Re: Are firewalls obsolete in a world involving enterprise applications SOA?

Thanks Geoffrey,

I agree firewalls are an important point of demarcation narrowing access 
 (intended access) between various intranets.

In your experience what kinds of rules or policies are put in place when 
an enterprise application goes live? What are the kinds of policies that 
application developers demand from system administrators?

My argument is that it appears to me that (secure) Enterprise Web 
Service applications, particularly those involving access control, are 
typically focused at the application-domain only, rather than taking a 
more holistic approach to also include the underlying infrastructure 
(for example, firewalls). As a result, infrastructure configurations may 
unintentionally hinder and prohibit the normal operation of the Web Service.

Thus, the ideal firewall configuration is one that is aligned with the 
application supported by the system, that is, it permits valid 
application traffic, and, preferably, no more and no less.

As I stated in my original post, Web Service developers assume the 
underlying infrastructure is automatically available. Also there seems 
to be a tendency to tunnel (for example SOAP) over http or https. From 
this point of view, Web Service developers may form the opinion that 
firewalls are redundant as they typically have ports 80 and 443 
accessible (and forward traffic to specialized user-space programs for 
further packet processing).

Maybe this is correct! comments?

In my opinion, deploying a network level firewall  (such as Linux 
Netfilter) provisioned for Enterprise Web Services is not simply about 
opening port 80 on the server for all traffic; one may wish to deny 
certain nodes (IP addresses, etc.), only accept HTTP traffic from some 
nodes, require other nodes to use HTTPS and also deal with HTTP traffic 
that is tunneled through proxies available on other ports.

Comments?

While low level infrastructure such as network firewalls may not solve 
all security issues ( as a more suitable application based XML firewall 
mite) in regard to Web Service applications, I believe as stated in my 
previous post, they have a role to play in applying the belt-and-braces 
approach to security best practices.

Comments?

What I am really looking for is some concrete documents, publications, 
administrator experience that helps clarify the important role of 
Network Access Controls (firewalls, IPS etc) within an enterprise SOA 
environment, if any.

regards,
Will.

Geoffrey Gowey wrote:
> To be succinct: yes, firewalls are still very much a necessity.  If one 
> ignores the more advanced features of firewalls and only focuses on the 
> basic features of ip packet source/destination filtering there's still 
> evidence of a clear need for them before even seeing what the usage of 
> other technologies such as SMLI or SPF bring to the table.  Relying on 
> operating system and application security alone is insufficient in a 
> networked environment.
>
> By putting internal and external firewalls in place, a corporation has 
> choke points that can enforce corporate policy of what an application 
> really should be limited to doing.  A for instance would be the 
> limitation of IP access from a DMZ web server to a middle tier server 
> for its data.  A firewall between the DMZ server and the middle tier 
> server can be configured to ensure that this is the only access the 
> server has and not access to other systems that it has no reason to be 
> interacting with (such as a mail server).  This helps reduce exposure 
> should the DMZ server be compromised.  Also, if the firewall between the 
> DMZ server and the middle tier server is configured properly, you will 
> be able to discover irregular activity that could indicate a misbehaving 
> application or a server compromise by traffic trying to conduct actions 
> that were not part of the agreed on policy.
>
>
> On Tue, Mar 25, 2008 at 4:56 AM, william fitzgerald 
> <wfitzgerald@tssg.org <mailto:wfitzgerald@tssg.org>> wrote:
>
>     Dear Firewall Experts,
>
>     Provocative Question:
>     ++++++++++++++++++++
>     Are firewalls obsolete in a world involving enterprise Web Service SOA?
>
>     What do I mean by the above question: given that Web Services (J2EE and
>     so forth) tend to tunnel through http and https (eg. SOAP) what role can
>     a traditional network firewall play? If its just a matter of opening
>     ports http and https for your dedicated enterprise services then is
>     there even a need for a firewall!
>
>     I am asking this question not to be flamed but to provoke a discussion
>     as to why we still need firewalls.
>
>     Assumptions:
>     ++++++++++++
>     I use the term firewall loosely to mean "network access control". That
>     is, its a mechanism to prevent unwanted packets. Therefore, a firewall
>     could be iptables (stateful, DPI etc) or even the proxy TCP Wrappers,
>     cisco and so forth.
>
>     In particular, I have focused on Linux iptables and TCP Wrapper. I
>     realize that one can install an xml based firewall to inspect packet
>     content in regard to web services.
>
>     Scenario Network:
>     ++++++++++++++++++
>     Internet ---> Firewall ---> Enterprise SOA Server  ---> Additional
>     firewalls and back-end database servers etc.
>
>     Is it a case that in this Enterprise SOA environment the NAC firewall is
>     made redundant (as opposed to an xml firewall):
>
>     Internet ---> Enterprise SOA Webservice server
>
>     Assuming of course the servers are dedicated Web Service servers that
>     run no other services such as DHCP, intranet web server, email and so
>     forth that need to be protected?
>
>     Firewall Justification:
>     +++++++++++++++++++++++
>
>     I am trying to find publications, white papers, reports etc that state
>     the case for the need for firewalls. I need something concrete.
>
>     The current information I have found (web service orientated!) tends to
>     say firewalls are obsolete when talking about enterprise SOA given that
>     once port 80 and 443 is open on the firewall the SOS services are
>     exposed and hence protection happens at the application layer of the
>     particular service.
>
>     However, best practice suggests one should take a more holistic approach
>     to security and apply the "belt-and-braces" approach. That is, install
>     firewalls, IDS, AV, proper authentication at various OSI stack layers
>     etc etc. So we get a layered security affect, thus there must be a
>     justification for using a firewall still.
>
>     My Opinion:
>     +++++++++++
>
>     My opinion on what NAC firewalls can offer to web service SOA other than
>      simply opening port http and https is as follows:
>
>     1) control access to those ports via ip address ranges (eg.
>     customer/business subscribers)
>     2) deep packet inspection to solicit appropriate content incoming and
>     outgoing from the SOA enterprise servers.
>     3) ???? what else would be done? please comment.
>
>     While I agree that there are xml based firewalls to monitor xml based
>     Web Service traffic, I wonder can it perform access controls at the
>     lower levels like network based firewalls (for example, block certain IP
>     addresses)? My guess is they don't given the operate at the application
>     layer.
>
>     I also wonder why one would invest in an xml firewall that is dedicated
>     to one kind of traffic profiling and not use for example a very
>     expensive cisco firewall that can cover a multitude of traffic
>     profiling. Presumably these expensive firewalls (or the equivalent
>     unexpensive iptables firewall) can inspect the packet for malicious
>     content to and from the enterprise servers (I believe we have
>     snort-2-iptables to also help here). At any rate, I do not want to start
>     a huge debate on the pros and cons of an xml firewall versus a network
>     firewall as I am aware dedicated firewalls specialize in various traffic
>     profiling. Also its best practice to install a wide range for firewall
>     capabilities.
>
>     The real issue is the justification of NAC's in an enterprise SOA
>     environment. Of course, if this enterprise environment also included the
>     company standard services such as email, dns, web server etc I can see
>     the major impact of the NAC firewall. But what is the case for dedicated
>     enterprise SOA?
>
>
>     My shortcomings:
>     ++++++++++++++++
>     My inexperience in an enterprise network environment of how things are
>     really carried out rather than what is done in theory.
>
>
>     Summary:
>     ++++++++
>     What role do NAC's have to play in an environment of enterprise
>     application services?
>
>     All pointers to documentation and your comments are welcome.
>
>     I look forward to your support,
>     regards,
>     Will.
>
>     --
>     William M. Fitzgerald,
>     PhD Student,
>     Telecommunications Software & Systems Group,
>     ArcLabs Research and Innovation Centre,
>     Waterford Institute of Technology,
>     WIT West Campus,
>     Carriganore,
>     Waterford.
>     Office Ph: +353 51 302937
>     Mobile Ph: +353 87 9527083
>     Web: www.williamfitzgerald.org <http://www.williamfitzgerald.org>
>          www.linkedin.com/in/williamfitzgerald
>     <http://www.linkedin.com/in/williamfitzgerald>
>          www.ryze.com/go/wfitzgerald <http://www.ryze.com/go/wfitzgerald>
>
>
>
>
>
>
> --
> Kindest Regards,
>
> Geoff

--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
     www.linkedin.com/in/williamfitzgerald
     www.ryze.com/go/wfitzgerald