[WEB4LIB] apache v. netscape enterprise security
Mark Pecaut
pecautm at missouri.edu
Fri Jan 26 11:00:12 EST 2001
I think you are right - They are saying `we aren't sure how to make
it secure'. Quite honestly, they won't know how to make Enterprise
secure either, but since it has web-based administration instead
of text configuration files, they feel like they understand it a
bit more.

I'm sorry you are stuck with such hokey-pokey system people.

Go to securityfocus.com and under `vulnerabilities', look under
(apache group, apache) and compare this to (netscape, enterprise).
They have about the same number of problems, with enterprise having
a slightly higher number. In all reality, it probably doesn't
matter that much between the products. I think what will
probably make the difference is good system people. Many, many
system people don't have a clue what security is about, what makes
systems insecure and how crackers exploit vulnerabilities. This
is unfortunate.

Besides, what does OpenBSD.org run? They are generally considered
to be number 1 in security - see for yourself:
http://uptime.netcraft.com/up/graph?site=openbsd.org

Since the source code to apache is available and millions of
people have been through it, plus the fact that 60% of the
internet is run by apache, I would guess Apache is pretty safe
to run.

A more relevant concern is the entire setup. Are they going to
use a RedHat default install and leave all the services turned on?
Are they going to be using telnet and ftp? These are horrible
services to run because they send passwords in the clear. Crackers
usually don't pursue Apache exploits since there have been several
easy ftp exploits recently and there are much easier ways to get into
a system than through Apache.

I'm sorry to be so critical, but it really irritates me to see
people being served poorly by their tech people's ignorance.

-Mark

On Fri, Jan 26, 2001 at 07:17:06AM -0800, Kenneth Irwin wrote:
> Hi folks,
>
> Can anyone tell me how Apache and Enterprise compare as far as security
> goes? Our local systems folks are anti-Apache on security grounds; since
> everyone else in the world seems to be pro-Apache, I figure good security
> must be possible -- please tell me I'm right?
>
> I've not actually heard much from them yet about the specifics of their
> concerns -- when I meet with them next week I'd like to have some clue
> about *other* people's perceptions of the relative security merits. I know
> our folks haven't used Apache much, so I have a feeling that "the security
> is insufficient" may really be "we aren't sure how to make it secure".
>
> Any ideas on the general comparison or on where to get good information on
> making Apache secure would be appreciated.
>
> Thanks,
> Ken
>
> Ken Irwin kirwin at wittenberg.edu
> Reference/Electronic Resources Librarian (937) 327-7594
> Thomas Library, Wittenberg University