[254] in WWW Security List Archive


Re: Secure W3 Server

daemon@ATHENA.MIT.EDU (Dorian Deane)
Tue Dec 13 12:12:10 1994

From: dorian@oxygen.house.gov (Dorian Deane)
To: hharamis@cohesive.com
Date: Tue, 13 Dec 1994 09:50:22 -0500 (EST)
Cc: www-security@ns1.rutgers.edu
In-Reply-To: <eed4adc0@nts-1.cohesive.com> from "hharamis@cohesive.com" at Dec 12, 94 11:42:08 pm
Reply-To: dorian@oxygen.house.gov (Dorian Deane)

> 
> Does anybody have an opinion on which public domain w3 server is
> most secure?  A lot of people talk about the fact that some of these
> servers are large in size.  Sounds to me like the old sendmail problem.
...
> Harry Haramis
> hharamis@cohesive.com
> 

I'm hoping someone is more well-informed than myself, but I feel I
should contribute what few semi-educated opinions I _do_ hold:

1.  Anything running on a single-tasking machine, such as a Mac running
MacOS, is probably more secure than one running on something like Unix,
VMS, etc.  Even MacOS, however, should be configured minimally-- no
telnet, ftp, etc., if at all possible.

2.  The only DOS-based one I know of is a server that runs on top
of KA9Q.  Though it may be perfectly possible to make it quite
secure, the problem is that KA9Q can do so much.  The authors of
KA9Q refer to it as a "network operating system" and they're not
far off.  It runs on top of DOS, and that is probably good for
security, but again, because KA9Q can do so much, it may manage
to circumvent the security-convenient dysfunctionality of DOS.
My feeling is that it is probably pretty safe if it is well-configured
and all other KA9Q services are turned off.  I have not looked at
its packet-filtering capabilities but, if they are carefully written,
and the filtering rules carefully configured, they probably add to the
security.

I apologize for the hand-wavy paranoia above, but perhaps it's a 
starting point for further discussion.  I, too, would like people's
opinions on this matter.

dorian

