Firewall Wizards mailing list archives

Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA


From: william fitzgerald <wfitzgerald () tssg org>
Date: Fri, 21 Mar 2008 09:50:45 +0000

Dear Firewall Experts,

Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Webservice SOA?

What do I mean by the above question: given that Web Services (J2EE and 
so forth) tend to tunnel through HTTP and HTTPS (e.g. SOAP), what role can 
a traditional network firewall play (other than simply permitting 
access for all, therefore rendering the firewall as an extra cog 
providing no input in the overall process)?

I am asking this question not to be flamed but to provoke a discussion 
as to why we still need firewalls.

Assumptions:
++++++++++++
I use the term firewall loosely to mean network access control. That is, 
it's a mechanism to prevent unwanted packets. Therefore, a firewall could 
be iptables (stateful, DPI, etc.) or even the proxy TCP Wrappers, Cisco 
and so forth.

In particular, I have focused on Linux iptables and TCP Wrappers. I 
realize that one can install an XML-based firewall to inspect packet 
content in regard to web services.

Scenario Network:
++++++++++++++++++
Internet ---> Firewall ---> Enterprise SOA Server  ---> Additional 
firewalls and back-end database servers etc.

Could this be replaced by taking out the first firewall:

Internet ---> Enterprise SOA Webservice server

assuming of course the servers are dedicated webservice servers that run 
no other services such as DHCP, intranet web server, email and so forth?

Firewall Justification:
+++++++++++++++++++++++

I am trying to find publications, white papers, reports etc that state 
the case for the need for firewalls. I need something concrete.

The current information I have found (web-service orientated!) tends to 
say firewalls are obsolete when talking about enterprise SOA, given that 
once ports 80 and 443 are open on the firewall the SOA services are 
exposed and hence protection happens at the application layer.

However, best practice suggests one should take a more holistic approach 
to security and apply the belt-and-braces approach. That is, install 
firewalls, IDS, AV, proper authentication at various stack layers, etc. 
So we get a layered security effect, thus there must be a 
justification for still using a firewall.

My Opinion:
+++++++++++

My opinion on what NAC firewalls can offer to web service SOA other than 
simply opening the HTTP and HTTPS ports is as follows:

1) control access to those ports via ip address ranges
2) deep packet inspection to solicit appropriate content incoming and 
outgoing from the SOA enterprise servers.
3) ???? what else would be done? please comment.

While I agree that there are XML-based firewalls to monitor XML-based 
Web Service traffic, I wonder whether they can still perform access control at 
the lower levels like network-based firewalls (for example, block 
certain IP addresses)? My guess is they don't, given they operate at the 
application layer.

I also wonder why I would invest in an XML firewall that is dedicated to 
one kind of traffic profiling and not use, for example, a very expensive 
Cisco firewall that can cover a multitude of traffic profiling. 
Presumably these expensive firewalls (or the equivalent inexpensive 
iptables firewall) can inspect the packet for malicious content to and 
from the enterprise servers (I believe we have snort-2-iptables to also 
help here). At any rate, I do not want to start a huge debate on the 
pros and cons of an XML firewall versus a network firewall, as I am aware 
dedicated firewalls specialize in various traffic profiling.

The real issue is the justification of NACs in an enterprise SOA 
environment. Of course, if this enterprise environment also included the 
company standard services such as email, DNS, web server, etc., I can see 
the major impact of the NAC firewall. But what is the case for dedicated 
enterprise SOA?


My shortcomings:
++++++++++++++++
My inexperience in an enterprise network environment with how things are 
really carried out rather than what is done in theory.


Summary:
++++++++

What role do NACs have to play in an environment of enterprise web 
services?

All pointers to documentation and your comments are welcome.

I look forward to your support,
regards,
Will.



-- 
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
      www.linkedin.com/in/williamfitzgerald
      www.ryze.com/go/wfitzgerald



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
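As an added example that is not part of the original post or the author's own work, the following iptables script shows concretely what a network-layer firewall still contributes in front of a dedicated SOA host once only HTTP and HTTPS are exposed: point 1 of the post (restricting the web-service ports to known source ranges), plus egress control and rate-limited logging, which an XML firewall working at the application layer does not provide. The partner ranges, back-end database segment and port, and the `APPLY` switch are assumptions constructed for the example; with `IPT="echo iptables"` the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal iptables policy for a
# dedicated web-service host that sits directly behind the Internet.
# All address ranges below are constructed placeholders; replace them.
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
PARTNER_NETS="${PARTNER_NETS:-192.0.2.0/24 198.51.100.0/24}"  # callers allowed to reach the SOA endpoints
BACKEND_DB="${BACKEND_DB:-10.10.1.0/24}"                       # back-end database segment
DB_PORT="${DB_PORT:-3306}"                                     # database listener port

soa_firewall() {
  # Start from a clean table; loopback and already-established flows are
  # accepted first so the script never cuts off the session applying it.
  $IPT -F INPUT
  $IPT -F OUTPUT
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Point 1 of the post: the HTTP/HTTPS ports are reachable only from known
  # partner ranges, not from the whole Internet. The SOAP endpoint itself
  # never sees a connection from anywhere else.
  for net in $PARTNER_NETS; do
    $IPT -A INPUT -p tcp -s "$net" -m multiport --dports 80,443 \
         -m state --state NEW -j ACCEPT
  done

  # Egress control the application layer cannot give you: the host may open
  # new connections only to the back-end database segment, so a compromised
  # service cannot call out to arbitrary hosts.
  $IPT -A OUTPUT -p tcp -d "$BACKEND_DB" --dport "$DB_PORT" \
       -m state --state NEW -j ACCEPT

  # Rate-limited logging of everything else (feeds the IDS/log review the
  # post mentions as part of the layered approach), then drop.
  $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "SOA-FW-DROP-IN: "
  $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "SOA-FW-DROP-OUT: "
  $IPT -A INPUT  -j DROP
  $IPT -A OUTPUT -j DROP

  # Default-deny policies last, once the explicit accepts are in place.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
}

# Apply only when explicitly asked (APPLY=1); otherwise this file just
# defines the policy so it can be sourced and reviewed.
if [ "${APPLY:-0}" = "1" ]; then
  soa_firewall
fi
```

Usage: `IPT="echo iptables" sh soa_firewall.sh` together with `APPLY=1` prints the rule set for review; `APPLY=1 sh soa_firewall.sh` as root installs it. The design choice worth noting is the OUTPUT chain: even with every packet to port 443 being legitimate-looking XML that only an application-layer inspector can judge, the network firewall still decides which hosts the server may talk to at all, which is independent of anything inside the SOAP envelope.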