- From: william fitzgerald <wfitzgerald@tssg.org>
- Date: Wed, 26 Mar 2008 12:25:28 +0000
- To: semantic-web@w3.org
Dear Semantic Web Experts,

How do you envision Semantic Web integrating with the existing underlying security infrastructure (in particular, Firewalls)?

It would appear to me (secure) Semantic Web applications, particularly those involving access control, are typically focused at the application-domain only, rather than taking a more holistic approach to also include the underlying infrastructure (for example, firewalls). As a result, infrastructure configurations may unintentionally hinder and prohibit the normal operation of the Semantic Web. Thus, the ideal firewall configuration is one that is aligned with the application supported by the system, that is, it permits valid semantic application traffic, and, preferably, no more and no less.

While the Semantic Web services may provide applications with security services, I am arguing that firewalls (network and application layer) still have a role to play in securing the infrastructure that hosts services. In particular as it is considered best practice to rely on multiple layers of security.

It is my assumption (possibly naive) that Semantic Web (coupled with Web Services) developers assume the underlying infrastructure is available. Also there seems to be a tendency to tunnel (for example SOAP) over http or https. From this point of view, Semantic Web developers may form the opinion that firewalls are redundant as they typically have ports 80 and 443 open. Maybe they are correct! Have you any comments?

My initial thoughts of deploying a network-level firewall, for example, Linux Netfilter, to protect a Semantic Web server or Semantic Web client is not simply about opening port 80 and/or 443 on the server for all traffic; one may wish to deny certain nodes (IP addresses, etc.), only accept HTTP traffic from some nodes, require other nodes to use HTTPS and also deal with HTTP traffic that is tunneled through proxies available on other ports.

Of course it's much easier to argue a case for application level firewalls, in particular xml-firewalls, but as I have stated earlier coarse-grained access control at lower layers is also required.

Another point I would like to make is there often seems to be an assumption that semantic web services are executed on dedicated bastion hosts that do not execute any other services (for example, web, ftp, email, dhcp, dns and so forth). This may or may not be the case.

Outgoing traffic can be also sanitized by firewalls for services that have possibly been exploited. This helps prevent sensitive data leakage, spam attacks to other networks, DoS attacks to various target networks and so forth. Comments?

While low-level protective infrastructure such as firewalls do not solve all security issues in regard to Semantic Web applications, I believe they have a role to play in applying the belt-and-braces approach to security best practices. Comments?

I have been searching earnestly for concrete documentation and publications of the ongoing importance of firewalls in relation to the Semantic Web paradigm but to no avail.

Anxiously awaiting your comments and pointers regarding the role of existing security infrastructure (firewalls in particular) in regard to the Semantic Web.

regards,
Will.

--
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus, Carriganore, Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
www.linkedin.com/in/williamfitzgerald
www.ryze.com/go/wfitzgerald

Received on Wednesday, 26 March 2008 14:07:00 UTC
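
The Netfilter policy the message sketches (deny some nodes, plain HTTP from some, HTTPS for the rest, proxied HTTP on another port, restricted egress), written out as an added example that is not part of the original message. The addresses (RFC 5737 documentation ranges), the proxy port 8080 and the function name `build_ruleset` are constructed assumptions.

```shell
#!/bin/sh
# Added illustration: emits an iptables-restore ruleset for the policy
# sketched in the message. All addresses and the proxy port are constructed
# samples, not values from the message.
DENY_NODES="203.0.113.66"     # nodes refused outright
HTTP_NODES="192.0.2.0/24"     # nodes allowed plain HTTP
PROXY_NODES="198.51.100.10"   # proxies allowed to reach PROXY_PORT
PROXY_PORT=8080

build_ruleset() {
    echo "*filter"
    # Default-deny in every direction: only what is listed below passes.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Denied nodes come first so no later ACCEPT, including the
    # ESTABLISHED rule, can match their traffic.
    for n in $DENY_NODES; do
        echo "-A INPUT -s $n -j DROP"
    done
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Plain HTTP only from the listed nodes.
    for n in $HTTP_NODES; do
        echo "-A INPUT -p tcp -s $n --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Every other node has to use HTTPS.
    echo "-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    # HTTP arriving through proxies on another port, from known proxies only.
    for n in $PROXY_NODES; do
        echo "-A INPUT -p tcp -s $n --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Egress: replies to accepted connections only, so an exploited service
    # cannot open new outbound connections. Outbound DNS, NTP or update
    # traffic the host needs would be added here explicitly.
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "COMMIT"
}

# Print the ruleset for review; loading it with iptables-restore needs root.
build_ruleset
```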