Note: this post is a ramble with no solutions at all; I'm just bitching/rambling, whatever you want to call it. Hell, it's my blog, I'll write what I please :)
There’s an interesting trend in the formerly “Gospel” OSI virtual model for the way computers talk…
It used to be that the application layer was sacred and didn't violate lower-level protocols. When I say that, I mean that when you talked on TCP port 80 (i.e. your IP packet was tagged with 80 in its TCP header) to a web server, you talked RFC HTTP lingo: the server understood your requests, your browser understood the responses, etc.
Now, the “web application layer” has become the new virtual transport layer. We have decreased the overall exposure from the packet-byte perspective, taken advantage of the proliferation of web-based “thin-client” applications, and we are now building client-server applications that transcend the browser-server barrier and utilize embedded or installed client applications, mirroring a more legacy client-server deployment strategy.
What comes immediately to mind is the .NET “Smart Client” technology (http://msdn.microsoft.com/en-us/library/ms998468.aspx), which is getting some increased discussion on some popular webappsec forums…
Basically, the technology utilizes web services technologies over HTTP to facilitate what looks more like legacy client-server technology. This scares me a little in terms of the widespread adoption of "web-enabled" technology.
If we take the standard user-available browser out of the picture and require a client technology, what have we really achieved here, except taking an already overly exploited protocol and basing our future on it?
So, let's close all of our firewalls except for web traffic on TCP ports 80 and 443 (sometimes 81, 8080 and others) and run all of our applications over these few ports. We haven't closed the gap, we haven't solved anything; we've just made the virtual model of understanding IP communications more consolidated into the old "application layer" of the old, old, old OSI model. (I'm not sure, but I think the "O" in OSI meant "OLD"....)
Like I said at the beginning of this post, I'm just rambling/bitching/whatever. It's my blog.