Apache vs. IIS

Recently, a few choice diagrams from a while back, mapping the system calls that Apache and IIS perform, have been making another round on the internet. So I thought I would add my 2 cents’ worth on the matter…

Why Windows is less secure than Linux

“Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.”

Diagram of Apache’s internal system calls…
Apache System Calls

Diagram of IIS’s internal system calls…
IIS System Calls

I’ll let the images speak for themselves, and comment not on the above or its interpretation, but rather on the following…

“Apache cannot be compared to IIS. Apples and oranges!”

What… Why not? They have the same function, right?

“Apache, out-of-the-box, only serves static pages! It needs modules to add functionality. IIS, on the other hand, has all sorts of functionality built into it, such as running .NET applications and ASP.NET scripts. IIS is tied into Active Directory and many other Windows Server-specific technologies. It integrates with the OS!”

You say that like it’s a good thing.

“When you add enough extensions to Apache to provide it with abilities equivalent to IIS’s base functionality, it will make just as many system calls and be just as complex.”

We only have the baseline of what happens on one static HTML page and one image request. Anything else is a guess.

“Apache has 33 reported vulnerabilities. IIS has only 3 advisories!”

Apache? You meant to say “Apache modules”, didn’t you? As far as I know, having someone actually looking at the source and working out the bugs *is* a good thing. The matter of people being sued and/or having their careers ruined for reporting vulnerabilities in proprietary products also plays into this, don’t you think?

“IIS has come quite a long way since the days of Windows NT/2000. IIS6 is a major improvement and IIS7 is a thing of beauty. When I show people how IIS 6 works, they become impressed.”

Maybe so.

Just to be fair, I will say this in defense of IIS…

Apache is written in C, while IIS is more of an object-oriented C++ product, which can translate into more calls.

Taking another page from Apache’s playbook [good things get copied, right?]:

  • Microsoft has switched to a completely modular setup design with IIS7.
  • IIS 7 can now be configured from a text file (web.config).
  • IIS 7 can be administered from the command line with the Windows PowerShell administration environment.

“First they ignore you, then they laugh at you, then they fight you, then you win.” – Mahatma Gandhi.

Suhosin Extension for PHP

Suhosin is a security patch/extension for PHP.

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

Here is a recent SecurityFocus article, an interview with the author of this package, that goes into the details of the project and what lies ahead…
PHP Security From The Inside

While this patch [or extension] is simple to set up under Linux, the Windows side is a bit more difficult: no binaries are provided, which means building PHP with the extension from source…

And anyone that’s ever tried to build Win32 PHP knows what a headache that can be. What PHP.net provides in source is about 20% of what’s needed, and contains extension libs that date from the year 2000.

_Though I will say_ that some extensions/DLLs CAN be built, the ones that do not depend on anything else.

Securing Your Server and Web Applications

There is no shortage of bad, incomplete, and outdated information on the Internet and in print. And if that were not bad enough, there is also the problem of information overload.

Here are a few resources that can get you up to speed…

  • Chapter 3: PHP from the book “Apache Security”, by Ivan Ristic [of mod_security fame].
    A good overview of some security issues with PHP. Most of the measures mentioned will be most useful in a hosting environment.
  • Center for Internet Security (CIS) Benchmarks for the Apache Web Server.

    CIS is the only distributor of consensus best practice standards for security configuration. The Benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FERPA and the other regulatory requirements for information security.

    I recommend CIS Level-1 security for the Apache Web Server. A number of the steps are OS-independent, and have been implemented under the Web-Developer Server Suite.

  • The OWASP Guide to Building Secure Web Applications

    The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

  • Web Application Security Consortium
  • SANS Information and Computer Security Resources [with emphasis on the Reading Room]

Googlebot Likes 404s

I’ve been playing around with Google Webmaster Tools and have noticed one thing in the site verification process that is not present on the Diagnostics/Crawl Errors tab…

Last attempt [date]: We’ve detected that your 404 (file not found) error page returns a status of 200 (Success) in the header.

Google will be unable to verify your site [for this service] if it is set up so that all URLs that do not exist redirect back to the main page. But more importantly, from the look of things, this also has the effect of incurring a penalty and/or keeping your site out of the Google index.

DynamicSide.NET was like that, and Enotarize.com was even worse, not redirecting back, but rather just displaying the main page on any and all URLs [what can I say, it’s a very simple site, pre-beta].

And I was wondering why I have not been seeing much traffic on those two from Google search.

With DynamicSide.NET, there seemed to be some type of a penalty [nothing under the webmaster tools, but I have a feeling something is going on]. And with Enotarize.com, it looked like it was not being indexed at all, for some time. I’m sure that also had/has an effect on DeveloperSide.NET, as I’m linking back to both sites.

On another note, content that did exist on your site at one point but has since been removed should return HTTP status code ‘410’ “Gone” rather than ‘404’ “Not Found”.

And what about a situation where content has moved URLs, yet there is no simple way for you to redirect? A good example of this situation is our Forums, with the switch from phpBB to SMF. They have incompatible ways of mapping URLs to posts and topics. Right now I’m just redirecting everything hitting the old phpBB ‘viewtopic.php’ URLs to the main forum URL. Perhaps I should be using a ‘303’ “See Other” code…
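Assuming the sites run Apache (this is a WAMP blog, but the post does not say how the redirect-to-main-page was implemented), here is an added example, not from the original post, of the httpd.conf/.htaccess directives that return the status codes discussed above. The paths and hostname are hypothetical. The first caveat is the important one for the Google verifier: an ErrorDocument that points at a full URL makes Apache answer the bad request with a redirect instead of a 404, and the front page at the other end of that redirect answers 200, which is exactly a “404 page returns 200”. The phpBB mapping uses 301 rather than 303, since 303 “See Other” is defined for telling a client to fetch a different resource with GET (typically after a POST), not for content that has permanently moved.

```apache
# Added example (not from the original post): Apache 2.x directives for
# httpd.conf or .htaccess. Hostnames and paths are assumptions.

# WEAK: a full URL as the error document. Apache answers the request with
# a redirect (302) to that URL, so the client never receives the 404 and
# the front page then answers 200 for every nonexistent URL (a "soft 404").
# ErrorDocument 404 http://www.example.com/

# CORRECT: a local path is served inline, and the original 404 status
# is preserved in the response header.
ErrorDocument 404 /errors/404.html

# Content that once existed and was deliberately removed: answer 410 Gone
# (mod_alias), so clients and crawlers can drop it from their index.
Redirect gone /old-article.html

# Content that moved and can be mapped URL-for-URL: 301 Moved Permanently.
Redirect permanent /old/page.html /new/page.html

# Old phpBB topic URLs with no SMF equivalent: send them to the forum index
# with a 301 so they stop showing up as errors instead of a 302 or a soft 404.
RedirectMatch permanent ^/forums/viewtopic\.php$ /forums/
```

After a change like this, request a URL you know does not exist and confirm the response line reads 404 (or 410 for removed content) rather than 200 or 302; that is the check the Webmaster Tools verifier is performing.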

Status Code Definitions
Webmaster Guidelines

Let’s Start a VPS/VDS WAMP Hosting Service

I’ve got an idea, let’s start a VPS/VDS WAMP [Windows, Apache, MySQL, PHP] hosting service, using Windows Server 2003 as the guest OS.

First, we will need a dual-CPU setup with the Intel VT or AMD-V architecture extensions, lots of RAM, and SCSI drives under RAID, as you really do need a dual-CPU setup to run these solutions.

The top two choices for a Virtualization Solution (aside from VMware) that supports Windows as a guest OS are…

  • Virtuozzo
    A true VPS solution with operating-system-level virtualization. Provides multiple Virtual Environments (VEs) that are multiplexed over one main kernel. Lowest-overhead, fastest-performing solution. Can probably manage 100 Linux-based VE/VPS instances on a server; 3 times the number compared to other solutions.

    Cost is an issue… $1000 per socket [physical CPU]

    You will need to license their management tools. Good luck trying to figure out what you do need, and the difference between these two [I think the latter is a web-based interface to the former?]…

    Management Console VZMC (GUI based)
    Single Server License $200 per seat.
    Unlimited server license $1000 per seat

    Control Center VZCC (web-based management)
    Single Server License $300 per seat

    Support will also run you $400+.

    The end-user will need the Virtuozzo Power Panel (VZPP).

  • XenServer
    A paravirtualization solution that has the industry’s support and backing. Modifies the guest OS [or makes use of the mentioned CPU extensions] to cooperate in the virtualization process.

    Cost, for 2 sockets, per year…
    XenServer $99 [licensed to run 8 virtual machines on each system]
    XenEnterprise $488 [has no limit, maybe could handle 30 linux-based VPS instances]

    A number of third-party tools are available.

Let’s note that the above products can probably handle only a third to a half as many Windows-based instances [just a guess on my part].

Let’s look into the licensing costs/issues of a setup like this…

Virtual Machine Technology FAQ

Each copy of Microsoft Windows Server, whether used as the OS for a virtual machine (“guest OS”) or as the OS for the server (“host OS”), must be separately licensed. For example, if a user is running Windows Server 2003 Enterprise Edition as a host OS on a server and creates two virtual machines, each with its own copy of Windows 2000 Server (each a guest OS), the user would require one Windows Server 2003 Enterprise Edition license and two Windows 2000 Server licenses.

Licensing does not depend on which virtualization technology is used. With a license for Windows Server 2003 R2, Enterprise Edition, you can run one instance of the software in a physical operating system environment and up to four instances in virtual operating system environments.

The MSRP on Windows Server 2003 R2 is $999 for the Standard Edition, and $3999 for the Enterprise Edition. So for 1 host and 40 Win32 guests max, that would cost us $25,000 (~60% of retail). There is one problem with this… Microsoft can’t make up its mind on whether the license ties to the device or the end-user, and who exactly the licensee is. In this VH context, this might break a few clauses.

Luckily, Microsoft does have the Service Provider License Agreement (SPLA), which would allow us to lease the OS on a month-to-month basis for hosting. It’s pay-as-you-go, so if we only have 1 customer, we are paying for 1 license and for 1 month. While I cannot locate a price list, it is my understanding that the cost is usually about 3% of the perpetual price (retail, or average?).

Let’s add another $5000 for the cost of renting the server and another $5000 that Virtuozzo will extort in licensing fees (for 40 users) [both for one year].

At this point, assuming 12 months and 40 accounts, we are in for $25,000. To break even, we would have to charge $50 per month, which is still about $20 more than what you could charge for a Linux VPS. And at those prices we would be working for free. For one person to do this and make a living, you would need lots of paying customers and a farm of servers. Hosting is a cutthroat business.

More info on the subject…

There are also other noteworthy solutions like VMware (full virtualization) and Virtual Iron (based on Xen, but with native virtualization).

VMware has some really great things going for it, like ease of use, and their appliance initiative.

Spry seems to offer a dedicated server with Virtuozzo already setup, with 100 VE/VPS licenses — Linux as host/guest OS.

DynamicSide.NET Now Accepting DNS Records

Dynamic DNS at DynamicSide.NET

I’ve put up a working Dynamic DNS solution. Record updates are immediate, though your ISP/system/browser DNS cache might make you wait 10-15 minutes.

Mail and web-forwarding functionality has been temporarily disabled, but the dynamic DNS part is good to go…

Create an account, and try it out.

*.dynside.net sub-domains are out for the time being, as I deal with our new DNS situation… but if you have a registered domain name and can point it with your registrar to the nameservers ns1.dynside.net and ns2.dynside.net, you are good to go.

I’m going to have to lose the host’s nameserver entries for dynside.net and just do my own authoritative DNS entirely. Not the best situation, but it’s the only way I can give away sub-domains without entering a wildcard record with Linode DNS and delegating all unknown hosts back to me [their system will not accept a ‘*’ type of record].

I think I can get that up tomorrow.

Update 01/28/07
DNS for dynside.net sub-domains has been enabled.