Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: Web server security
From: jeromie @ garrison . com (Jeromie Jackson)
Date: Thu, 20 Feb 97 12:58:12 CST
To: long-morrow @ CS . YALE . EDU, Pierre . Beyssac @ hsc . fr
Cc: cowboy @ home . byelex . nl, firewalls @ GreatCircle . COM

> From pb @ hsc . fr Thu Feb 20 12:44:01 1997
> Date: Thu, 20 Feb 1997 19:18:45 +0100
> From: Pierre . Beyssac @ hsc . fr (Pierre Beyssac)
> To: long-morrow @ CS . YALE . EDU
> Cc: cowboy @ home . byelex . nl, jeromie @ garrison . com, firewalls @ GreatCircle . COM
> Subject: Re: Web server security
> X-Mailer: Mutt 0.59.1e
> Mime-Version: 1.0
> Content-Length: 1405
> 
> According to long-morrow @ CS . YALE . EDU:
> > because the server process or the Mac itself might crash during the
> > night and stay down until morning.  Unix and NT machines -- though
> > more likely to be broken into -- are more reliable at keeping server
> > processes up and running (they can even babysit them and restart them
> 
> It might be understood that you're saying that Unix and NT are
> _inherently_ less secure than MacOS (the same claim is made for Unix
> vs NT).
> 
> But it should be made clear that this is _only_ a consequence of the
> fact that many more services are available "out of the box" on Unix
> than on NT, and on NT than on MacOS. A cracker can't login on a machine
> if it allows no remote login. Even less if the OS doesn't allow that
> because you didn't purchase the option, of course.
> 
> But if you want to secure a Unix machine as much as possible, you
> can perfectly disable _all_ external services except the HTTP server,
> making it as secure as MacOS. And much more reliable. You can even
> remove rlogind, telnetd and the like if you're really paranoid.
> 
> Then you need to choose a secure HTTP server, which is a different
> thing. Having a secure OS will not magically secure your HTTP server !
> Bugs recently discovered on NT servers (for example the ../.. stuff)
> have generally been fixed two or three years ago on Unix HTTP servers.
> They're just 2 or 3 years more mature...
> -- 
> Pierre . Beyssac @ hsc . fr
> 


	My logic was this.  In a UNIX/NT environment there is a command-line
interface, whereas a MAC has none.  In a UNIX/NT environment it may be
possible to pass commands to a CLI, whereas it wouldn't be feasible in a MAC...

	In a UNIX/NT box, you have to worry about if people can get to the CLI,
as well as worrying if they can throw system calls in to be processed.  In a MAC,
you only have to worry about if they can embed system calls...


Jeromie Jackson
Garrison Technologies
jeromie @ garrison . com
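
The hardening step described in the quoted text above (turning off every external service except the HTTP server, including rlogind and telnetd) can be checked with a script like the following. This is an added example, not part of the original message; it assumes services are started from an inetd.conf-style file, and the sample file, its paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): list services that are still
# enabled in an inetd.conf-style file. Assumed field layout per entry:
#   service  socket-type  protocol  wait-flag  user  server-path  [args...]

# Print "service/protocol server-path" for each enabled entry whose service
# name is not in the space-separated allowlist given as $2.
unexpected_services() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/  { next }   # commented out, so inetd will not start it
        NF < 6      { next }   # blank or incomplete line
        !($1 in ok) { print $1 "/" $3, $6 }
    ' "$1"
}

# Constructed sample input; the paths are illustrative, not from the page.
sample_conf() {
    cat <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
}

# Demo: nothing is allowlisted, because the HTTP server is assumed to run
# standalone rather than from inetd. Every line printed is a service to disable.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
unexpected_services "$demo_conf" ""
rm -f "$demo_conf"
```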

