Thoughts on IIS Security vs Apache, Part 2

I got some interesting comments on my prior blog post, and since I started typing out a big essay in response, I figured I should just blog and link it instead. :-)

Question:

Hello, I have a subscription to Redmond magazine and wow, I can't believe I still remember the article about Apache and IIS since the issue dates back to April 2005. anywho...

https://mcpmag.com/images/0405red_F2Apache_chart1.jpg

That's how some companies run Apache: they run it like MS ISA, like the photo said, as a way to protect an IIS web server farm from the Internet.

It looks like Apache in front and IIS at the back of a more secure network is very common.

Forgot to add: if you'd like to read the article about using Apache as a front end, here is the link https://redmondmag.com/features/article.asp?EditorialsID=471&a=#findit

Answer:

Thanks for the URL.

At the risk of starting a flame war (I have never met the author nor know anything about him), I have to say that in my opinion, the RedmondMag.com URL that you posted is unfortunately trivially non-substantive. It simply and selectively rehashes a lot of the same words and rhetoric that have already been said over the past five years, spinning the selected information in favor of the author's "point" that "there may be 6 good reasons to consider introducing/switching to Apache".

I don't know about you, but I am a simple techie, so I have no secret agenda nor care about Media/Spin. I believe in "improving technology to improve people's lives", so I believe in elucidating and explaining facts and letting them speak for themselves. Of course, I am aware of the political process and how it tends to slander and destroy voices like mine, but hey, that is why I am in Technology and not Politics; the political process mostly turns me off, but that is a whole other topic for another time... :-)

Thus, I am going to voice and add my own commentary on the points from that aforementioned URL, against my better judgement (I would really rather focus on the facts and not this commentary/opinion stuff)...

So, here goes my first big attempt at this...

40 Million Websites cannot be Wrong

Actually, the author admits that many Apache websites are held in the hands of a small number of mass web Hosters.

I think that reality is probably closer to 1000 mass web Hosters vs Fortune 1000 companies, except that each Hoster puts thousands of sites per server while Fortune 1000 companies just put up their corporate site - so it looks like millions of websites "vote" for Apache vs far fewer sites voting for IIS. These are the votes that Netcraft counts, so you can see their concern with Port80's methodology.

In other words, I do not look at the raw numbers and think "40 million websites cannot be wrong." It is like a couple thousand people who control millions of "votes" - are those millions of votes really meaningful? Instead, I look at the number of entities that are pulling the strings BEHIND the numbers... and the competition there is a lot closer between Apache and IIS than what the numbers and media portray.

And with efforts like Shared Hosting Accelerator for IIS6, I think that the mass web Hosting landscape is finally under contention... so stay tuned.

I run Apache because it is Secure

If you have read my earlier blog entry, you should quickly realize that this sort of statement is vacuous. Security is not just about the Software; it also involves Configuration and Policy. With IIS6, the IIS team, in conjunction with the predecessor of the Microsoft Security Business Unit, went all-out on security to analyze, understand, and quantify security, and the IIS team methodically improved and applied all aspects of the learning.

I think the proof is in the pudding, and the numbers and results have proven the approach for IIS6. Now, the author acknowledges this with numbers from Secunia, but he seems to ignore the order of MAGNITUDE fewer vulnerabilities in IIS6 vs Apache 2.0.x over the same comparable period of time and calls it a "mixed bag." Huh? Isn't the latest and greatest supposed to represent the current state-of-the-art? Then why is Apache 2.x regressing against Apache 1.x?

Meanwhile, he neglects to mention that Apache is the most defaced and hacked web server platform in the world in recent years... mostly due to software running on top of Apache... which definitely does not prove his point. See how Spin works? Did my statement just support or detract from Apache security? Or did I do both? ;-)

Anyways, enough Spinning exercises... I think that all of the arguments simply reinforce the notion that secure Configuration is just as important as Software or Policy when it comes to overall "security." Thus, I would never heed statements such as "I run X because it is secure" or "X is more secure than Y" because those statements neglect the whole picture. Your system is as secure as the weakest link in the combination of Software, Configuration, and Policy.

More flamboyant readers may want to head over to Michael Howard's blog and read some of his past entries examining IIS/Apache security...

Customers run Apache in front of IIS to add a layer of Security

Once again, if you read my earlier blog entry, you should realize that this statement is also sketchy.

Running more code per request CANNOT make it more secure. Reducing the Attack Surface by introducing "layers" in your defenses, closing off ports and reducing exposed functionality CAN make it more secure.

Thus, putting web servers into a DMZ isolated from direct Internet access and then forwarding requests to it is a reasonable approach to improve security by layering and reducing Attack Surface, but these are general security concepts non-specific to Apache. Apache is simply one way to implement it. Simple Firewall plus URLScan can accomplish comparable goals with no extra hardware/system required. And with IIS6 on Windows Server 2003 SP1, it is all "built-in" with no extra cost.
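As an added illustration (not from the original post or from the RedmondMag article), here is a UrlScan.ini that applies the "reduce exposed functionality" idea described above: an allow-list of verbs and extensions, denied headers and URL sequences, and request size limits, so that anything outside what the site actually needs is rejected before it reaches application code. The specific verbs, extensions and limits are assumed values for a hypothetical ASP-plus-static-content site; a real deployment would derive them from what the application really uses.

```ini
; UrlScan.ini - assumed values for a hypothetical site, not a recommended default
[Options]
UseAllowVerbs=1            ; only verbs listed in [AllowVerbs] are accepted
UseAllowExtensions=1       ; only extensions listed in [AllowExtensions] are served
NormalizeUrlBeforeScan=1   ; decode/canonicalize the URL before applying rules
VerifyNormalization=1      ; reject requests that change when normalized twice
AllowHighBitCharacters=0   ; reject non-ASCII bytes in the URL
AllowDotInPath=0           ; reject URLs with a '.' in a directory segment
RemoveServerHeader=1       ; do not advertise the server product/version
EnableLogging=1            ; log rejected requests for detection/review
PerDayLogging=1
AllowLateScanning=0
UseFastPathReject=0
RejectResponseUrl=

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]
.asp
.htm
.html
.css
.js
.gif
.jpg
.png

[DenyUrlSequences]
..
./
\
:
%
&

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```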

Personally, I find this very amusing... because I don't know about you, but I find information and rationale more useful than Spin or anecdotes. I would rather enlighten you with the raw facts and digested rationale and let you make your own decisions, not spoon-feed you things that tell you how to think. :-)

Open Source "Costs" Less

Ok, this is standard rhetoric that has already been hashed over and over so I will not belabor the point. The general conclusions run something like:

  • Cost of acquisition is only part of the Total Cost of Ownership (TCO).
  • If you are already on *nix then moving to Linux on x86 is a viable cost-cutting move to take advantage of commodity hardware.
  • If you are on Windows then the migration really depends on your situation (though most of the time, TCO would favor Windows when you factor in things like training, support, migration, maintenance).

My instinct is to evaluate ALL your costs and stick with doing whatever you are most comfortable with.

For example, some people say that IIS5 and Windows 2000 security is too costly to maintain, so Apache/Linux has to be cheaper. Well, what is commonly forgotten is that both are systems that need to be securely configured and maintained... and if you did not know to do this for Windows 2000, you certainly will not magically start doing so on Linux. At this point, I am willing to bet that your new system will be similarly attacked and compromised (remember, security is more than just the Software)... so is your migration worth it? Or is it cheaper to identify and quantify HOW you are insecure and address that deficiency?

Long-time readers should know that I believe the best way to address an issue is to identify the root problem and address that; then, the instance problems usually take care of themselves. Addressing the root problem is usually the most direct, fastest, and cost-effective way to resolve an issue. Thus, if your issue is that you do not know how to securely maintain an OS/Platform, then the best solution is to learn how to do it - you can then repeat that success on any platform and truly free yourself from lock-in.

I know, I know, I am not appealing to your inner penguin to bash evil Microsoft, but bear with me. :-)

Heterogeneous Infrastructure is a Good Thing

This rhetoric sounds good on paper (i.e. homogeneous systems are fertile grounds for catastrophic attacks, so heterogeneity must be better), but say this to any IT Administrator for networks, applications, or databases who is worth his/her salt, and s/he will probably laugh hysterically at your suggestion. Heterogeneous infrastructure increases support costs, not to mention doubling/tripling the amount of education/learning involved in maintaining and CONFIGURING multiple systems (recall that secure Configuration is an aspect of overall system security). So, the end result is really muddled: your network may not fall to one attack, but are you really safer with multiple systems, each with their own seams and incompatibilities that give attackers more Attack Surface to penetrate and more headaches to you?

In my mind, it is better to stay with a homogeneous but COMPARTMENTALIZED infrastructure so that you keep the best benefits of homogeneous and heterogeneous systems at the same time. This way, you only have one system to learn, apply, and protect, and knowledge/skills easily scale across the entire infrastructure, but when it comes to dealing with intrusions, damage is limited to the affected compartment(s). Gee... Governments have been using this concept to protect Top Secret information for a long time; maybe the Public should consider adopting this approach when implementing security...

For example, a couple of IIS team members had a lively debate at TechEd 2005 with one customer who tenaciously defended his position of running his Web Services on multiple OS platforms, network stacks, and hardware switches simply because he did not want one single exploit to take down his entire system. Of course, the counterpoint revolved around the doubling of management, security, and configuration costs, not to mention twice the number of potential bugs in the combined system and the resulting LOWER reliability... but the notion of compartmentalized infrastructure really did not hit home. Sigh.

Another example: people nowadays like building security egg-shells - a single firewall separating the Internet from the Intranet and completely unprotected machines in the Intranet, because security can get in the way of productivity applications. Once you compromise the outer firewall, your internal, homogeneous environment is child's play.

Now, the solution should not be to introduce Solaris, Windows, Linux, and BSD machines to make the internal environment heterogeneous, because that just gives the Intranet administrator MORE and DIFFERENT things to learn and secure. In my mind, it is easier to stay with a homogeneous environment but make each internal machine more secure with a firewall, appropriate port/access policies, and maybe user policies that force users to log in and run as non-admin... so that even if the outer egg-shell is penetrated, attackers simply find more egg-shells underneath. In other words, you get more bang-for-the-buck by focusing on introducing security layers to compartmentalize the issue of homogeneity INSTEAD of the reflexive "heterogeneous infrastructure is a good thing."

Using Microsoft is lock-in and excludes other Platforms and Opportunities

Now, this is just BS... Java runs well on Windows and is supported by IIS. Microsoft is actually banned by Sun from providing such a plugin for you (remember, there was a certain lawsuit on this...), so you have to use third party plugins to do it. Java is supposed to be "Write Once, Run Anywhere" assuming you have a stable Java Virtual Machine, and Sun does provide a reference JVM for Windows, so it seems that the only exclusion going on is the Law preventing Microsoft from improving the situation, and other vendors do not seem to want Java to succeed on Windows/IIS for whatever reason. And the Customer suffers in the middle.

For example, IBM WebSphere runs on both Apache/IIS and Linux/Windows, though it definitely favors Apache since that is a platform they can control. Their ISAPI Filter plugin for IIS is really, really badly written and has not improved for years despite constant customer complaints - I had to debug it a few times and found that it does not follow basic quality coding guidelines like initializing variable values or checking for NULL pointers, etc. So, I always question their disparaging remarks/bias against Windows/IIS "crashing" WebSphere.

Why? Because I believe that Code cannot lie. Computers do exactly what program Code tells them to do, and Programmers of Organizations write the Code. The actions of the WebSphere ISAPI Filter plugin Code do not match their stated intentions... so you either fix the Code or you change your stated intentions...

Anyways...

Ok, that is about enough ranting from me. I will have to see how people respond. :-)

Really, I have no problems with criticisms of IIS and Security. You just have to back it up with proper support and acknowledgement of all sides of the argument, and focus on the facts!

//David