Hi Nicholas,
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, 2 October 2001 8:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: ERMAPPER-L Daily Digest
>
> My information is that NIMDA is spread by four different methods,
> one of which is email. As a specific example, NIMDA entered our
> network (Dept Main Roads) through an IIS Server, which was admittedly
> not properly patched, but the entry method was not email.

Correct, but my point is email is the main method, especially where systems have been properly patched. Microsoft provides a free critical updates notification service; I definitely recommend using this.

> > Windows in general has a bad reputation for viruses and bugs, but the
> > reality is it's not really any worse than other OS's when you factor in the
> > amount of functionality it provides in comparison to your typical Unix
> > system.
>
> How much functionality is required to run ERMapper IWS?

Image Web Server currently requires a multi-threaded, asynchronous I/O ISAPI based web server. I was more referring to general functionality the system provides, not functionality required to run Image Web Server.

> Would it not be best to, out of all the systems that have sufficient
> functionality, choose the system with highest security?
> Eg. System X has lower functionality than IIS, but sufficient
> to run ERMapper IWS, and also has higher security. Would that not
> make a better choice than IIS, which has extra (unused) functionality
> and lower security?
> This depends on whether IIS is the only web server with sufficient
> functionality to run IIS.

IIS is the only web server currently able to run Image Web Server.

> > That's the tradeoff the majority of the market has made
> > (functionality vs security), and I really don't see it changing anytime
> > soon.
>
> As a result of the NIMDA virus, my department has increased their
> minimum standards for security. The decision means that web servers that
> don't have sufficient security don't run at all. At this point, having
> lots of functionality is irrelevant.
>
> > Most "viruses" on windows are quite basic and only survive through
> > end-user error (clicking on unknown attachments, failing to update virus
> > checkers etc). If nothing else you have to admit Microsoft does release
> > patches very quickly for real security flaws - much faster than you could
> > expect from the opensource community.
>
> When I talked about Unix, I should have mentioned that I actually meant
> Sun Solaris. They are not open source.

I haven't had to deal directly with Sun for a couple of years (since ER Mapper 5.x Unix days), but out of curiosity:

a) How fast are they at getting patches out nowadays?
b) What's the annual support cost to be able to download those patches?

> > The other thing to consider is a Unix version of Image Web Server would
> > likely perform poorly due to architectural limitations.
>
> Could you explain the architectural limitations of Sun Solaris version 8?
> The OS comes bundled with Apache for free, and there are many other
> commercial web servers that run on Sun Solaris. Currently 60% of the
> world's web servers are Sun Solaris.

Not a limitation of Solaris or Linux themselves. The limitation is Apache. As I said above, Image Web Server requires a multi-threaded web server with asynchronous I/O, neither of which Apache provides reliably (if at all, depending on the version). A Unix Image Web Server could be built using CGI exe's, shared memory transports and a server daemon process, but this would perform considerably slower than a true multi-threaded solution, and require significantly more hardware resources. It is also doubtful the cost of building and maintaining such a solution could be justified, and it would require significantly more admin effort (and hence support) to get running.

> > Lastly, don't forget the first ever internet Worm was written for Unix and
> > exploited a buffer-overrun security flaw (just like Code Red and NIMDA...)!
>
> The first ever internet worm occurred in 1988. The fact that it exploited
> Unix over a decade ago doesn't automatically mean that Unix is vulnerable
> today.

Which was not my point - I was merely pointing out that no system is immune to a determined hacker, and obviously the more functionality a system provides, and the more popular that system is, the more likely it is it will be cracked at some point. Nonetheless, 80-90+% of the market has chosen the "vulnerable" solution because the productivity benefits outweigh the inherent problems.

> Thank you for your prompt reply Simon,

No problem. I really do understand your security concerns and desires for a more robust solution; unfortunately commercial reality often doesn't align with the ideal. Due to the much lower volumes involved, a Solaris 8 version would be significantly more expensive to recover costs, and it just isn't viable at present.

Regards,
-- Simon

> Nick
>
> ************************************************************
> Opinions contained in this e-mail do not necessarily reflect
> the opinions of the Queensland Department of Main Roads,
> Queensland Transport or National Transport Secretariat, or
> endorsed organisations utilising the same infrastructure.
> If you have received this electronic mail message in error,
> please immediately notify the sender and delete the message
> from your computer.
> ************************************************************

-----------------------------------------------------------
To make changes to your subscription, please visit our website,
http://www.ermapper.com/technicl/ermapperl/index.htm
-----------------------------------------------------------
