Re: Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA

[wfitzgerald () tssg org]

Hi Joe and AMuse,

I agree there are many more services within an enterprise environment.

I am referring to the specific case of Web Service deployment whereby I
have had remarks in the past that since web services tunnel through http,
requiring network admins to sanction controls is trival over even
pointless given that port 80 is usually open.

I quote: "...I do not see this as a relevant problem as most deployed Web
Service applications use the HTTP protocol over port 80 with is usually
open..." and "...Also remember that one of the early arguments for Web
Services was, that they use HTTP and thus not conflict with most
firewalls. Most Web applications handle access control on application
level and not on HTTP or TCP level..."

while I agree, I am saying its not just as trivial as opening port 80 and
443. In my opinion, deploying Web Services is not simply about opening
port 80 on the server for all traffic; one may wish to deny certain nodes
(IP addresses, etc.), only accept HTTP traffic from some nodes, require
other nodes to use HTTPS and also deal with HTTP traffic that is tunneled
through proxies available on other ports.

My initial arguement was that Enterprise Web Service applications,
particularly those involving access control, are typically focused at the
application-domain only, rather than taking a more holistic approach to
also include the underlying infrastructure (for example, firewalls). As a
result, infrastructure configurations may unintentionally hinder and
prohibit the normal operation of the Web Service.

Maybe port 80 is not open! maybe the rule for port 80 is too promiscuous
and access to port 80 needs to be restricted to trusted business partners
who need to access the web service via port 80.

Thus there needs to be some sort of ALIGNMENT of web services to firewalls
even though application developers suggest just open port 80 as a trivial
solution.




> We definitely still need firewalls.
>
> Yes, web services (J2EE) tunnel through HTTP, but I may have 30,000
> hosts on my network.  Without a firewall, how do I prevent them from
> advertising services to the world, then poorly configuring those services?
>
> And how does J2EE tunneling across HTTP have anything to do with the
> above risk and the use of a firewall to mitigate it?
>
> Joe Nall wrote:
> > On Mar 21, 2008, at 4:50 AM, william fitzgerald wrote:
> >
> > > Dear Firewall Experts,
> > >
> > > Provocative Question:
> > > ++++++++++++++++++++
> > > Are firewalls obsolete in a world involving enterprise Webservice SOA?
> > >
> > > What do I mane by the above question: given that Web Services (J2EE
> > > and
> > > so forth) tend to tunnel through http and https (eg. SOAP) what role
> > > can
> > > a traditional network firewall play? (other than simply permitting
> > > access for all, therefore rendering the firewall as an extra cog
> > > providing no input in the overall process)
> > >
> > > I am asking this question not to be flamed but to provoke a discussion
> > > as to why we still need firewalls.
> >
> > Well there are 65534 other ports :)
> >
> > joe
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards