W3C home > Mailing lists > Public > semantic-web@w3.org > March 2008

Query: Semantic Web Alignment with the Underlying Security Infrastructure

From: william fitzgerald <wfitzgerald@tssg.org>
Date: Wed, 26 Mar 2008 12:25:28 +0000
Message-ID: <47EA40B8.50805@tssg.org>
To: semantic-web@w3.org

Dear Semantic Web Experts,

How do you envision Semantic Web integrating with the existing 
underlying security infrastructure (in particular, Firewalls).

It would appear to me (secure) Semantic Web applications, particularly 
those involving access control, are typically focused at the 
application-domain only, rather than taking a more holistic approach to 
also include the underlying infrastructure (for example, firewalls). As 
a result, infrastructure configurations may unintentionally hinder and 
prohibit the normal operation of the Semantic Web.

Thus, the ideal firewall configuration is one that is aligned with the 
application supported by the system, that is, it permits valid semantic 
application traffic, and, preferably, no more and no less.

While the Semantic Web services may provide applications with security 
services, I am arguing that firewalls (network and application layer) 
still have a role to play in securing the infrastructure that hosts 
services. In particular as it is considered best practice to rely on 
multiple layers of security.

It is my assumption (possibly naive) that Semantic Web (coupled with Web 
Services) developers assume the underlying infrastructure is available. 
Also there seems to be a tendency to tunnel (for example SOAP) over http 
or https. From this point of view, Semantic Web developers may form the 
opinion that firewalls are redundant as they typically have ports 80 and 
443 open. Maybe they are correct!

Have you any comments?

My initial thoughts of deploying a network-level firewall, for example, 
Linux Netfilter, to protect a Semantic Web server or Semantic Web client 
is not simply about opening port 80 and/or 443 on the server for all 
traffic; one may wish to deny certain nodes (IP addresses, etc.), only 
accept HTTP traffic from some nodes, require other nodes to use HTTPS 
and also deal with HTTP traffic that is tunneled through proxies 
available on other ports.

Of course its much easier to argue a case for application level 
firewalls in particular xml-firewalls but as I have stated earlier 
course grained access control at lower layers is also required.

Another point I would like to make is there often seems to be an 
assumption that semantic web services are executed on dedicated bastion 
hosts that do not execute any other services (for example, web, ftp, 
email, dhcp, dns and so forth). This may or may not be the case.

Outgoing traffic can be also sanitized by firewalls for services that 
have possibly been exploited. This helps prevent sensitive data leakage, 
spam attacks to other networks, DoS attacks to various target networks 
and so forth.


While low-level protective infrastructure such as firewalls do not solve 
all security issues in regard to Semantic Web applications, I believe 
they have a role to play in applying the belt-and-braces approach to 
security best practices.


I have been searching earnestly for concrete documentation and 
publications of the ongoing importance of firewalls in relation to the 
Semantic Web paradigm but to no avail.

Anxiously awaiting your comments and pointers regarding the role of 
existing security infrastructure (firewalls in particular) in regard to 
the Semantic Web.


William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org
Received on Wednesday, 26 March 2008 14:07:00 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 08:45:05 UTC