Java Mailing List Archive

http://www.junlu.com/


urgent : unsubscribe please

Christian Mennequin

2007-01-10


Regards,

Christian Mennequin
Barclays IRCB / DI
183 avenue Daumesnil 75575 Paris Cedex 12
Phone : 0033 (0)1.55.78.43.05
Email  : christian.mennequin@(protected)



"Leon Rosenberg" <rosenberg.leon@(protected)>
09/01/2007 22:04
Please reply to
"Tomcat Users List" <users@(protected)>


To
"Tomcat Users List" <users@(protected)>
cc

Subject
Re: Securing Tomcat Article for Review






On 1/9/07, Christopher Schultz <chris@(protected)> wrote:

> Leon's message says flat out that adding Apache httpd reduces security,
> and provides no basis for that statement. A more appropriate statement
> might have been that Apache does not add any appreciable measure of
> security as Tomcat provides the same kinds of protections against
> unauthorized access, etc.

Allow me to explain this. As other posters already explained, putting a
httpd in front of tomcat doesn't increase security. The only way it
could increase it would be if it could handle known security issues
and protect the tomcat from the usage of such exploits. Personally I
don't know of any, and even if I did, I would doubt that putting httpd in
front would be the best solution, or that httpd can protect something
better than a firewall, which is actually designed to protect. Httpd
is not.
Can we agree that httpd doesn't increase security now?

Now, moving on, if httpd doesn't increase security, it either a) has zero
impact or b) decreases it.

As for option a) (although I don't believe it), even if it would have
zero effect, there is always a possibility for the human factor
(mistakenly released configs or something). So even with option a),
where the sole presence of httpd wouldn't reduce security, its presence
would give more opportunity for the human to fail, and therefore reduce
security indirectly.

As for option b): httpd is a lot of code. Any code contains bugs. So
chances are good that httpd will add its own bugs to the existing tomcat
bugs without hiding some of them. So the overall bug count will
increase, therefore increasing the number of possible security-relevant
bugs. Therefore decreased security.

q.e.d :-)

However, putting a firewall in front of any webserver to protect the
host and the server from attacks it can't deal with seems a very good
idea to me :-)

best regards
Leon
