- From: william fitzgerald <wfitzgerald@tssg.org>
- Date: Wed, 26 Mar 2008 12:25:28 +0000
- To: semantic-web@w3.org
Dear Semantic Web Experts,
How do you envision Semantic Web integrating with the existing
underlying security infrastructure (in particular, firewalls)?
It would appear to me (secure) Semantic Web applications, particularly
those involving access control, are typically focused at the
application-domain only, rather than taking a more holistic approach to
also include the underlying infrastructure (for example, firewalls). As
a result, infrastructure configurations may unintentionally hinder and
prohibit the normal operation of the Semantic Web.
Thus, the ideal firewall configuration is one that is aligned with the
application supported by the system, that is, it permits valid semantic
application traffic, and, preferably, no more and no less.
While the Semantic Web services may provide applications with security
services, I am arguing that firewalls (network and application layer)
still have a role to play in securing the infrastructure that hosts
services, in particular as it is considered best practice to rely on
multiple layers of security.
It is my assumption (possibly naive) that Semantic Web (coupled with Web
Services) developers assume the underlying infrastructure is available.
Also there seems to be a tendency to tunnel (for example SOAP) over HTTP
or HTTPS. From this point of view, Semantic Web developers may form the
opinion that firewalls are redundant as they typically have ports 80 and
443 open. Maybe they are correct!
Have you any comments?
My initial thoughts of deploying a network-level firewall, for example,
Linux Netfilter, to protect a Semantic Web server or Semantic Web client
is not simply about opening port 80 and/or 443 on the server for all
traffic; one may wish to deny certain nodes (IP addresses, etc.), only
accept HTTP traffic from some nodes, require other nodes to use HTTPS
and also deal with HTTP traffic that is tunneled through proxies
available on other ports.
Of course it's much easier to argue a case for application-level
firewalls, in particular XML firewalls, but as I have stated earlier
coarse-grained access control at lower layers is also required.
Another point I would like to make is there often seems to be an
assumption that semantic web services are executed on dedicated bastion
hosts that do not execute any other services (for example, web, ftp,
email, dhcp, dns and so forth). This may or may not be the case.
Outgoing traffic can be also sanitized by firewalls for services that
have possibly been exploited. This helps prevent sensitive data leakage,
spam attacks to other networks, DoS attacks to various target networks
and so forth.
Comments?
While low-level protective infrastructure such as firewalls do not solve
all security issues in regard to Semantic Web applications, I believe
they have a role to play in applying the belt-and-braces approach to
security best practices.
Comments?
I have been searching earnestly for concrete documentation and
publications of the ongoing importance of firewalls in relation to the
Semantic Web paradigm but to no avail.
Anxiously awaiting your comments and pointers regarding the role of
existing security infrastructure (firewalls in particular) in regard to
the Semantic Web.
regards,
Will.
--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald
Received on Wednesday, 26 March 2008 14:07:00 UTC
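
The policy sketched in the message (deny some nodes, plain HTTP from selected nodes only, HTTPS for everyone else, proxied HTTP on another port, and restricted outgoing traffic) can be written as a Netfilter ruleset. This is an added example, not part of the original message; the addresses, the proxy port 8080 and the `gen_rules` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset; it changes nothing itself.
# All addresses are constructed samples from the RFC 5737 documentation ranges.
DENY_NODES="203.0.113.66"      # nodes refused on every port
HTTP_NODES="192.0.2.0/24"      # nodes allowed plain HTTP (port 80)
PROXY_NODES="198.51.100.10"    # nodes allowed to reach the proxied-HTTP port
PROXY_PORT=8080                # assumed alternate port carrying proxied HTTP

rule() { printf '%s\n' "$1"; }

gen_rules() {
    new="-m conntrack --ctstate NEW -j ACCEPT"
    rule "*filter"
    # Default-deny in every chain: anything not matched below is dropped.
    rule ":INPUT DROP [0:0]"
    rule ":FORWARD DROP [0:0]"
    rule ":OUTPUT DROP [0:0]"
    rule "-A INPUT -i lo -j ACCEPT"
    # Denied nodes come first so no later ACCEPT rule can match them.
    for n in $DENY_NODES; do
        rule "-A INPUT -s $n -j DROP"
    done
    rule "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Plain HTTP only from the listed nodes.
    for n in $HTTP_NODES; do
        rule "-A INPUT -s $n -p tcp --dport 80 $new"
    done
    # Proxied HTTP on the alternate port only from the listed nodes.
    for n in $PROXY_NODES; do
        rule "-A INPUT -s $n -p tcp --dport $PROXY_PORT $new"
    done
    # Every other node finds port 80 dropped by policy and must use HTTPS.
    rule "-A INPUT -p tcp --dport 443 $new"
    # Egress: replies to accepted connections only, so an exploited service
    # cannot open new outbound connections (assumes the host needs none).
    rule "-A OUTPUT -o lo -j ACCEPT"
    rule "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    rule "COMMIT"
}

# Print the ruleset. To syntax-check it without loading:
#   gen_rules | iptables-restore --test
gen_rules
```

A host that also runs other services (DNS, mail and so on, as the message notes) would need matching INPUT and OUTPUT rules added before this ruleset is loaded.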