Robin Wilson wrote:
> I like how your argument presumes the most foolish configuration for
> Apache vs. the ideal configuration if you only use tomcat. If you
If you're doing the "ideal configuration" and only using tomcat, then
what's the point of putting httpd on in the first place? Even if you
only use apache w/ mod_jk, you're tripling your attack surface. Why do
that?
Really, why insert httpd at all if you're not going to have PHP or other
things involved. You're just adding an extra two layers into your request.
With the Tomcat connector, the request goes to the connector and is
serviced.
With Apache httpd, it gets the connection. The request gets handed to
mod_jk. Via the URI Worker map, mod_jk shoves the data to the
appropriate worker's connector for servicing.
From a practical standpoint, it's much easier to not have Apache httpd
in the process. If you deploy a new host using the host manager
application, it starts working. With httpd, you have to modify the
configuration files and reload it. I run hundreds of tomcat virtual
hosts spread across three servers, so this is something I understand
pretty well.
> want to go that route, the default tomcat install includes a bunch of
> 'examples' and other exploitable stuff - why not assume that they
> left all that at the default values as well?
As far as a "default" tomcat install goes, I use the catalina
base/catalina home deployment methodology, so I'm not carrying all of
the sample application baggage with me, not even by accident. As a side
benefit, it makes upgrading new tomcat releases a little less painful.
> --
> Robin D. Wilson
> Director of Web Development
> KingsIsle Entertainment, Inc.
> WORK: 512-623-5913
> CELL: 512-426-3929
> www.KingsIsle.com
>
> -----Original Message-----
> From: George Sexton [mailto:geor...@mhsoftware.com]
> Sent: Tuesday, April 28, 2009 10:30 AM
> To: Tomcat Users List
> Subject: Re: Why we need two servers (httpd and tomcat)
Robin Wilson wrote:
As for your assertion that 2 layers of security is just complexity
and not more secure - you obviously haven't run many enterprise
production systems. Security in an enterprise system is all about
'layers' of protection. And sure, if they hack one layer - they are
probably good enough to hack the next layer. But that's where
intrusion detection and a variety of other systems come into play.
It's all about slowing down the advance of the attack until you can
do something about it.
In theory, you're right. Defense in depth is a sound and established
practice. I remember as a Marine, reading company level tactics
books that laid out how to set up a rifle company for defense in
depth.
In this particular instance you're just wrong. Putting apache in
front of Tomcat makes the visible surface for attack about 10 times
bigger. If you're running Apache httpd, you've probably got PHP
running which is a huge security attack area, and then there are
probably 20 other modules that are loaded by default. Instead of
having a small gate to defend, you now have 10 gates to defend.
You believe that to get your system, they have to get through httpd,
and then through tomcat. This is your defense in depth theory. It's
just wrong. If there's a buffer overflow in httpd, then they just
have to exploit that to get on your machine.
Layers of protection in an Enterprise security system would be
firewalls protecting the perimeter, intrusion detection systems
monitoring network traffic, monitoring systems that detect changes in
the host systems.
So, by all means do defense in depth. Just don't delude yourself into
thinking that putting httpd in front of tomcat adds a layer of
security. It doesn't.
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
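
The two things argued over in this thread, the modules an httpd front end loads beyond what mod_jk forwarding needs and the sample applications left under a Tomcat base directory, can both be inventoried on a host. The following is an added example, not part of the original messages or of either project; the allow-list, the function names and the sample `httpd -M` output are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: modules an httpd needs when it only forwards requests to Tomcat via mod_jk.
ALLOWED_MODULES = {"core_module", "http_module", "so_module",
                   "mpm_prefork_module", "log_config_module", "jk_module"}
# Sample applications found in the webapps/ directory of a stock Tomcat distribution.
SAMPLE_WEBAPPS = {"examples", "docs"}

# Constructed sample of `httpd -M` output, not captured from a real host.
SAMPLE_HTTPD_M = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 log_config_module (shared)
 status_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 userdir_module (shared)
 php5_module (shared)
 jk_module (shared)
Syntax OK
"""

def extra_modules(httpd_m_output, allowed=frozenset(ALLOWED_MODULES)):
    """Return loaded modules that are not on the allow-list, sorted by name."""
    loaded = set(re.findall(r"^[ \t]+(\w+_module) \((?:static|shared)\)",
                            httpd_m_output, re.M))
    return sorted(loaded - allowed)

def sample_webapps_present(catalina_base):
    """Return sample apps deployed under CATALINA_BASE/webapps, as directories or .war files."""
    webapps = Path(catalina_base) / "webapps"
    if not webapps.is_dir():
        return []
    names = {p.name[:-4] if p.name.endswith(".war") else p.name for p in webapps.iterdir()}
    return sorted(names & SAMPLE_WEBAPPS)

if __name__ == "__main__":
    print("httpd modules beyond the allow-list:", extra_modules(SAMPLE_HTTPD_M))
    with tempfile.TemporaryDirectory() as base:  # constructed CATALINA_BASE layout
        for app in ("shop", "examples"):
            (Path(base) / "webapps" / app).mkdir(parents=True)
        print("sample webapps deployed:", sample_webapps_present(base))
```

On a real host, feed `extra_modules` the text printed by `httpd -M` and point `sample_webapps_present` at each CATALINA_BASE in use.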