointers to documentation and your comments are welcome.
>
> I look forward to your support,
> regards,
> Will.
>
--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
Controlling outgoing traffic is certainly important!!!
Ron Brown wrote:
> Greetings Will,
>
> The short answer is yes... absolutely yes.
>
> The long answer would be far to lengthy for this reply (plus my dinner would get cold).
>
> Aside from the obvious benefits for filtering / verifying the inbound traffic, let's consider outbound traffic.
> Unwanted data egress is as much of a problem (if not more) than what's coming in.
>
> Let's say that I'm a bad guy.. I want your web server and I'm going to get it. Your box is only listening on TCP ports 80 and 443... you've got you web server well configured and patched... but you've got a application being delivered by that web server that has a weakness. (I know.. it could never happen to you, but humor me). I find a way to exploit that weakness that doesn't give me direct access, but I can over-run your stack and write some "special code" into system memory. Let's say that code does something very common in "bad guy land"... it initiates an outbound connection (on some other port) to a netcat listener I've got waiting on another compromised box. Zowie! I've got a console on your web server and it's mine... all mine. Now let's say that you web server is behind a well configured firewall that's doing stateful inspection.. It will let your web server respond as it wishes to complete the transaction, but it won't let the web server initiate *my* outb
ound connection because there's no inbound request in it's state table. Awww... I didn't get your machine.
>
> Another common practice is to disallow all outbound SMTP connections except those from corporate mail servers.. this keep the propagation of evil bits and SPAM(tm) to a minimum from those pesky pieces of malware that have their own SMTP engines.
>
> Let's also consider that if you're in the US and doing business on the Internet these days, there's no shortage of regulatory compliance issues to deal with. Healthcare and insurance folks have strict HIPAA laws that absolutely can not be satisfied without a firewall and detailed logging. Wanna accept credit cards? PCI compliance is going to mandate that firewall as well.
>
> At the network perimeter (with a DMZ for Internet visible hosts), at any WAN links that may exist with vendors or other Semi/Non-trusted networks, at remote offices with which you need secured (encrypted) connectivity over the Internet.. everywhere you look... those pesky firewalls :)
>
> And the most important reason that firewalls are very much needed...
>
> I want to keep my job :)
>
>
>
> ~~~~~~~~~~~~~~~~~
> Ron Brown
> Firewall Administrator
>
>
>
>
>>>> william fitzgerald <wfitzgerald (at) tssg (dot) org [email concealed]> 3/25/2008 7:56 AM >>>
> Dear Firewall Experts,
>
> Provocative Question:
> ++++++++++++++++++++
> Are firewalls obsolete in a world involving enterprise Web Service SOA?
>
> What do I mean by the above question: given that Web Services (J2EE and
> so forth) tend to tunnel through http and https (eg. SOAP) what role can
> a traditional network firewall play? If its just a matter of opening
> ports http and https for your dedicated enterprise services then is
> there even a need for a firewall!
>
> I am asking this question not to be flamed but to provoke a discussion
> as to why we still need firewalls.
>
> Assumptions:
> ++++++++++++
> I use the term firewall loosely to mean "network access control". That
> is, its a mechanism to prevent unwanted packets. Therefore, a firewall
> could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
> cisco and so forth.
>
> In particular, I have focused on Linux iptables and TCP Wrapper. I
> realize that one can install an xml based firewall to inspect packet
> content in regard to web services.
>
> Scenario Network:
> ++++++++++++++++++
> Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
> firewalls and back-end database servers etc.
>
> Is it a case that in this Enterprise SOA environment the NAC firewall is
> made redundant (as opposed to an xml firewall):
>
> Internet ---> Enterprise SOA Webservice server
>
> Assuming of course the servers are dedicated Web Service servers that
> run no other services such as DHCP, intranet web server, email and so
> forth that need to be protected?
>
> Firewall Justification:
> +++++++++++++++++++++++
>
> I am trying to find publications, white papers, reports etc that state
> the case for the need for firewalls. I need something concrete.
>
> The current information I have found (web service orientated!) tends to
> say firewalls are obsolete when talking about enterprise SOA given that
> once port 80 and 443 is open on the firewall the SOS services are
> exposed and hence protection happens at the application layer of the
> particular service.
>
> However, best practice suggests one should take a more holistic approach
> to security and apply the "belt-and-braces" approach. That is, install
> firewalls, IDS, AV, proper authentication at various OSI stack layers
> etc etc. So we get a layered security affect, thus there must be a
> justification for using a firewall still.
>
> My Opinion:
> +++++++++++
>
> My opinion on what NAC firewalls can offer to web service SOA other than
> simply opening port http and https is as follows:
>
> 1) control access to those ports via ip address ranges (eg.
> customer/business subscribers)
> 2) deep packet inspection to solicit appropriate content incoming and
> outgoing from the SOA enterprise servers.
> 3) ???? what else would be done? please comment.
>
> While I agree that there are xml based firewalls to monitor xml based
> Web Service traffic, I wonder can it perform access controls at the
> lower levels like network based firewalls (for example, block certain IP
> addresses)? My guess is they don't given the operate at the application
> layer.
>
> I also wonder why one would invest in an xml firewall that is dedicated
> to one kind of traffic profiling and not use for example a very
> expensive cisco firewall that can cover a multitude of traffic
> profiling. Presumably these expensive firewalls (or the equivalent
> unexpensive iptables firewall) can inspect the packet for malicious
> content to and from the enterprise servers (I believe we have
> snort-2-iptables to also help here). At any rate, I do not want to start
> a huge debate on the pros and cons of an xml firewall versus a network
> firewall as I am aware dedicated firewalls specialize in various traffic
> profiling. Also its best practice to install a wide range for firewall
> capabilities.
>
> The real issue is the justification of NAC's in an enterprise SOA
> environment. Of course, if this enterprise environment also included the
> company standard services such as email, dns, web server etc I can see
> the major impact of the NAC firewall. But what is the case for dedicated
> enterprise SOA?
>
>
> My shortcomings:
> ++++++++++++++++
> My inexperience in an enterprise network environment of how things are
> really carried out rather than what is done in theory.
>
>
> Summary:
> ++++++++
> What role do NAC's have to play in an environment of enterprise
> application services?
>
> All pointers to documentation and your comments are welcome.
>
> I look forward to your support,
> regards,
> Will.
>
--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
[ reply ]