Firewall Wizards mailing list archives

Re: Application-level Attacks
From: Crispin Cowan <crispin () immunix com>
Date: Sat, 29 Jan 2005 11:02:49 -0800

Marcus J. Ranum wrote:

So, I guess what I am saying is that, in Marcus-land, almost all
attacks are application level. :)   They always have been.
This assertion begs the question of "what is an application".

I'm sympathetic to this argument. I have argued to my marketing dweebs :) that an "application" is everything that is not the kernel. That is the software person's perspective.

At the opposite extreme, the business perspective is that an "application" is stuff that you purchased or wrote to stick on top of your Red Hat or SuSE installation, i.e. an "application" is something that does not normally come with a distro.

Both of these views are extreme. I think that a sound case can be made that things like sshd, telnetd, and bind are really part of the OS and not "applications", even though they do not run in kernel space. Conversely, an argument can be made that things like Mozilla and OpenOffice are applications, even though they come with the distro.

What makes it tough to decide is gray-area programs like Apache and MySQL. Some would call them "applications", while others would call them "infrastructure" on top of which you place applications.

All of which, while interesting, is not the question I was trying to answer :) I'm looking for global epidemiological trends that would substantiate the conjecture that attacks are migrating from the OS end of the spectrum to the application end of the spectrum. This conjectured trend is independent of where you personally draw the line between "OS" and "application", unless you are MJR and they have all been applications since the dawn of time :)

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

