Does anyone make a secure web server?

Does anyone make a secure web server?

Post by CHANGE username to weste » Tue, 10 Jul 2001 10:37:17



Having gotten truly sick of keeping up with Microsoft's IIS
security problems, I wanted to know does anyone make a secure web
server?   Since OpenBSD has the reputation of being the most
secure form of free UNIX available, I thought that this group
might have a good perspective on this question.

My requirements are fairly simple:

1) I want something that can handle a load of 50 concurrent users
of Java Dynamically generated pages (servlets) on a dual
processor Pentium II 550MHz box with 1 gig of physical memory.

2) I want to set it up and never have to think about security
again, or at least not very often, because the server should be
designed from the ground up with security in mind.

OpenBSD seems to fit that bill from the perspective of the OS.
Does anyone make a web server that is equally focused on security
as its primary selling point?

--
Will
Internet: westes at uscsw.com

PLEASE READ:  To reply, CHANGE the username to westes AT
uscsw.com

 
 
 

Does anyone make a secure web server?

Post by Yamcha66 » Tue, 10 Jul 2001 10:59:05


Apache is pretty good. It can be set up to be very secure if you know the
tricks. Plus its stable.
http://www.apache.org

Yamcha
http://www.fajet.com



Quote:> Having gotten truly sick of keeping up with Microsoft's IIS
> security problems, I wanted to know does anyone make a secure web


 
 
 

Does anyone make a secure web server?

Post by Norm » Tue, 10 Jul 2001 11:09:49


When setup correctly, Apache can be extremely secure. Especially if
run as a non-root user which can be accomplished on Linux or *BSD
with various techniques. If is is also being run in a chroot environment
there is little chance for an exploit working, unless you*up.
The details of my setup are more complicated than I care to explain in
a news post, but it is possible.

http://www.veryComputer.com/

The most recent CERT advisory I can find is more than a year old. This
is extremely good in comparison to a lot of other software. 24 hits on
CERT and most are guides. 178 for bind.

http://www.veryComputer.com/

Norm.

http://www.veryComputer.com/


Quote:

> Having gotten truly sick of keeping up with Microsoft's IIS
> security problems, I wanted to know does anyone make a secure web
> server?   Since OpenBSD has the reputation of being the most
> secure form of free UNIX available, I thought that this group
> might have a good perspective on this question.

> My requirements are fairly simple:

> 1) I want something that can handle a load of 50 concurrent users
> of Java Dynamically generated pages (servlets) on a dual
> processor Pentium II 550MHz box with 1 gig of physical memory.

> 2) I want to set it up and never have to think about security
> again, or at least not very often, because the server should be
> designed from the ground up with security in mind.

> OpenBSD seems to fit that bill from the perspective of the OS.
> Does anyone make a web server that is equally focused on security
> as its primary selling point?

> --
> Will
> Internet: westes at uscsw.com

> PLEASE READ:  To reply, CHANGE the username to westes AT
> uscsw.com

--
I have watched kids testifying before Congress. It is clear that they
are completely unaware of the seriousness of their acts. There is
obviously a cultural gap. The act of breaking into a computer system
has to have the same social stigma as breaking into a neighbor's house.
It should not matter that the neighbor's door is unlocked. The press
must learn that misguided use of a computer is no more amazing than
drunk driving of an automobile.

Ken Thompson Sept. 1995 ACM



 
 
 

Does anyone make a secure web server?

Post by H C » Tue, 10 Jul 2001 11:18:28


Why not simply follow some common sense rules in configuring your IIS?
Disable
all unnecessary functionality...like unmapping unnecessary script maps.

Quote:> Having gotten truly sick of keeping up with Microsoft's IIS
> security problems, I wanted to know does anyone make a secure web
> server?   Since OpenBSD has the reputation of being the most
> secure form of free UNIX available,

OpenBSD isn't a web server.

Quote:> I thought that this group
> might have a good perspective on this question.

You cross posted to a bunch of non-*BSD 'groups, too.

Quote:> 2) I want to set it up and never have to think about security
> again, or at least not very often, because the server should be
> designed from the ground up with security in mind.

Most are, but even web servers are complex programs.  The real issue is
that
your whole approach to security is wrong....security is a process, not a
static
event.

Besides, even if you use OpenBSD and a compatible web server, if you
don't
configure it properly, you'll have problems.  Why not simply put the
effort into
configuring what you've already got?

 
 
 

Does anyone make a secure web server?

Post by CHANGE username to weste » Tue, 10 Jul 2001 12:04:07


Well, you know, if you "know the tricks" you can make almost
anything secure.   The point is I want something that is secure
out of the box, and optimally which has features that are geared
toward security specifically.

For example, a web server could provide a tool to create a binary
image database of all static input files for a web site,
encrypted using some kind of public key encryption system.   As
long as both keys aren't on the server, there is very little
chance that an intruder is going to be able to alter or even read
any of those files.

I guess I'm just feeling that there are only so many hours in
each day, and do I want to spend the rest of my life "learning
tricks" to make software safe to use?   The whole point of
OpenBSD was to build the "tricks" into the box and make it secure
by default.   I want a web server built in the same spirit.

--
Will
Internet: westes at uscsw.com

PLEASE READ:  To reply, CHANGE the username to westes AT
uscsw.com


> When setup correctly, Apache can be extremely secure.
Especially if
> run as a non-root user which can be accomplished on Linux or
*BSD
> with various techniques. If is is also being run in a chroot
environment
> there is little chance for an exploit working, unless you*
up.
> The details of my setup are more complicated than I care to
explain in
> a news post, but it is possible.

> http://www.veryComputer.com/

> The most recent CERT advisory I can find is more than a year
old. This
> is extremely good in comparison to a lot of other software. 24
hits on
> CERT and most are guides. 178 for bind.

> http://www.veryComputer.com/

> Norm.

> http://www.veryComputer.com/


> > Having gotten truly sick of keeping up with Microsoft's IIS
> > security problems, I wanted to know does anyone make a secure
web
> > server?   Since OpenBSD has the reputation of being the most
> > secure form of free UNIX available, I thought that this group
> > might have a good perspective on this question.

> > My requirements are fairly simple:

> > 1) I want something that can handle a load of 50 concurrent
users
> > of Java Dynamically generated pages (servlets) on a dual
> > processor Pentium II 550MHz box with 1 gig of physical
memory.

> > 2) I want to set it up and never have to think about security
> > again, or at least not very often, because the server should
be
> > designed from the ground up with security in mind.

> > OpenBSD seems to fit that bill from the perspective of the
OS.
> > Does anyone make a web server that is equally focused on
security
> > as its primary selling point?

> > --
> > Will
> > Internet: westes at uscsw.com

> > PLEASE READ:  To reply, CHANGE the username to westes AT
> > uscsw.com

> --
> I have watched kids testifying before Congress. It is clear
that they
> are completely unaware of the seriousness of their acts. There
is
> obviously a cultural gap. The act of breaking into a computer
system
> has to have the same social stigma as breaking into a
neighbor's house.
> It should not matter that the neighbor's door is unlocked. The
press
> must learn that misguided use of a computer is no more amazing
than
> drunk driving of an automobile.

> Ken Thompson Sept. 1995 ACM




 
 
 

Does anyone make a secure web server?

Post by wej37 » Tue, 10 Jul 2001 12:19:33



: 2) I want to set it up and never have to think about security
: again, or at least not very often, because the server should be
: designed from the ground up with security in mind.

If you don't think about security again, whatever you use will
probably end up unsecure.

Installing a secure OS is a good start, but it is not a golden
bullet.  There is no golden bullet.

Eric Johnson

 
 
 

Does anyone make a secure web server?

Post by BigDo » Tue, 10 Jul 2001 14:10:44


Security is only found through viligence of setup and upkeep on patches,
warnings and problems...there really isn't a shortcut for that that leaves
you truly secure.

BigDog



> Well, you know, if you "know the tricks" you can make almost
> anything secure.   The point is I want something that is secure
> out of the box, and optimally which has features that are geared
> toward security specifically.

> For example, a web server could provide a tool to create a binary
> image database of all static input files for a web site,
> encrypted using some kind of public key encryption system.   As
> long as both keys aren't on the server, there is very little
> chance that an intruder is going to be able to alter or even read
> any of those files.

> I guess I'm just feeling that there are only so many hours in
> each day, and do I want to spend the rest of my life "learning
> tricks" to make software safe to use?   The whole point of
> OpenBSD was to build the "tricks" into the box and make it secure
> by default.   I want a web server built in the same spirit.

> --
> Will
> Internet: westes at uscsw.com

> PLEASE READ:  To reply, CHANGE the username to westes AT
> uscsw.com



> > When setup correctly, Apache can be extremely secure.
> Especially if
> > run as a non-root user which can be accomplished on Linux or
> *BSD
> > with various techniques. If is is also being run in a chroot
> environment
> > there is little chance for an exploit working, unless you*
> up.
> > The details of my setup are more complicated than I care to
> explain in
> > a news post, but it is possible.

> > http://www.veryComputer.com/

> > The most recent CERT advisory I can find is more than a year
> old. This
> > is extremely good in comparison to a lot of other software. 24
> hits on
> > CERT and most are guides. 178 for bind.

> > http://www.veryComputer.com/

> > Norm.

> > http://www.veryComputer.com/


> > > Having gotten truly sick of keeping up with Microsoft's IIS
> > > security problems, I wanted to know does anyone make a secure
> web
> > > server?   Since OpenBSD has the reputation of being the most
> > > secure form of free UNIX available, I thought that this group
> > > might have a good perspective on this question.

> > > My requirements are fairly simple:

> > > 1) I want something that can handle a load of 50 concurrent
> users
> > > of Java Dynamically generated pages (servlets) on a dual
> > > processor Pentium II 550MHz box with 1 gig of physical
> memory.

> > > 2) I want to set it up and never have to think about security
> > > again, or at least not very often, because the server should
> be
> > > designed from the ground up with security in mind.

> > > OpenBSD seems to fit that bill from the perspective of the
> OS.
> > > Does anyone make a web server that is equally focused on
> security
> > > as its primary selling point?

> > > --
> > > Will
> > > Internet: westes at uscsw.com

> > > PLEASE READ:  To reply, CHANGE the username to westes AT
> > > uscsw.com

> > --
> > I have watched kids testifying before Congress. It is clear
> that they
> > are completely unaware of the seriousness of their acts. There
> is
> > obviously a cultural gap. The act of breaking into a computer
> system
> > has to have the same social stigma as breaking into a
> neighbor's house.
> > It should not matter that the neighbor's door is unlocked. The
> press
> > must learn that misguided use of a computer is no more amazing
> than
> > drunk driving of an automobile.

> > Ken Thompson Sept. 1995 ACM




 
 
 

Does anyone make a secure web server?

Post by Norm » Tue, 10 Jul 2001 14:51:42


I see your point. Nonetheless the MS promise of put in
a CD, click OK and everything will be fine is a pipe
dream. If a one-size fits all OS is right for you,
then great. It just doesn't work for me.

The price of freedom is eternal vigilance.
        Thomas Jefferson.

For the best chance of success, OpenBSD and Apache is a
good choice with a minimal install and no other services
running. There are a lot of easy mistakes to make and
the shear size and flexibility of UNIX systems makes them
complicated, and sometimes, difficult to administer.
I have not installed OpenBSD, but do run FreeBSD, and
I assume it has an *security install option, which
would likely set the system up to be fairly secure.
Nonetheless, every system needs to have a well thought
out security policy which outlines the risks and takes
measures to reduce those risks without being overly
intrusive. My security policy is extremely intrusive and
I would not recommend it for most corporate environments
since my users would constantly object. The trick is
to not be overly intrusive while still maintaining the
security of the system.

Learning Security on the Internet is like learning to
drive during the Indianapolis 500.

A poorly administered UNIX box is not any more secure
than a poorly administered MS box. Finding buffer over
flows on MS is actually more difficult since you do
not have the source to analyze and the way it is organized
is goofy.

http://www.veryComputer.com/~jzhou/security/overflow.html

I hope the world switches to UNIX + Apache that way maybe
I won't need do much disk space for IDS logs of IIS
attacks.

21:35:15 -0700 07/06/2001 211.53.210.94:2601  -> XX.XX.XXX.XX:80
TCP V 4 IHL 5 TOS 0 Length 151 Ident 12618 TTL 111 Checksum 14143
DF  SN=938727855 AN=2176162604 W=8760 18 ACK PSH
00 E0 29 87 F8 C4 00 50 54 61 34 A8 08 00 45 00 ..)....PTa4...E.

XX XX 0A 29 00 50 37 F3 D9 AF 81 B5 9B 2C 50 18 .5.).P7......,P.
22 38 FC C4 00 00 47 45 54 20 2F 73 63 72 69 70 "8....GET /scrip
74 73 2F 2E 2E 25 63 30 25 61 66 2E 2E 2F 77 69 ts/..%c0%af../wi
6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 nnt/system32/cmd
2E 65 78 65 3F 2F 63 2B 63 6F 70 79 2B 63 3A 5C .exe?/c+copy+c:\
77 69 6E 6E 74 5C 73 79 73 74 65 6D 33 32 5C 63 winnt\system32\c
6D 64 2E 65 78 65 2B 63 3A 5C 69 6E 65 74 70 75 md.exe+c:\inetpu
62 5C 73 63 72 69 70 74 73 5C 73 68 65 6C 6C 2E b\scripts\shell.
65 78 65 0D 0A                                  exe..

I wish the best of luck and recommend keeping things simple
until you can gain the skills you need.


> Well, you know, if you "know the tricks" you can make almost
> anything secure.   The point is I want something that is secure
> out of the box, and optimally which has features that are geared
> toward security specifically.

> For example, a web server could provide a tool to create a binary
> image database of all static input files for a web site,
> encrypted using some kind of public key encryption system.   As
> long as both keys aren't on the server, there is very little
> chance that an intruder is going to be able to alter or even read
> any of those files.

> I guess I'm just feeling that there are only so many hours in
> each day, and do I want to spend the rest of my life "learning
> tricks" to make software safe to use?   The whole point of
> OpenBSD was to build the "tricks" into the box and make it secure
> by default.   I want a web server built in the same spirit.

> --
> Will
> Internet: westes at uscsw.com

> PLEASE READ:  To reply, CHANGE the username to westes AT
> uscsw.com



> > When setup correctly, Apache can be extremely secure.
> Especially if
> > run as a non-root user which can be accomplished on Linux or
> *BSD
> > with various techniques. If is is also being run in a chroot
> environment
> > there is little chance for an exploit working, unless you*
> up.
> > The details of my setup are more complicated than I care to
> explain in
> > a news post, but it is possible.

> > http://www.veryComputer.com/

> > The most recent CERT advisory I can find is more than a year
> old. This
> > is extremely good in comparison to a lot of other software. 24
> hits on
> > CERT and most are guides. 178 for bind.

> > http://www.veryComputer.com/

> > Norm.

> > http://www.veryComputer.com/


> > > Having gotten truly sick of keeping up with Microsoft's IIS
> > > security problems, I wanted to know does anyone make a secure
> web
> > > server?   Since OpenBSD has the reputation of being the most
> > > secure form of free UNIX available, I thought that this group
> > > might have a good perspective on this question.

> > > My requirements are fairly simple:

> > > 1) I want something that can handle a load of 50 concurrent
> users
> > > of Java Dynamically generated pages (servlets) on a dual
> > > processor Pentium II 550MHz box with 1 gig of physical
> memory.

> > > 2) I want to set it up and never have to think about security
> > > again, or at least not very often, because the server should
> be
> > > designed from the ground up with security in mind.

> > > OpenBSD seems to fit that bill from the perspective of the
> OS.
> > > Does anyone make a web server that is equally focused on
> security
> > > as its primary selling point?

> > > --
> > > Will
> > > Internet: westes at uscsw.com

> > > PLEASE READ:  To reply, CHANGE the username to westes AT
> > > uscsw.com

> > --
> > I have watched kids testifying before Congress. It is clear
> that they
> > are completely unaware of the seriousness of their acts. There
> is
> > obviously a cultural gap. The act of breaking into a computer
> system
> > has to have the same social stigma as breaking into a
> neighbor's house.
> > It should not matter that the neighbor's door is unlocked. The
> press
> > must learn that misguided use of a computer is no more amazing
> than
> > drunk driving of an automobile.

> > Ken Thompson Sept. 1995 ACM




--
I have watched kids testifying before Congress. It is clear that they
are completely unaware of the seriousness of their acts. There is
obviously a cultural gap. The act of breaking into a computer system
has to have the same social stigma as breaking into a neighbor's house.
It should not matter that the neighbor's door is unlocked. The press
must learn that misguided use of a computer is no more amazing than
drunk driving of an automobile.

Ken Thompson Sept. 1995 ACM



 
 
 

Does anyone make a secure web server?

Post by Marc Esp » Tue, 10 Jul 2001 19:28:07



>Installing a secure OS is a good start, but it is not a golden
>bullet.  There is no golden bullet.

The common expression is `silver bullet', for obvious reasons.
 
 
 

Does anyone make a secure web server?

Post by lbudney-use.. » Tue, 10 Jul 2001 22:31:55




>> Installing a secure OS is a good start, but it is not a golden
>> bullet.  There is no golden bullet.

> The common expression is `silver bullet', for obvious reasons.

Only obvious in the context of European (or American) culture. Americans
connect ``silver bullets'' with the Lone Ranger, a radio-show cowboy who
shot the bad guys with silver bullets. Europeans probably think first of
werewolves, which reportedly can by killed only using silver bullets.

Since wej3715 sounds like a Chinese name to me, the poster might not be
aware of this particular mythical tradition.

--Len.

--
Frugal Tip #29:
Every other day put your shoes on the wrong feet so that they wear
more evenly.

 
 
 

Does anyone make a secure web server?

Post by Keith W. McCammo » Tue, 10 Jul 2001 22:33:22


This is going to be really bad news, but...

You have to patch BSD too!  You have to patch just about everything at some
point.  Plus, slack administration (permissions, log audits, etc.) is as
much to blame for most compromises as the OS/server itself.

However, something like Stronghold or Apache will certainly cause you less
headache *once you've set it up correctly.*  They're both extremely stable
and extremely secure web environments, and although you're still going to
have to patch them at some point, you should get a lot more mileage out of
them in the meantime.

two cents...

--
Keith W. McCammon
Sr. Network Engineer
DynCorp HITS



> Well, you know, if you "know the tricks" you can make almost
> anything secure.   The point is I want something that is secure
> out of the box, and optimally which has features that are geared
> toward security specifically.

> For example, a web server could provide a tool to create a binary
> image database of all static input files for a web site,
> encrypted using some kind of public key encryption system.   As
> long as both keys aren't on the server, there is very little
> chance that an intruder is going to be able to alter or even read
> any of those files.

> I guess I'm just feeling that there are only so many hours in
> each day, and do I want to spend the rest of my life "learning
> tricks" to make software safe to use?   The whole point of
> OpenBSD was to build the "tricks" into the box and make it secure
> by default.   I want a web server built in the same spirit.

> --
> Will
> Internet: westes at uscsw.com

> PLEASE READ:  To reply, CHANGE the username to westes AT
> uscsw.com



> > When setup correctly, Apache can be extremely secure.
> Especially if
> > run as a non-root user which can be accomplished on Linux or
> *BSD
> > with various techniques. If is is also being run in a chroot
> environment
> > there is little chance for an exploit working, unless you*
> up.
> > The details of my setup are more complicated than I care to
> explain in
> > a news post, but it is possible.

> > http://www.veryComputer.com/

> > The most recent CERT advisory I can find is more than a year
> old. This
> > is extremely good in comparison to a lot of other software. 24
> hits on
> > CERT and most are guides. 178 for bind.

> > http://www.veryComputer.com/

> > Norm.

> > http://www.veryComputer.com/


> > > Having gotten truly sick of keeping up with Microsoft's IIS
> > > security problems, I wanted to know does anyone make a secure
> web
> > > server?   Since OpenBSD has the reputation of being the most
> > > secure form of free UNIX available, I thought that this group
> > > might have a good perspective on this question.

> > > My requirements are fairly simple:

> > > 1) I want something that can handle a load of 50 concurrent
> users
> > > of Java Dynamically generated pages (servlets) on a dual
> > > processor Pentium II 550MHz box with 1 gig of physical
> memory.

> > > 2) I want to set it up and never have to think about security
> > > again, or at least not very often, because the server should
> be
> > > designed from the ground up with security in mind.

> > > OpenBSD seems to fit that bill from the perspective of the
> OS.
> > > Does anyone make a web server that is equally focused on
> security
> > > as its primary selling point?

> > > --
> > > Will
> > > Internet: westes at uscsw.com

> > > PLEASE READ:  To reply, CHANGE the username to westes AT
> > > uscsw.com

> > --
> > I have watched kids testifying before Congress. It is clear
> that they
> > are completely unaware of the seriousness of their acts. There
> is
> > obviously a cultural gap. The act of breaking into a computer
> system
> > has to have the same social stigma as breaking into a
> neighbor's house.
> > It should not matter that the neighbor's door is unlocked. The
> press
> > must learn that misguided use of a computer is no more amazing
> than
> > drunk driving of an automobile.

> > Ken Thompson Sept. 1995 ACM




 
 
 

Does anyone make a secure web server?

Post by Gandalf Parke » Wed, 11 Jul 2001 01:50:07



Quote:> Having gotten truly sick of keeping up with Microsoft's IIS
> security problems, I wanted to know does anyone make a secure web
> server?   Since OpenBSD has the reputation of being the most
> secure form of free UNIX available, I thought that this group
> might have a good perspective on this question.

I dont use them myself but for alot of reasons a MAC might be your best
bet.
They have a great security record, they have the least number of
exploits available at any cracker download site, they are easy to
maintain.

Of course anything CAN be made secure. Part of a Mac advantage is that
fewer people use it, therefore fewer people are trying to figure out
ways of cracking it.
But then thats a disadvantage also in trying to find someone to run it
for you or answer questions on it. It should serve your needs though.

Gandalf  Parker
If you ask a guru what operating system, they will tell you them most
irritating one they know. To be a guru requires an irritating operating
system.

 
 
 

Does anyone make a secure web server?

Post by CHANGE username to weste » Wed, 11 Jul 2001 02:21:29


I don't want to engage in pointless "my OS is better performing
than your OS" discussions because this is supposed to be a
security thread about web servers, not OS.   But you didn't
research that remark well.  Windows 2000 has a number of very low
I/O primitives, such as support for asynchronous network and file
I/O, and extraordinary multiprocessor support up to 8 processors
(the 32-processor support is still weak).   Using I/O completion
ports all I/O events can be serviced in a completely asynchronous
fashion by a minimal number of threads, thereby minimizing
context switches and optimizing workflow.   You can't seriously
compare FreeBSD to that, because it doesn't support huge numbers
of processors as well, and it doesn't include as mature
asynchronous I/O.

And our company's own work with many UNIX variants and Windows
2000 on high performance servers suggest that there may be many
reasons to hate Windows 2000, but performance is NOT one of them.
For an application that lends itself to a purely asynchronous
operation, like serving static web pages, nothing is going to go
faster than a well designed Windows 2000 application.  Just from
an OS theory perspective, you cannot do better than a couple of
threads servicing 1000 concurrent connections, and never blocking
on any I/O operation.    Any OS that can do that is going to be
blazing fast, and I don't care whether it calls itself NT or
UNIX.

Where Windows 2000 has a real weak spot is its internal
complexity.   Unlike UNIX, which can be internally understood,
and whose administration can be simplified, Windows contains a
number of features that make it inherently complex and almost
impossible to fully understand even if you are a guru.   The
registry, for example, succeeds is making such an interwoven set
of dependencies between so many different layers of the OS,
system applications, and user applications, that it becomes
almost impossible to understand all of the side effects from
shutting down services that you don't think your application
needs.

What I like about UNIX is the idea that I can follow a clear and
simple set of guidelines for securing an application, such as:

- Do not run the web server as root;
- Do not give read/write access to the web server's static web
pages to the userid that runs the web server,
- Do not run any other services on the box (except for secure
ones like SSH)
- Make sure the rest of the file system is secured.

You want to emulate such practices on Windows 2000 as well, but
its internal complexity constantly hampers your attempts to do
that.    If you start to do the above, IIS starts to break
because it wants access to many different keys in the registry,
none of which are well documented.   You start shutting off
services, and now all of the basic administration GUI tools stop
working.   You shut off different parts of Windows 2000
networking, and the next time you go to apply a service patch it
fails because the patch assumed basic services would always be
running.

It just becomes an endless twine of detail, and it serves no
purpose other than to prove than Windows 2000 is hugely complex
undertaking of dozens of different teams, and that the system's
underlying principles were more around "how do we make all of
these things work together and work at all" and not "how can we
make it simple for people to reconfigure these services and
deploy them individually or in small groups of services."

At very least, I'm feeling that the registry as it was designed
is an abomination, and one of the most grotesque pieces of
engineering I've ever seen.   The irony of the registry is that
it was selected over the use of individual application files
primarily so that you could secure access to individual registry
keys rather secure access to config files at the file system
level.   But the size and disorganization of the beast has the
opposite effect.   Very few people understand where all of its
parts extend, and you become afraid to secure anything, because
ultimately you end up breaking other things.

I'm feeling a need to make life simple, or at least more simple.

--
Will
Internet: westes at uscsw.com

PLEASE READ:  To reply, CHANGE the username to westes AT
uscsw.com



> : >1) I want something that can handle a load of 50 concurrent
users
> : >of Java Dynamically generated pages (servlets) on a dual
> : >processor Pentium II 550MHz box with 1 gig of physical
memory.
> :
> : I don't think OpenBSD can use the second processor.

> But getting rid of NT and you might get better performance out
> of OpenBSD and one processor than with NT and two processors.

> Eric Johnson

 
 
 

Does anyone make a secure web server?

Post by BigDo » Wed, 11 Jul 2001 03:52:12


Technically it is SUPPOSED to be a thread regarding firewalls, but you
crossposted it into the wrong group.

BigDog



> I don't want to engage in pointless "my OS is better performing
> than your OS" discussions because this is supposed to be a
> security thread about web servers, not OS.   But you didn't
> research that remark well.  Windows 2000 has a number of very low
> I/O primitives, such as support for asynchronous network and file
> I/O, and extraordinary multiprocessor support up to 8 processors
> (the 32-processor support is still weak).   Using I/O completion
> ports all I/O events can be serviced in a completely asynchronous
> fashion by a minimal number of threads, thereby minimizing
> context switches and optimizing workflow.   You can't seriously
> compare FreeBSD to that, because it doesn't support huge numbers
> of processors as well, and it doesn't include as mature
> asynchronous I/O.

> And our company's own work with many UNIX variants and Windows
> 2000 on high performance servers suggest that there may be many
> reasons to hate Windows 2000, but performance is NOT one of them.
> For an application that lends itself to a purely asynchronous
> operation, like serving static web pages, nothing is going to go
> faster than a well designed Windows 2000 application.  Just from
> an OS theory perspective, you cannot do better than a couple of
> threads servicing 1000 concurrent connections, and never blocking
> on any I/O operation.    Any OS that can do that is going to be
> blazing fast, and I don't care whether it calls itself NT or
> UNIX.

> Where Windows 2000 has a real weak spot is its internal
> complexity.   Unlike UNIX, which can be internally understood,
> and whose administration can be simplified, Windows contains a
> number of features that make it inherently complex and almost
> impossible to fully understand even if you are a guru.   The
> registry, for example, succeeds is making such an interwoven set
> of dependencies between so many different layers of the OS,
> system applications, and user applications, that it becomes
> almost impossible to understand all of the side effects from
> shutting down services that you don't think your application
> needs.

> What I like about UNIX is the idea that I can follow a clear and
> simple set of guidelines for securing an application, such as:

> - Do not run the web server as root;
> - Do not give read/write access to the web server's static web
> pages to the userid that runs the web server,
> - Do not run any other services on the box (except for secure
> ones like SSH)
> - Make sure the rest of the file system is secured.

> You want to emulate such practices on Windows 2000 as well, but
> its internal complexity constantly hampers your attempts to do
> that.    If you start to do the above, IIS starts to break
> because it wants access to many different keys in the registry,
> none of which are well documented.   You start shutting off
> services, and now all of the basic administration GUI tools stop
> working.   You shut off different parts of Windows 2000
> networking, and the next time you go to apply a service patch it
> fails because the patch assumed basic services would always be
> running.

> It just becomes an endless twine of detail, and it serves no
> purpose other than to prove than Windows 2000 is hugely complex
> undertaking of dozens of different teams, and that the system's
> underlying principles were more around "how do we make all of
> these things work together and work at all" and not "how can we
> make it simple for people to reconfigure these services and
> deploy them individually or in small groups of services."

> At very least, I'm feeling that the registry as it was designed
> is an abomination, and one of the most grotesque pieces of
> engineering I've ever seen.   The irony of the registry is that
> it was selected over the use of individual application files
> primarily so that you could secure access to individual registry
> keys rather secure access to config files at the file system
> level.   But the size and disorganization of the beast has the
> opposite effect.   Very few people understand where all of its
> parts extend, and you become afraid to secure anything, because
> ultimately you end up breaking other things.

> I'm feeling a need to make life simple, or at least more simple.

> --
> Will
> Internet: westes at uscsw.com

> PLEASE READ:  To reply, CHANGE the username to westes AT
> uscsw.com




> > : >1) I want something that can handle a load of 50 concurrent
> users
> > : >of Java Dynamically generated pages (servlets) on a dual
> > : >processor Pentium II 550MHz box with 1 gig of physical
> memory.
> > :
> > : I don't think OpenBSD can use the second processor.

> > But getting rid of NT and you might get better performance out
> > of OpenBSD and one processor than with NT and two processors.

> > Eric Johnson

 
 
 

Does anyone make a secure web server?

Post by CHANGE username to weste » Wed, 11 Jul 2001 04:16:19


Since I was the original poster, and since the subject line says
web server, I guess I know the topic of the original post. :)

But there is a clear relationship to firewalls, because some
products add security to the web server by acting as a firewall
or filter and intercepting the HTTP stream and scanning it for
potential hacker tricks, then blocking those attempts to access
the web server.

--
Will
Internet: westes at uscsw.com

PLEASE READ:  To reply, CHANGE the username to westes AT
uscsw.com


Quote:> Technically it is SUPPOSED to be a thread regarding firewalls,
but you
> crossposted it into the wrong group.

 
 
 

1. question regarding securing web pages on an internal web server

I have just started using mod_auth to secure various web pages on our
intranet such that not all staff can see all pages.  The issue however is
how to best secure these same files from direct access in unix.  Currently
Apache runs as the user "nobody" which has no special permissions.
Therefore "nobody" can only server up files that have world read access
allowed.  To secure these files in unix, one would normally just tighten the
file permissions on said files and be done with it.  However, if we do this,
"nobody" cannot serve up these files to anyone, even if the user in question
has the proper permissions to view the pages based on mod_auth.  To fix
this, you would think that you could just change Apache to run as another
user (say "apache") with the same permissions as "nobody" but then add this
new user "apache" to the permission groups contolling the secured files.
The problem with this logic is that in our situation where there are lots of
files controlled by different departments, the affect of adding the new user
"apache" to this many groups means the user takes on far more power than one
might like, effectively coming closer to the scenario of runnig Apache as
"root" (which for obvious reasons one
would not want to do!).

What types of workarounds are there to this problem?  I was hoping for
something along the lines of suexec - does such a thing exist?  (As I
understand it, suexec is only for cgi scripts, not html, xls, doc, etc type
files...)  What do most companies do to resolve this situation?

If I have sent my inquiry to the wrong place, please tell me where I should
redirect it to.

Thanks in advance!

-Robin

2. egcs or gcc2.8.0 on FreeBSD2.2 stable

3. on making secure forms and databases on the WEB

4. How do I add a remote printer in AIX 4.3.1 ?

5. ANNOUNCE: Sioux, international secure web server

6. Dell Inspiron 4000 network combo not recognized

7. Secure Web Server

8. X, Mice, shared libraries, etc.

9. what's the different between RH Secure web Server and Apache+SSL?

10. Secure Web Server 2.0 Config, Please Help!

11. Building a secure web server using Apache and OpenSSL

12. Newbie trying to implement secure web server

13. Lotus Domino Web Server secure configuration.