> I did note one thing in your email below. You state that
> you want to separate the web server from the application
> server for security reasons. JRUN is a web server, and we
> have had no issues putting JRUN and IIS onto the same box.
> Our firewall is BEFORE our box that contains the JRUN/IIS
> software, so I am confused as to what security issues you
> think you are exposing yourself to by putting JRUN and IIS
> together on the same box. As long as your IIS/JRUN server
> is BEHIND your firewall, and you have a good firewall, then
> I don't see that you gain anything security wise by putting
> JRUN on a separate box from IIS. But perhaps I am missing
> something.
While I agree with you that this configuration probably is more trouble than it's worth, there are valid security reasons for separating the application server from the web server.

First of all, the use of a firewall between the outside world and the web server doesn't automatically provide the necessary level of security. The firewall has to let HTTP traffic reach the web server, but web servers can be compromised by malformed HTTP requests - and those HTTP requests may be perfectly valid requests from the firewall's perspective. If the web server is compromised this way, and it also hosts the application, all kinds of bad things can ensue.

All of this stuff is especially true for IIS, which by default is vulnerable to all kinds of buffer overflow and directory traversal exploits. If you're using IIS in a production environment, it's essential to learn how to properly secure it. Fig Leaf Software offers a course on this topic, focused on CF developers, called "Securing ColdFusion Servers for Windows", and in the course, there are several demonstrations of IIS exploits that will pass right through the firewall by default - as well as SQL injection attacks, which pass through the firewall, web and application servers and attack the database directly!

However, I'd recommend that you're better off securing your web/application server than separating the two, in most cases, for performance reasons.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
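The point above, that a port-filtering firewall forwards a directory-traversal or SQL-injection request exactly like any other well-formed HTTP request, is illustrated by the following added example. It is not code from the original thread or from Fig Leaf Software: it runs simple application-layer detection rules over a few constructed, IIS-style log lines, and then puts a string-concatenated lookup (the kind a CF page or any other script might build) next to a parameterized one against an in-memory SQLite table to show why the second is unaffected by the same input. The log format, the rule patterns and the `products` table are all assumptions made for the demonstration.

```python
# Added example (not from the original e-mail thread). Demonstrates that the
# requests the firewall passes still have to be checked at the web/application
# layer, and that parameterized queries neutralise the injection the log shows.
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample lines in a simplified IIS-log shape
# ("method uri-stem uri-query status"). Not real traffic.
SAMPLE_LOG = """\
GET /index.cfm - 200
GET /scripts/..%255c..%255c/boot.ini - 200
GET /products.cfm id=1 200
GET /products.cfm id=1'+OR+'1'='1 200
GET /about.cfm - 200
"""

# Assumed detection rules: a ".." path segment (either slash style) and the
# most common SQL-injection shapes (quote/OR/quote, comment, stacked statement).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SQLI = re.compile(r"('\s*(or|and)\s+'|--|;\s*(drop|insert|update|delete)\b)",
                  re.IGNORECASE)


def decode_twice(s: str) -> str:
    """Percent-decode twice, because IIS has historically decoded some paths
    twice (%255c -> %5c -> backslash); match what the server would see."""
    return unquote(unquote(s))


def classify(line: str):
    """Return the list of rule names a log line trips (empty if none)."""
    parts = line.split()
    if len(parts) != 4:
        return None  # not in the assumed four-field shape
    _method, stem, query, _status = parts
    stem_d = decode_twice(stem)
    query_d = decode_twice(query.replace("+", " ")) if query != "-" else ""
    findings = []
    if TRAVERSAL.search(stem_d):
        findings.append("directory-traversal")
    if SQLI.search(query_d):
        findings.append("sql-injection")
    return findings


def scan_log(text: str) -> dict:
    """Map 1-based line numbers to findings for every line that trips a rule."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, product_id: str) -> list:
    """String concatenation: the request parameter becomes part of the SQL text,
    so a quote in the value changes the query's structure."""
    sql = ("SELECT name FROM products WHERE id = '" + product_id
           + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, product_id: str) -> list:
    """Bound parameter: the value is data only and can never alter the query."""
    sql = "SELECT name FROM products WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (product_id,))]


if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(findings)}")
    db = setup_db()
    injected = "1' OR '1'='1"  # the value carried by line 4 of the sample log
    print("vulnerable    :", lookup_vulnerable(db, injected))
    print("parameterized :", lookup_parameterized(db, injected))
```

Every line in the sample is a syntactically valid HTTP request, which is all a port-level firewall rule checks; only the second stage, the decode-then-match over what the server itself would process, separates the two bad requests from the three normal ones. The two lookups then show the practical effect: the concatenated query returns every row for the injected value, while the bound-parameter query returns nothing, because the value is compared as data rather than parsed as SQL.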
