[5065] in WWW Security List Archive


Re: Security issues in Apache?

daemon@ATHENA.MIT.EDU (Steve Neruda)
Mon Apr 14 16:15:21 1997

Date: Mon, 14 Apr 1997 11:56:28 -0400
From: Steve Neruda <nerudas@nationwide.com>
To: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
CC: Paul Phillips <paulp@go2net.com>, Adam Shostack <adam@homeport.org>,
        www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Phillip M. Hallam-Baker wrote:
> 
> 
> >I have heard the suggestion to run web servers on some high numbered
> >port, and use your IP filtering/NAT software to translate incoming
> >requests to webserver:80 to webserver:8000
> 
> >No impact on the web server.  I haven't done this, and would
> >test heavily before deploying it.
> 
> I've tried it and found that the performance hit can be considerable.
> 
> The hit can be even worse on some CISCO routers where there is
> a routing engine. Turning on filtering means that the processor board
> does the routing and not the engine. This kills the machine.

I believe this was only true with older Cisco IOSes.  The newer IOSes
build a hash of the filters and therefore aren't as affected by the lack
of raw CPU in most Cisco routers.  Since the NAT is tied to the filters,
I believe that other than the initial packet, the rest of the session should
be fast switched and not process switched.


> Thats why I suggested an O/S patch.
> 

I agree with Phil's suggestions here.  Since Unix systems are no longer
very expensive, limited-access, well-controlled boxes, the idea of
"privileged ports" that can only be accessed by root is pretty much an
anachronism.  Trusting an application to be safe because it runs on a low
numbered port is like trusting the LAPD because they're
policemen.

SteveN

-- 
Steve Neruda                         Steve_Neruda@Nationwide.Com
Senior Internet Consultant           The Internet Technologies Group

   "We must never cease from exploring.  And the end of our 
   exploring will be to arrive where we began and know the place
   for the first time." --T.S. Eliot
