IIS vs. Apache, Reported Vulnerabilities

And round and round we go again: history repeating itself one more time.

So what’s the newest Microsoft FUD [Fear, Uncertainty, and Doubt] tactic these days…

Apparently, it is to get a bunch of bloggers and security experts to regurgitate a statement built on the bare statistic that Apache has 33 reported “vulnerabilities” to IIS’s 3.

How exactly those numbers translate into a measure of a web server’s security is, of course, left out.

Let’s look at this issue a bit closer:

Apache serves roughly two thirds of the web. It has thousands of developers and companies around the world working with the codebase: constantly securing, improving, developing, and moving Apache forward.

Is this considered a *bad thing* by the Microsoft camp? Should vulnerabilities not be looked for, reported, and fixed?

So I have just one question: how many vulnerabilities would be reported for IIS if its source code were open?

I think it might also be prudent to…

  1. Break down the vulnerability counts for the Apache core versus specific modules.
  2. Reflect on the seriousness of each reported vulnerability: is it only theoretical or otherwise insignificant, and has a working exploit ever been developed [and if so, how long after the fact, three years?].
  3. Measure the time between a vulnerability being reported and being fixed.
  4. Ask how many of the reported vulnerabilities you actually needed to respond to.

Take a look for yourself…
Secunia.com: Apache 2.0 Vulnerabilities
Apache.org: Apache 2.0 Vulnerabilities and Fixes

Throwing out bare statistics serves no purpose other than spreading FUD.

Instead, why not report on the merits of IIS itself… Specifically, on the improvements and features of IIS 6 and 7.

Move over Apache, Here Comes Lighttpd

Perhaps in a few years that will be the headline.

In the mean time, lighttpd does look very promising…

“Security, speed, compliance, and flexibility–all of these describe LightTPD which is rapidly redefining efficiency of a webserver; as it is designed and optimized for high performance environments.”

“lighttpd powers several popular Web 2.0 sites like YouTube, wikipedia and meebo. Its high speed io-infrastructure allows them to scale several times better with the same hardware than with alternative webservers.”

The configuration file for lighttpd looks more like source code than a typical ini file. One feature that I am particularly impressed with, and that has no Apache counterpart, is the conditional configuration.
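Here is an added example of that conditional configuration, written for this page rather than taken from the lighttpd project or the original post. The host name, document roots, log path, certificate path and address range are placeholders; the point is how `$HTTP[...]` and `$SERVER[...]` blocks nest and scope settings, which is what Apache’s `<VirtualHost>` and `.htaccess` cannot express in one place.

```lighttpd
# Added example (not from the original post or the lighttpd project).
# Host names, paths and address ranges below are placeholders.
server.modules = ( "mod_access", "mod_accesslog" )
server.port          = 80
server.document-root = "/var/www/default"

# Global rule: editor backups and include files are never served
url.access-deny = ( "~", ".inc", ".bak" )

# Dotfiles (.htaccess, .svn/, .git/ ...) get a 403 on every host.
# An empty string in url.access-deny matches every URL inside the block.
$HTTP["url"] =~ "^/\." {
    url.access-deny = ( "" )
}

# Per-host settings: a conditional takes the place of a <VirtualHost> block
$HTTP["host"] == "www.example.com" {
    server.document-root = "/var/www/example"
    accesslog.filename   = "/var/log/lighttpd/example.access.log"

    # Nested conditional: /admin/ is only reachable from the LAN (CIDR match)
    $HTTP["url"] =~ "^/admin/" {
        $HTTP["remoteip"] != "10.0.0.0/8" {
            url.access-deny = ( "" )
        }
    }
}

# Conditionals can also key on the listening socket, so TLS is enabled per port
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/www.example.com.pem"
}
```

Run `lighttpd -t -f /etc/lighttpd/lighttpd.conf` after editing; it parses the file and reports unbalanced braces or unknown options before you restart the daemon. Note that settings inside a block override the global value only for requests that match the condition, so the deny rule for `/admin/` leaves the rest of `www.example.com` untouched.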

Let’s hope this project stays afloat. Competition is a good thing for the end user.

Also, take a look at the LiteSpeed Web Server.

Choosing Apache or IIS? Use Both

Why settle on just one paradigm when you can have the best of both worlds? Use each model for what it does best…

  • One Linux Server for Apache and PHP.
  • One Windows Server for IIS and ASP.NET.
  • One common database backend: SQL Server, MySQL, PostgreSQL, or Oracle.

Place Linux/Apache up front and ProxyPass the requests/URLs that belong to IIS through to it, or use some other reverse proxy to do the forwarding.

And if you would like, everything can go on one Windows system by using WAMP. Just make sure to disable socket pooling, so that IIS (http.sys on IIS 6 and later) stops claiming port 80 on every address and Apache can bind port 80 on its own IP.

In a way, with this method, you can also secure IIS by putting mod_security, running under Apache, in front of it. Though the days of IIS 5 are over, and I have to admit that IIS 6 and 7 are okay to stand on their own.
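As an added example, not from the original post, here is an Apache 2.2-style virtual host that keeps the PHP site local, forwards only the ASP.NET part of the site to an IIS box, and runs mod_security on every request before it is served or forwarded. The host name, backend address, paths and the rule id are placeholders.

```apache
# Added example, not from the original post. Apache 2.2 syntax;
# host name, backend address, paths and the mod_security rule id are placeholders.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule security2_module  modules/mod_security2.so

# Reverse proxy only: ProxyRequests On would turn this box into an open proxy.
ProxyRequests     Off
# Pass the client's Host header through so IIS host-header bindings still match.
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/php-site

    # mod_security inspects every request, including the ones headed for IIS
    SecRuleEngine        On
    SecRequestBodyAccess On
    # Reject parameters carrying null bytes before they reach either backend
    SecRule ARGS "@validateByteRange 1-255" \
        "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:400,msg:'Null byte in parameter'"

    # Only /dotnet/ lives on the Windows box; everything else stays on Apache/PHP.
    # ProxyPassReverse rewrites Location headers IIS sends back so redirects
    # keep pointing at this host rather than at the internal address.
    ProxyPass        /dotnet/ http://10.0.0.20/dotnet/
    ProxyPassReverse /dotnet/ http://10.0.0.20/dotnet/

    # PHP is handled locally by this server
    <Directory /var/www/php-site>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading. Two things to keep straight: the IIS backend should only accept connections from the Apache host (a firewall rule on the Windows side), otherwise the WAF can be bypassed by talking to 10.0.0.20 directly; and the ASP.NET application will see the proxy’s address as the client unless it reads the X-Forwarded-For header that mod_proxy adds.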

Apache vs. IIS

Recently, a few choice diagrams from the past, mapping the system calls that Apache and IIS perform, have been making another round on the internet. So I thought I would add my two cents on the matter…

Why Windows is less secure than Linux

“Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.”

Diagram of Apache’s internal system calls…
Apache System Calls

Diagram of IIS’s internal system calls…
IIS System Calls

I’ll let the images speak for themselves, and comment not on the above, or on its interpretation, but rather on the following…

“Apache cannot be compared to IIS. Apples and oranges!”

What… Why not? They have the same function, right?

“Apache, out-of-the-box, only serves static pages! It needs modules to add functionality. IIS, on the other hand, has all sorts of functionality built into it, such as running .NET applications and ASP.NET scripts. IIS is tied into Active Directory and many other Windows Server-specific technologies. It integrates with the OS!”

You say that like it’s a good thing.

“When you add enough extensions to Apache to provide it with abilities equivalent to IIS’s base functionality, it will make just as many system calls and be just as complex.”

We only have a baseline of what happens for one static HTML page and one image request. Anything else is a guess.

“Apache has 33 reported vulnerabilities. IIS has only 3 advisories!”

Apache? You meant to say “Apache modules”, didn’t you? As far as I know, having someone actually look at the source and work out the bugs *is* a good thing. The matter of people being sued and/or having their careers ruined for reporting vulnerabilities in proprietary products also plays into this, don’t you think?

“IIS has come quite a long way since the days of Windows NT/2000. IIS6 is a major improvement and IIS7 is a thing of beauty. When I show people how IIS 6 works, they become impressed.”

Maybe so.

Just to be fair, I will say this in defense of IIS…

Apache is written in C, while IIS is more of an object-oriented C++ product, which can translate into more calls.

Taking another page from Apache’s playbook [good things get copied, right?]:

  • Microsoft has switched to a completely modular design with IIS 7: features ship as individually installable modules.
  • IIS 7 is configured from text files: applicationHost.config for server-wide settings and web.config for per-site and per-application settings.
  • IIS 7 can be administered from the command line with appcmd.exe, and from Windows PowerShell through the IIS PowerShell snap-in (a separate download for IIS 7.0, built in from IIS 7.5).

“First they ignore you, then they laugh at you, then they fight you, then you win.” – Mahatma Gandhi.

Securing Your Server and Web Applications

There is no shortage of bad, incomplete, and outdated information on the Internet and in print. And if that was not bad enough, there is also the problem of information overload.

Here are a few resources that can get you up to speed…

  • Chapter 3: PHP, from the book “Apache Security” by Ivan Ristic [of mod_security fame].
    A good overview of some security issues with PHP. Most of the measures mentioned will be most useful in a hosting environment.
  • Center for Internet Security (CIS) Benchmarks for the Apache Web Server.

    CIS is the only distributor of consensus best practice standards for security configuration. The Benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLBA, SOX, HIPAA, FERPA and the other regulatory requirements for information security.

    I recommend CIS Level 1 for the Apache web server. A number of the steps are OS-independent and have been implemented in the Web-Developer Server Suite.

  • The OWASP Guide to Building Secure Web Applications

    The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

  • Web Application Security Consortium
  • SANS Information and Computer Security Resources [with emphasis on the Reading Room]