Pid,

On 4/12/13 1:54 PM, Pïd stèr wrote:
> On 11 Apr 2013, at 21:36, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> [...] though I would run Apache httpd and Tomcat on different
>> hosts, so localhost-binding is not possible unless you are doing
>> something like stunnel (which also might be a good idea if you
>> are traversing an untrusted network).
>
> Respectfully, I have to disagree. Unless the Apache HTTPD is
> loaded with IDS that can sniff the inbound traffic, you've not
> achieved much, and now you have two boxes that have to be
> maintained, secured & patched. HTTPD != firewall.

While httpd != firewall, it's traditional to allow external access to
your web server but not your app servers (databases, etc.). That means
that external threats can only directly attack the web server.
Obviously, suffering a web server break-in sucks, but at least the
attacker then needs to break into the application server after that.
If it's a one-box wonder, you've been owned in one fell swoop.

Also, running a heterogeneous environment can thwart attackers who
have some kind of zero-day that got them into the web server (e.g.
running httpd on Linux). Then they try the app server and surprise!
It's NetBSD and they have to stop and find another attack to proceed.

-chris