From: Martin Gainty
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Why we need two servers (httpd and tomcat)
Date: Tue, 28 Apr 2009 12:49:13 -0400
In-Reply-To: <49F72114.7080806@mhsoftware.com>
what do you recommend to bulletproof Robin's installation?

Martin

______________________________________________
Disclaimer and Confidentiality
This message is confidential. If you should not be the intended receiver, then we ask politely to report. Each unauthorized forwarding or manufacturing of a copy is inadmissible. This message serves only for the exchange of information and has no legal binding effect. Due to the easy manipulation of emails we cannot take responsibility over the contents.

> Date: Tue, 28 Apr 2009 09:30:28 -0600
> From: georges@mhsoftware.com
> To: users@tomcat.apache.org
> Subject: Re: Why we need two servers (httpd and tomcat)
>
> Robin Wilson wrote:
> > As for your assertion that 2 layers of security is just complexity
> > and not more secure - you obviously haven't run many enterprise
> > production systems. Security in an enterprise system is all about
> > 'layers' of protection. And sure, if they hack one layer - they are
> > probably good enough to hack the next layer. But that's where
> > intrusion detection and a variety of other systems come into play.
> > It's all about slowing down the advance of the attack until you can
> > do something about it.
>
> In theory, you're right. Defense in depth is a sound and established
> practice. I remember as a Marine, reading company level tactics books
> that laid out how to set up a rifle company for defense in depth.
>
> In this particular instance you're just wrong. Putting apache in front
> of Tomcat makes the visible surface for attack about 10 times bigger. If
> you're running Apache httpd, you've probably got PHP running which is a
> huge security attack area, and then there are probably 20 other modules
> that are loaded by default. Instead of having a small gate to defend,
> you now have 10 gates to defend.
>
> You believe that to get your system, they have to get through httpd, and
> then through tomcat. This is your defense in depth theory. It's just
> wrong. If there's a buffer overflow in httpd, then they just have to
> exploit that to get on your machine.
>
> Layers of protection in an Enterprise security system would be firewalls
> protecting the perimeter, intrusion detection systems monitoring network
> traffic, monitoring systems that detect changes in the host systems.
>
> So, by all means do defense in depth. Just don't delude yourself into
> thinking that putting httpd in front of tomcat adds a layer of security.
> It doesn't.
>
> --
> George Sexton
> MH Software, Inc.
> Voice: +1 303 438 9585
> URL: http://www.mhsoftware.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
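The quoted post argues that an httpd in front of Tomcat adds "gates" in the form of modules loaded by default. The script below is an added example, not code from either poster or from the Apache project: it takes the module list that `httpd -M` (or `apachectl -M`) prints and reports every loaded module that is not on a minimal allowlist for a reverse proxy to Tomcat, so the extra gates can be counted and unloaded. The allowlist (`PROXY_ALLOWLIST`), the sample `httpd -M` output, and the function names `is_allowed`, `audit_modules` and `count_extra_modules` are all assumptions made for the example; the sample output is constructed, not captured from a real host, and the allowlist should be tuned to the site's own build.

```shell
#!/bin/sh
# Added example (not from the thread). Given the module list that
# `httpd -M` / `apachectl -M` prints, report every loaded module that is not
# on a minimal allowlist for an httpd reverse proxy in front of Tomcat.
# The allowlist is an assumption for illustration; tune it to your build.

# Assumed minimal module set for a plain HTTP/AJP reverse proxy to Tomcat.
PROXY_ALLOWLIST="core_module so_module http_module mpm_event_module
authz_core_module log_config_module unixd_module
proxy_module proxy_http_module proxy_ajp_module"

# Constructed sample of `httpd -M` output (not captured from a real host).
SAMPLE_HTTPD_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 log_config_module (shared)
 unixd_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 proxy_balancer_module (shared)
 cgi_module (shared)
 php5_module (shared)
 status_module (shared)'

# is_allowed MODULE: exit 0 if MODULE is on PROXY_ALLOWLIST, 1 otherwise.
is_allowed() {
    for allowed in $PROXY_ALLOWLIST; do
        if [ "$allowed" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# audit_modules: read `httpd -M` output on stdin; print each loaded module
# that is not on the allowlist, one per line. Always exits 0.
audit_modules() {
    while IFS= read -r line; do
        case "$line" in
            *_module*) ;;   # a module line; anything else (the header) is skipped
            *) continue ;;
        esac
        # Drop leading blanks and the trailing " (static)" / " (shared)" tag.
        mod=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
        if ! is_allowed "$mod"; then
            printf '%s\n' "$mod"
        fi
    done
    return 0
}

# count_extra_modules TEXT: number of modules in TEXT outside the allowlist.
count_extra_modules() {
    printf '%s\n' "$1" | audit_modules | wc -l | tr -d ' '
}

# Stand-alone run: list the extra gates in the sample. On a real host use:
#   httpd -M 2>&1 | audit_modules
printf 'Modules loaded beyond the reverse-proxy allowlist (%s):\n' \
    "$(count_extra_modules "$SAMPLE_HTTPD_M")"
printf '%s\n' "$SAMPLE_HTTPD_M" | audit_modules
```

On the constructed sample the audit flags `proxy_balancer_module`, `cgi_module`, `php5_module` and `status_module`. Each of those is either a `LoadModule` line to remove from the httpd configuration or a module that needs a written justification for staying in the exposed front end; `2>&1` is used because some httpd versions print the `-M` listing on stderr.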