tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <>
Subject RE: Why we need two servers (httpd and tomcat)
Date Tue, 28 Apr 2009 16:49:13 GMT

what do you recommend to bulletproof Robin's installation?

Disclaimer and Confidentiality
This message is confidential. If you should not be the intended receiver, then we ask politely
to report. Each unauthorized forwarding or manufacturing of a copy is inadmissible. This message
serves only for the exchange of information and has no legal binding effect. Due to the easy
manipulation of emails we cannot take responsibility over the the contents.

> Date: Tue, 28 Apr 2009 09:30:28 -0600
> From:
> To:
> Subject: Re: Why we need two servers (httpd and tomcat)
> Robin Wilson wrote:
> > As for your assertion that 2 layers of security is just complexity
> > and not more secure - you obviously haven't run many enterprise
> > production systems. Security in an enterprise system is all about
> > 'layers' of protection. And sure, if they hack one layer - they are
> > probably good enough to hack the next layer. But that's where
> > intrusion detection and a variety of other system come into play.
> > It's all about slowing down the advance of the attack until you can
> > do something about it.
> > 
> In theory, you're right. Defense in depth is a sound and established 
> practice. I remember as a Marine, reading company level tactics books 
> that laid out how to set up a rifle company for defense in depth.
> In this particular instance you're just wrong. Putting apache in front 
> of Tomcat makes the visible surface for attack about 10 times bigger. If 
> you're running Apache httpd, you've probably got PHP running which is a 
> huge security attack area, and then there are probably 20 other modules 
> that are loaded by default. Instead of having a small gate to defend, 
> you now have 10 gates to defend.
> You believe that to get your system, they have to get through httpd, and 
> then through tomcat. This is your defense in depth theory. It's just 
> wrong. If there's a buffer overflow in httpd, then they just have to 
> exploit that to get on your machine.
> Layers of protection in an Enterprise security system would be firewalls 
> protecting the perimeter, intrusion detection systems monitoring network 
> traffic, monitoring systems that detect changes in the host systems.
> So, by all means do defense in depth. Just don't delude yourself into 
> thinking that putting httpd in front of tomcat adds a layer of security. 
> It doesn't.
> -- 
> George Sexton
> MH Software, Inc.
> Voice: +1 303 438 9585
> URL:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Rediscover HotmailĀ®: Get e-mail storage that grows with you.
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message