Dear Firewall Experts,

Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Webservice SOA?

What do I mean by the above question: given that Web Services (J2EE and
so forth) tend to tunnel through http and https (e.g. SOAP), what role can
a traditional network firewall play? (other than simply permitting
access for all, therefore rendering the firewall an extra cog
providing no input in the overall process)

I am asking this question not to be flamed but to provoke a discussion
as to why we still need firewalls.

Assumptions:
++++++++++++
I use the term firewall loosely to mean network access control. That is,
it's a mechanism to prevent unwanted packets. Therefore, a firewall could
be iptables (stateful, DPI etc.) or even the proxy TCP Wrappers, Cisco
and so forth.

In particular, I have focused on Linux iptables and TCP Wrapper. I
realize that one can install an xml based firewall to inspect packet
content in regard to web services.

Scenario Network:
++++++++++++++++++
Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
firewalls and back-end database servers etc.

Could this be replaced by taking out the first firewall:

Internet ---> Enterprise SOA Webservice server

assuming of course the servers are dedicated webservice servers that run
no other services such as DHCP, intranet web server, email and so forth?

Firewall Justification:
+++++++++++++++++++++++

I am trying to find publications, white papers, reports etc that state
the case for the need for firewalls. I need something concrete.

The current information I have found (web service orientated!) tends to
say firewalls are obsolete when talking about enterprise SOA given that
once ports 80 and 443 are open on the firewall the SOA services are
exposed and hence protection happens at the application layer.

However, best practice suggests one should take a more holistic approach
to security and apply the belt-and-braces approach. That is, install
firewalls, IDS, AV, proper authentication at various stack layers etc.
etc. So we get a layered security effect, thus there must still be a
justification for using a firewall.

My Opinion:
+++++++++++

My opinion on what NAC firewalls can offer to web service SOA other than
simply opening the http and https ports is as follows:

1) control access to those ports via ip address ranges
2) deep packet inspection to solicit appropriate content incoming and
outgoing from the SOA enterprise servers.
3) ???? what else would be done? please comment.

While I agree that there are xml based firewalls to monitor xml based
Web Service traffic, I wonder whether they can still perform access controls at
the lower levels like network based firewalls (for example, block
certain IP addresses)? My guess is they don't, given they operate at the
application layer.

I also wonder why I would invest in an xml firewall that is dedicated to
one kind of traffic profiling and not use, for example, a very expensive
Cisco firewall that can cover a multitude of traffic profiling.
Presumably these expensive firewalls (or the equivalent inexpensive
iptables firewall) can inspect the packet for malicious content to and
from the enterprise servers (I believe we have snort-2-iptables to also
help here). At any rate, I do not want to start a huge debate on the
pros and cons of an xml firewall versus a network firewall as I am aware
dedicated firewalls specialize in various traffic profiling.

The real issue is the justification of NACs in an enterprise SOA
environment. Of course, if this enterprise environment also included the
company standard services such as email, DNS, web server etc. I can see
the major impact of the NAC firewall. But what is the case for dedicated
enterprise SOA?


My shortcomings:
++++++++++++++++
My inexperience in an enterprise network environment of how things are
really carried out rather than what is done in theory.


Summary:
++++++++

What role do NACs have to play in an environment of enterprise web
services?

All pointers to documentation and your comments are welcome.

I look forward to your support,
regards,
Will.



--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
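As an added illustration of items 1 and 2 in Will's list (this is not code from the original post or from the firewall-wizards list), the script below generates an iptables policy for the "dedicated web-service server" in the scenario network: default deny, stateful connection tracking, TCP 80/443 accepted only from named client ranges, management only from an admin subnet, outbound new connections only towards the back-end tier, and everything else logged and dropped. The client, admin and back-end ranges are placeholders drawn from the RFC 5737 documentation prefixes; the `gen_rules` function is a dry run that prints the commands, and `apply` executes them via `sh -e` so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny iptables policy for a
# host that runs only HTTP/HTTPS web services and talks to a back-end tier.
# All address ranges below are placeholders (RFC 5737 documentation prefixes).

ALLOWED_CLIENT_RANGES="${ALLOWED_CLIENT_RANGES:-192.0.2.0/24 198.51.100.0/24}"  # placeholder client/partner ranges
ADMIN_RANGE="${ADMIN_RANGE:-203.0.113.0/28}"      # placeholder management subnet
BACKEND_RANGE="${BACKEND_RANGE:-203.0.113.64/26}" # placeholder back-end (DB) tier
BACKEND_PORTS="${BACKEND_PORTS:-5432}"            # placeholder back-end service port
WEB_PORTS="80 443"

# Dry run: print the iptables commands rather than executing them, so the
# policy can be reviewed or version-controlled before it is applied.
gen_rules() {
    # Default deny in all directions; flush any previous rules.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"

    # Loopback and stateful return traffic; drop packets conntrack cannot classify.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"

    # Item 1 from the post: web-service ports only from the listed client ranges,
    # and only for NEW connections (no unsolicited SYN-ACKs or stray segments).
    for range in $ALLOWED_CLIENT_RANGES; do
        for port in $WEB_PORTS; do
            echo "iptables -A INPUT -p tcp -s $range --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done

    # Management plane reachable only from the admin subnet.
    echo "iptables -A INPUT -p tcp -s $ADMIN_RANGE --dport 22 -m conntrack --ctstate NEW -j ACCEPT"

    # Egress: a web-service host should only open new connections to its back-end
    # tier. This limits what a compromised application server can reach.
    for port in $BACKEND_PORTS; do
        echo "iptables -A OUTPUT -p tcp -d $BACKEND_RANGE --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Rate-limited logging of everything that falls through, then drop. The log
    # line is the detection signal the application layer never sees.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP-IN: \""
    echo "iptables -A INPUT -j DROP"
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP-OUT: \""
    echo "iptables -A OUTPUT -j DROP"
}

# Number of generated ACCEPT rules for the web ports (one per range per port).
count_web_accepts() {
    gen_rules | grep -c -- '-A INPUT -p tcp -s .* --dport \(80\|443\) -m conntrack --ctstate NEW -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | sh -e      # requires root and iptables on the host
else
    gen_rules              # dry run: print the policy
fi
```

Run it with no arguments to review the generated policy, and `sh fw.sh apply` as root once the ranges have been set to real values. Note that the DPI the post mentions (item 2) is not expressible in plain iptables match rules; what this layer adds is source restriction, connection-state enforcement, egress control and a drop log, none of which the SOAP stack provides on its own.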



_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards