Actually Tony, I believe there is a reason, and many, many, many large enterprises run their web application servers under this configuration. Granted, this is a very extreme measure of protection, and the process is not as simple as "take CF off of your IIS box, and put it on a different one", but that of running ColdFusion in distributed mode, which is fairly well documented.
The scenario is this: You have your CF running as an ISAPI or NSAPI plugin, on the same machine as your web server. You didn't realize that when you re-installed your web server after last week's system crash, you had not patched one of the holes (say the .htr bug in IIS 4), or, better yet, say you have not closed off all ports besides 80 and 443. Now a hacker has discovered that your IP address is 111.111.11.11, and that he can access your files from some other port without them being processed (and thus protected) by CF. So he enters 111.111.11.11:9999/application.cfm into his TCP program, and lands upon all of the source code for your application, complete with database IPs and passwords. Ok, I agree that is far-fetched, but it has happened, and is not outside of the scope of possibility.

So how does running a distributed infrastructure help you?

1. There is a firewall between the external Web server (serving HTML & graphics) and the modified internal Application Server (also needs a web server) to protect your source code.
2. Your firewall is configured to only pass requests to the app server that come from the Web Server (no direct access from anywhere else).
3. Your users will never find the explicit IP address of your application server... the most they can get is the IP of your load balancer, or your external web server. Thus they cannot find your application server, and do malicious things to it.

Now, I admit, I have not set this sort of infrastructure up since CF 4.5, so my memory may not be exact. But I believe that this is the basic principle behind running applications in distributed mode.

-Igor

-----Original Message-----
From: Tony Weeg [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 2:23 PM
To: CF-Talk
Subject: RE: Separating IIS from CF

we had a security audit one time tell us to take our webservers offline so that hackers couldn't see them. my point is... there is no clear reasoning as to why a security company would tell you to take your cf server and put that on a different machine than your iis machine...it just doesn't make sense....not in the least bit. how many developers/web shops on this list have iis and cf on the same machine? I bet 100% of us.

tony weeg
uncertified advanced cold fusion developer
tony at navtrak dot net
www.navtrak.net
office 410.548.2337
fax 410.860.2337

-----Original Message-----
From: Venable, John [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 11:10 AM
To: CF-Talk
Subject: Separating IIS from CF

We just had a security audit and one of the recommendations was to separate Cold Fusion and IIS onto two separate systems. I hadn't heard of doing this, and am really wary of doing this since we are using Commonspot and I have no idea what ramifications would result. Their reasoning for this was pretty vague, so can anyone give me reasons why we should and shouldn't do this? The motivation in this particular case being improved security.

Thanks
John

---
John Venable
Director of Web Architecture
Epilepsy Foundation
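The three points in Igor's reply (firewall between the DMZ web server and the internal application server, allow only the web server through, never expose the app server's address) amount to a default-deny policy on the internal firewall. The block below is an added example, not code from the thread or from any ColdFusion product: it models that policy as a small packet-filter evaluator, lists the connection attempts the policy denies so they can be logged, and renders the equivalent Linux iptables FORWARD rules. All addresses, ports and the assumption that the firewall is a Linux box are constructed for illustration.

```python
"""Model of the two-tier (web server / app server) firewall policy.

Constructed example: the topology, addresses and port list are assumptions,
not values from the CF-Talk thread.
"""
from dataclasses import dataclass
import ipaddress

# Assumed topology (constructed RFC 1918 addresses):
WEB_SERVER = ipaddress.ip_address("10.0.0.10")   # external web server in the DMZ
APP_SERVER = ipaddress.ip_address("10.0.1.20")   # internal application server
APP_PORTS = {80, 443}                            # the app server's web listener only


@dataclass(frozen=True)
class Packet:
    """One connection attempt as seen by the internal firewall."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_allowed(pkt: Packet) -> bool:
    """Default-deny policy guarding the application server.

    Only the DMZ web server may open connections to the app server, and only
    to the ports its web listener uses.  A direct connection from anywhere
    else, on any port (the 111.111.11.11:9999 scenario in the thread, here
    played against the constructed app server address), is dropped.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst != APP_SERVER:
        return False  # this rule set only decides traffic bound for the app server
    return pkt.proto == "tcp" and src == WEB_SERVER and pkt.dport in APP_PORTS


def denied(packets) -> list:
    """Attempts the policy rejects; these are what the firewall should log,
    since any of them means someone reached past the web tier."""
    return [p for p in packets if not is_allowed(p)]


def render_iptables() -> list:
    """Equivalent iptables FORWARD-chain rules (assumes a Linux firewall
    sitting between the DMZ and the internal segment)."""
    rules = [
        # Return traffic for connections the web server already opened.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(APP_PORTS):
        rules.append(
            f"iptables -A FORWARD -s {WEB_SERVER} -d {APP_SERVER} "
            f"-p tcp --dport {port} -j ACCEPT"
        )
    # Log, then drop, every other attempt to reach the app server.
    rules.append(
        f'iptables -A FORWARD -d {APP_SERVER} -j LOG --log-prefix "APP-DIRECT-ACCESS: "'
    )
    rules.append(f"iptables -A FORWARD -d {APP_SERVER} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample of attempts: one legitimate, the rest direct access.
    attempts = [
        Packet("10.0.0.10", "10.0.1.20", 443),          # web tier -> app tier, allowed
        Packet("10.0.0.10", "10.0.1.20", 9999),         # web tier, wrong port
        Packet("203.0.113.5", "10.0.1.20", 80),         # internet -> app server
        Packet("203.0.113.5", "10.0.1.20", 9999),       # internet, non-web port
        Packet("10.0.0.10", "10.0.1.20", 80, "udp"),    # wrong protocol
    ]
    for p in denied(attempts):
        print(f"DENY {p.proto} {p.src} -> {p.dst}:{p.dport}")
    print()
    print("\n".join(render_iptables()))
```

The rule order matters: the ESTABLISHED,RELATED rule lets the app server's replies flow back, the two ACCEPT rules admit only the web server on 80 and 443, and the LOG line before the final DROP gives the operations team a record of every direct-access attempt, which is the detection counterpart of the architecture Igor describes.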

