Re: [fw-wiz] Provocative Query: Are firewalls obsolete in a world
Sure, yes. Firewalls that are not able to perform at application layer
are obsolete since early 90's ;-)
On Fri, Mar 21, 2008 at 09:50:45AM +0000, william fitzgerald wrote:
> Dear Firewall Experts,
> Provocative Question:
> Are firewalls obsolete in a world involving enterprise Webservice SOA?
> What do I mean by the above question: given that Web Services (J2EE and
> so forth) tend to tunnel through http and https (eg. SOAP) what role can
> a traditional network firewall play? (other than simply permitting
> access for all, therefore rendering the firewall as an extra cog
> providing no input in the overall process)
> I am asking this question not to be flamed but to provoke a discussion
> as to why we still need firewalls.
> I use the term firewall loosely to mean network access control. That is,
> it's a mechanism to prevent unwanted packets. Therefore, a firewall could
> be iptables (stateful, DPI etc) or even the proxy TCP Wrappers, cisco
> and so forth.
> In particular, I have focused on Linux iptables and TCP Wrapper. I
> realize that one can install an xml based firewall to inspect packet
> content in regard to web services.
> Scenario Network:
> Internet ---> Firewall ---> Enterprise SOA Server ---> Additional
> firewalls and back-end database servers etc.
> Could this be replaced by taking out the first firewall:
> Internet ---> Enterprise SOA Webservice server
> assuming of course the servers are dedicated webservice servers that run
> no other services such as DHCP, intranet web server, email and so forth?
> Firewall Justification:
> I am trying to find publications, white papers, reports etc that state
> the case for the need for firewalls. I need something concrete.
> The current information I have found (web service orientated!) tends to
> say firewalls are obsolete when talking about enterprise SOA given that
> once ports 80 and 443 are open on the firewall the SOA services are
> exposed and hence protection happens at the application layer.
> However, best practice suggests one should take a more holistic approach
> to security and apply the belt-and-braces approach. That is, install
> firewalls, IDS, AV, proper authentication at various stack layers etc
> etc. So we get a layered security effect, thus there must be a
> justification for using a firewall still.
> My Opinion:
> My opinion on what NAC firewalls can offer to web service SOA other than
> simply opening port http and https is as follows:
> 1) control access to those ports via ip address ranges
> 2) deep packet inspection to solicit appropriate content incoming and
> outgoing from the SOA enterprise servers.
> 3) ???? what else would be done? please comment.
> While I agree that there are xml based firewalls to monitor xml based
> Web Service traffic, I wonder whether they can still perform access controls at
> the lower levels like network based firewalls (for example, block
> certain IP addresses)? My guess is they don't, given they operate at the
> application layer.
> I also wonder why I would invest in an xml firewall that is dedicated to
> one kind of traffic profiling and not use for example a very expensive
> cisco firewall that can cover a multitude of traffic profiling.
> Presumably these expensive firewalls (or the equivalent inexpensive
> iptables firewall) can inspect the packet for malicious content to and
> from the enterprise servers (I believe we have snort-2-iptables to also
> help here). At any rate, I do not want to start a huge debate on the
> pros and cons of an xml firewall versus a network firewall as I am aware
> dedicated firewalls specialize in various traffic profiling.
> The real issue is the justification of NAC's in an enterprise SOA
> environment. Of course, if this enterprise environment also included the
> company standard services such as email, dns, web server etc I can see
> the major impact of the NAC firewall. But what is the case for dedicated
> enterprise SOA?
> My shortcomings:
> My inexperience in an enterprise network environment of how things are
> really carried out rather than what is done in theory.
> What role do NAC's have to play in an environment of enterprise web
> All pointers to documentation and your comments are welcome.
> I look forward to your support,
> William M. Fitzgerald,
> PhD Student,
> Telecommunications Software & Systems Group,
> ArcLabs Research and Innovation Centre,
> Waterford Institute of Technology,
> WIT West Campus,
> Office Ph: +353 51 302937
> Mobile Ph: +353 87 9527083
> Web: www.williamfitzgerald.org
> firewall-wizards mailing list
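The "Internet ---> Firewall ---> Enterprise SOA Server" scenario from the question, written as an added example (not from the original thread) of what the network-layer firewall still contributes once ports 80 and 443 are open: a default-deny iptables-restore ruleset for the dedicated web-service host that limits who may reach those ports, restricts the host's own egress to the back-end database, and logs what it drops. The partner address ranges and the database host/port are constructed placeholders.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a dedicated SOA web-service host.
# Constructed placeholders (assumptions, not values from the thread):
PARTNER_NETS="203.0.113.0/24 198.51.100.0/24"   # client ranges allowed to call the service
DB_HOST="10.0.0.20"                               # back-end database the SOA host may reach
DB_PORT=5432                                      # database listener port

soa_fw_rules() {
    # Default policy is DROP in every direction; only explicitly listed flows pass.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Network-layer access control: HTTP/HTTPS only from the known partner ranges,
    # so "port 80 and 443 open" does not mean "open to the whole Internet".
    for net in $PARTNER_NETS; do
        for port in 80 443; do
            printf '%s\n' "-A INPUT -p tcp -s $net --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Egress control: the service host may only open new connections to its database.
    # Anything else it tries to reach (e.g. after a compromise) is dropped and logged.
    cat <<EOF
-A OUTPUT -p tcp -d $DB_HOST --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "soa-fw-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "soa-fw-egress: "
COMMIT
EOF
}

# Review the generated ruleset before loading it, e.g.:
#   soa_fw_rules > /etc/iptables/soa.rules && iptables-restore < /etc/iptables/soa.rules
soa_fw_rules
```

The rules only cover the network layer; content inspection of the SOAP payloads (the application-layer part of the reply) still has to happen in a proxy or XML-aware gateway behind it.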