tomcat-users mailing list archives

From George Sexton <>
Subject Re: Why we need two servers (httpd and tomcat)
Date Tue, 28 Apr 2009 15:30:28 GMT

Robin Wilson wrote:
> As for your assertion that 2 layers of security is just complexity
> and not more secure - you obviously haven't run many enterprise
> production systems. Security in an enterprise system is all about
> 'layers' of protection. And sure, if they hack one layer - they are
> probably good enough to hack the next layer. But that's where
> intrusion detection and a variety of other systems come into play.
> It's all about slowing down the advance of the attack until you can
> do something about it.

In theory, you're right. Defense in depth is a sound and established 
practice. I remember as a Marine, reading company level tactics books 
that laid out how to set up a rifle company for defense in depth.

In this particular instance you're just wrong. Putting apache in front 
of Tomcat makes the visible surface for attack about 10 times bigger. If 
you're running Apache httpd, you've probably got PHP running which is a 
huge security attack area, and then there are probably 20 other modules 
that are loaded by default. Instead of having a small gate to defend, 
you now have 10 gates to defend.

You believe that to get your system, they have to get through httpd, and 
then through tomcat. This is your defense in depth theory. It's just 
wrong. If there's a buffer overflow in httpd, then they just have to 
exploit that to get on your machine.

Layers of protection in an Enterprise security system would be firewalls 
protecting the perimeter, intrusion detection systems monitoring network 
traffic, monitoring systems that detect changes in the host systems.

So, by all means do defense in depth. Just don't delude yourself into 
thinking that putting httpd in front of tomcat adds a layer of security. 
It doesn't.

George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
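The message above argues from the number of httpd modules loaded by default. One way to put a number on that is to compare what `httpd -M` (or `apachectl -M`) reports against the minimal set a reverse proxy for Tomcat actually needs. The script below is an added example, not part of the original post or of the Apache project; the allowlist is an assumption about what a proxy-only front end needs, and the module listing it parses is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: flag loaded httpd modules that are not on a minimal
# allowlist, to measure the exposed surface rather than guess at it.

# Assumed minimal set for an httpd that only proxies to Tomcat (AJP or HTTP).
# Adjust for your build; MPM and core modules vary by platform.
ALLOWED="core_module so_module http_module mpm_event_module log_config_module \
authz_core_module unixd_module proxy_module proxy_http_module proxy_ajp_module"

# Reads `httpd -M` output on stdin and prints one non-allow-listed module
# per line. Lines look like "  php5_module (shared)" or " core_module (static)".
extra_modules() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /_module \((static|shared)\)/ { if (!($1 in ok)) print $1 }
    '
}

# Constructed sample of `httpd -M` output (not from any real host).
SAMPLE='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 log_config_module (shared)
 authz_core_module (shared)
 unixd_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 php5_module (shared)
 cgi_module (shared)
 status_module (shared)
 autoindex_module (shared)
 userdir_module (shared)'

# Number of modules in the sample that exceed the allowlist.
count_extra() {
    printf '%s\n' "$SAMPLE" | extra_modules | wc -l | tr -d ' '
}

# First flagged module in the sample, for a quick sanity check.
first_extra() {
    printf '%s\n' "$SAMPLE" | extra_modules | head -n 1
}

# Stand-alone run: show the flagged modules from the constructed sample.
# On a live host use:  httpd -M 2>/dev/null | extra_modules
printf '%s\n' "$SAMPLE" | extra_modules
```

Every line the script prints is a module that is reachable from the network (or configures something that is) without doing any proxying work; each one is a candidate for removal from the `LoadModule` list, which shrinks the surface the post is talking about without changing what the proxy does.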

