Firewall Wizards mailing list archives

Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA

From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 26 Mar 2008 13:48:42 -0400

william fitzgerald wrote:

Are firewalls obsolete in a world involving enterprise Webservice SOA?


Short answer: No

Longer answer: That's like asking if brains are obsolete in a world where
everyone is busy blowing theirs out. It's kind of one of those "does not
compute" kind of questions. Firewalls will continue to be useful to the
increasingly small population of people who actually understand anything
about security.

More importantly, your question is hard to answer because you choose to
attempt (unsuccessfully because I am not going to let you get away with
it) to redefine established terminology. For example:

I use the term firewall loosely to mean network access control. That is, 
its a mechanism to prevent unwanted packets.


Considering that firewalls were initially and foremost layer-7 devices, until
they devolved to being packet-centric in the mid 1990s, you're using the
term wrong. A firewall is a system or systems that sit between two networks
at different levels of trust and enforces a security policy on communications
between them. If you actually use the definition of "firewall" that many of us
have been using since the late 1980s, such a system will never be obsolete
as long as there are untrustworthy systems.

The current information I have found (web service orientated!) tends to 
say firewalls are obsolete when talking about enterprise SOA given that 
once port 80 and 443 is open on the firewall the SOS services are 
exposed and hence protection happens at the application layer.


What you have done is rediscovered the "incoming traffic problem" -
which is a primary property of firewalls that has been well-understood
since the early 1990s. You're correct that many firewalls (especially
the packet-oriented ones or the so-called 'stateful' ones) don't do
anything useful at layer-7, and serve primarily to force traffic to an
application service which needs to be tough enough to withstand
direct attack specific to that service. And, yes, with things like
"everything tunnelled over web services" remote procedure calls,
the complete set of protocol options at layer-7 is too large to be
controlled, enumerated, or understood - which means that effectively
you are doomed to intermittent epic failures.

Back in the old days, we had similar situations and they amounted
to "block everything except incoming telnet" - well, of course you
can do anything over telnet, just like you can over these newfangled
web frobozzes.

The XML firewalls and whatnot that people are scratching their
heads about are an attempt to regain control over the command
set of options being allowed back and forth through the firewall.
At this point, because the options-set is pretty much beyond
enumeration, you're doomed to epic fail because the only perceived
alternative is to enumerate dangerous options ('default permit' and
'enumerating badness' 'antivirus') rather than enumerating accepted options
('default deny' and 'enumerating goodness') - essentially ceding
the initiative to the bad guys.

So - to summarize - your question PREDICATES the intent
to go about the problem all wrong. That is, of course, an accurate
reflection of how the industry chooses to approach the problem,
and how "web services" are currently designed. So my response
to that is that it's an approach that is doomed to endless
small failures and lots and lots of maintenance. Because, by
choosing the path of duct tape and endless patching, it's
now inherent in the design. By the way, I use the word "design"
loosely; my observation is that there's very little that can
be called "design" about web/web2 services.

None of this should be taken (please) as an attack on you.
It's frustration because the ideas you're expressing are bad
ideas that many of us have fought a long rearguard action
against, knowing we'd fail from the beginning.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA william fitzgerald (Mar 26)
- Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA Joe Nall (Mar 26)
  - Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA AMuse (Mar 26)
    - Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA wfitzgerald (Mar 26)
- Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA Marcus J. Ranum (Mar 26)
  - Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA william fitzgerald (Mar 26)
  - Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA Magosányi Árpád (Mar 27)
  - Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA Paul Melson (Mar 28)
- Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA ArkanoiD (Mar 27)