Traditional firewalls are not going to go away. It does not mean that
Web security firewalls are not required. Web application firewalls only
work on HTTP protocol and it is required to protect your HTTP Server
infrastructure and provide access control at the application level.
Traditional firewalls are required at the Enterprise Edge and Enterprise
core to provide control among different zones for different services.
Short answer: Both are required and they complement each other.
Srini
Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Web Service SOA?
What do I mean by the above question: given that Web Services (J2EE and
so forth) tend to tunnel through http and https (eg. SOAP) what role can
a traditional network firewall play? If its just a matter of opening
ports http and https for your dedicated enterprise services then is
there even a need for a firewall!
I am asking this question not to be flamed but to provoke a discussion
as to why we still need firewalls.
Assumptions:
++++++++++++
I use the term firewall loosely to mean "network access control". That
is, its a mechanism to prevent unwanted packets. Therefore, a firewall
could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
cisco and so forth.
In particular, I have focused on Linux iptables and TCP Wrapper. I
realize that one can install an xml based firewall to inspect packet
content in regard to web services.
Scenario Network:
++++++++++++++++++
Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
firewalls and back-end database servers etc.
Is it a case that in this Enterprise SOA environment the NAC firewall is
made redundant (as opposed to an xml firewall):
Internet ---> Enterprise SOA Webservice server
Assuming of course the servers are dedicated Web Service servers that
run no other services such as DHCP, intranet web server, email and so
forth that need to be protected?
Firewall Justification:
+++++++++++++++++++++++
I am trying to find publications, white papers, reports etc that state
the case for the need for firewalls. I need something concrete.
The current information I have found (web service orientated!) tends to
say firewalls are obsolete when talking about enterprise SOA given that
once port 80 and 443 is open on the firewall the SOS services are
exposed and hence protection happens at the application layer of the
particular service.
However, best practice suggests one should take a more holistic approach
to security and apply the "belt-and-braces" approach. That is, install
firewalls, IDS, AV, proper authentication at various OSI stack layers
etc etc. So we get a layered security affect, thus there must be a
justification for using a firewall still.
My Opinion:
+++++++++++
My opinion on what NAC firewalls can offer to web service SOA other than
simply opening port http and https is as follows:
1) control access to those ports via ip address ranges (eg.
customer/business subscribers)
2) deep packet inspection to solicit appropriate content incoming and
outgoing from the SOA enterprise servers.
3) ???? what else would be done? please comment.
While I agree that there are xml based firewalls to monitor xml based
Web Service traffic, I wonder can it perform access controls at the
lower levels like network based firewalls (for example, block certain IP
addresses)? My guess is they don't given the operate at the application
layer.
I also wonder why one would invest in an xml firewall that is dedicated
to one kind of traffic profiling and not use for example a very
expensive cisco firewall that can cover a multitude of traffic
profiling. Presumably these expensive firewalls (or the equivalent
unexpensive iptables firewall) can inspect the packet for malicious
content to and from the enterprise servers (I believe we have
snort-2-iptables to also help here). At any rate, I do not want to start
a huge debate on the pros and cons of an xml firewall versus a network
firewall as I am aware dedicated firewalls specialize in various traffic
profiling. Also its best practice to install a wide range for firewall
capabilities.
The real issue is the justification of NAC's in an enterprise SOA
environment. Of course, if this enterprise environment also included the
company standard services such as email, dns, web server etc I can see
the major impact of the NAC firewall. But what is the case for dedicated
enterprise SOA?
My shortcomings:
++++++++++++++++
My inexperience in an enterprise network environment of how things are
really carried out rather than what is done in theory.
Summary:
++++++++
What role do NAC's have to play in an environment of enterprise
application services?
All pointers to documentation and your comments are welcome.
I look forward to your support,
regards,
Will.
--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
Hi,
Traditional firewalls are not going to go away. It does not mean that
Web security firewalls are not required. Web application firewalls only
work on HTTP protocol and it is required to protect your HTTP Server
infrastructure and provide access control at the application level.
Traditional firewalls are required at the Enterprise Edge and Enterprise
core to provide control among different zones for different services.
Short answer: Both are required and they complement each other.
Srini
Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Web Service SOA?
What do I mean by the above question: given that Web Services (J2EE and
so forth) tend to tunnel through http and https (eg. SOAP) what role can
a traditional network firewall play? If its just a matter of opening
ports http and https for your dedicated enterprise services then is
there even a need for a firewall!
I am asking this question not to be flamed but to provoke a discussion
as to why we still need firewalls.
Assumptions:
++++++++++++
I use the term firewall loosely to mean "network access control". That
is, its a mechanism to prevent unwanted packets. Therefore, a firewall
could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
cisco and so forth.
In particular, I have focused on Linux iptables and TCP Wrapper. I
realize that one can install an xml based firewall to inspect packet
content in regard to web services.
Scenario Network:
++++++++++++++++++
Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
firewalls and back-end database servers etc.
Is it a case that in this Enterprise SOA environment the NAC firewall is
made redundant (as opposed to an xml firewall):
Internet ---> Enterprise SOA Webservice server
Assuming of course the servers are dedicated Web Service servers that
run no other services such as DHCP, intranet web server, email and so
forth that need to be protected?
Firewall Justification:
+++++++++++++++++++++++
I am trying to find publications, white papers, reports etc that state
the case for the need for firewalls. I need something concrete.
The current information I have found (web service orientated!) tends to
say firewalls are obsolete when talking about enterprise SOA given that
once port 80 and 443 is open on the firewall the SOS services are
exposed and hence protection happens at the application layer of the
particular service.
However, best practice suggests one should take a more holistic approach
to security and apply the "belt-and-braces" approach. That is, install
firewalls, IDS, AV, proper authentication at various OSI stack layers
etc etc. So we get a layered security affect, thus there must be a
justification for using a firewall still.
My Opinion:
+++++++++++
My opinion on what NAC firewalls can offer to web service SOA other than
simply opening port http and https is as follows:
1) control access to those ports via ip address ranges (eg.
customer/business subscribers)
2) deep packet inspection to solicit appropriate content incoming and
outgoing from the SOA enterprise servers.
3) ???? what else would be done? please comment.
While I agree that there are xml based firewalls to monitor xml based
Web Service traffic, I wonder can it perform access controls at the
lower levels like network based firewalls (for example, block certain IP
addresses)? My guess is they don't given the operate at the application
layer.
I also wonder why one would invest in an xml firewall that is dedicated
to one kind of traffic profiling and not use for example a very
expensive cisco firewall that can cover a multitude of traffic
profiling. Presumably these expensive firewalls (or the equivalent
unexpensive iptables firewall) can inspect the packet for malicious
content to and from the enterprise servers (I believe we have
snort-2-iptables to also help here). At any rate, I do not want to start
a huge debate on the pros and cons of an xml firewall versus a network
firewall as I am aware dedicated firewalls specialize in various traffic
profiling. Also its best practice to install a wide range for firewall
capabilities.
The real issue is the justification of NAC's in an enterprise SOA
environment. Of course, if this enterprise environment also included the
company standard services such as email, dns, web server etc I can see
the major impact of the NAC firewall. But what is the case for dedicated
enterprise SOA?
My shortcomings:
++++++++++++++++
My inexperience in an enterprise network environment of how things are
really carried out rather than what is done in theory.
Summary:
++++++++
What role do NAC's have to play in an environment of enterprise
application services?
All pointers to documentation and your comments are welcome.
I look forward to your support,
regards,
Will.
--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
************************************************************************
********
This email message (including any attachments) is for the sole use of the intended recipient(s)
and may contain confidential, proprietary and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all copies of the original message.
Thank you.
Intoto Inc.
[ reply ]