Firewall Wizards mailing list archives
Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA
From: wfitzgerald () tssg org
Date: Wed, 26 Mar 2008 21:15:37 -0000 (GMT)
Hi Joe and AMuse,

I agree there are many more services within an enterprise environment. I am referring to the specific case of Web Service deployment whereby I have had remarks in the past that since web services tunnel through http, requiring network admins to sanction controls is trivial or even pointless given that port 80 is usually open.

I quote:

"...I do not see this as a relevant problem as most deployed Web Service applications use the HTTP protocol over port 80 which is usually open..."

and

"...Also remember that one of the early arguments for Web Services was, that they use HTTP and thus not conflict with most firewalls. Most Web applications handle access control on application level and not on HTTP or TCP level..."

While I agree, I am saying it's not just as trivial as opening port 80 and 443.

In my opinion, deploying Web Services is not simply about opening port 80 on the server for all traffic; one may wish to deny certain nodes (IP addresses, etc.), only accept HTTP traffic from some nodes, require other nodes to use HTTPS and also deal with HTTP traffic that is tunneled through proxies available on other ports.

My initial argument was that Enterprise Web Service applications, particularly those involving access control, are typically focused at the application-domain only, rather than taking a more holistic approach to also include the underlying infrastructure (for example, firewalls). As a result, infrastructure configurations may unintentionally hinder and prohibit the normal operation of the Web Service.

Maybe port 80 is not open! Maybe the rule for port 80 is too promiscuous and access to port 80 needs to be restricted to trusted business partners who need to access the web service via port 80. Thus there needs to be some sort of ALIGNMENT of web services to firewalls even though application developers suggest just open port 80 as a trivial solution.
We definitely still need firewalls. Yes, web services (J2EE) tunnel through HTTP, but I may have 30,000 hosts on my network. Without a firewall, how do I prevent them from advertising services to the world, then poorly configuring those services? And how does J2EE tunneling across HTTP have anything to do with the above risk and the use of a firewall to mitigate it?

Joe Nall wrote:

On Mar 21, 2008, at 4:50 AM, william fitzgerald wrote:

Dear Firewall Experts,

Provocative Question:
++++++++++++++++++++
Are firewalls obsolete in a world involving enterprise Webservice SOA?

What do I mean by the above question: given that Web Services (J2EE and so forth) tend to tunnel through http and https (eg. SOAP) what role can a traditional network firewall play? (other than simply permitting access for all, therefore rendering the firewall as an extra cog providing no input in the overall process)

I am asking this question not to be flamed but to provoke a discussion as to why we still need firewalls.

Well there are 65534 other ports :)

joe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
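The alignment problem raised in the message above, as an added example that is not part of the original post: a first-match checker that compares a firewall policy with the sources a web service expects to serve, reporting requirements the firewall breaks and allow rules wider than any requirement. The rule format, `RULES`, `REQUIRED`, the function names and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed first-match policy: (action, source CIDR, destination port).
RULES = [
    ("deny",  "203.0.113.0/24",  80),    # node range to be refused
    ("allow", "0.0.0.0/0",       80),    # the "just open port 80" rule
    ("allow", "198.51.100.0/24", 443),   # HTTPS from one partner network
    ("deny",  "0.0.0.0/0",       None),  # default deny; None means any port
]

# Constructed requirements: sources the web service expects to reach it.
REQUIRED = [
    ("partner-a", "192.0.2.0/24",    80),    # plain HTTP partner
    ("partner-b", "198.51.100.0/24", 443),   # HTTPS-only partner
    ("partner-c", "203.0.113.16/28", 80),    # sits inside the denied range
    ("partner-d", "192.0.2.128/25",  8080),  # arrives via a proxy on another port
]

def first_match(rules, src, port):
    """Return (index, action) of the first rule covering the whole source net.

    Simplification: a rule that only partly overlaps the source is skipped.
    """
    src = ipaddress.ip_network(src)
    for i, (action, cidr, rport) in enumerate(rules):
        if src.subnet_of(ipaddress.ip_network(cidr)) and rport in (None, port):
            return i, action
    return None, "deny"  # nothing matched: treat as implicit deny

def blocked(rules, required):
    """Names of requirements the firewall would stop from working."""
    return [name for name, src, port in required
            if first_match(rules, src, port)[1] != "allow"]

def promiscuous(rules, required):
    """Allow rules whose source is wider than every requirement on that port."""
    findings = []
    for action, cidr, rport in rules:
        if action != "allow":
            continue
        net = ipaddress.ip_network(cidr)
        needed = [ipaddress.ip_network(s) for _, s, p in required if p == rport]
        if not any(net.subnet_of(n) for n in needed):
            findings.append((cidr, rport))
    return findings

if __name__ == "__main__":
    print("blocked requirements:", blocked(RULES, REQUIRED))
    print("over-permissive allows:", promiscuous(RULES, REQUIRED))
```
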