Regards,
Christian Mennequin
Barclays IRCB / DI
183 avenue Daumesnil
75575 Paris Cedex 12
Phone : 0033 (0)1.55.78.43.05
Email : [EMAIL PROTECTED]
"Leon Rosenberg" <[EMAIL PROTECTED]>
09/01/2007 22:04
Please reply to: "Tomcat Users List" <users@tomcat.apache.org>
To: "Tomcat Users List" <users@tomcat.apache.org>
cc:
Subject: Re: Securing Tomcat Article for Review

On 1/9/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> Leon's message says flat out that adding Apache httpd reduces security,
> and provides no basis for that statement. A more appropriate statement
> might have been that Apache does not add any appreciable measure of
> security as Tomcat provides the same kinds of protections against
> unauthorized access, etc.

Allow me to explain this. As other posters already explained, putting a httpd in front of tomcat doesn't increase security. The only way it could increase it would be if it could handle known security issues and protect the tomcat from the usage of such exploits. Personally I don't know of any, and even if I did, I would doubt that putting httpd in front would be the best solution, or that httpd can protect something better than a firewall, which is actually designed to protect. Httpd is not.

Can we agree that httpd doesn't increase security now?

Now, moving on, if httpd doesn't increase security, it either a) has zero impact or b) decreases it.

As for option a) (although I don't believe it): even if it would have zero effect, there is always the possibility of the human factor (mistakenly released configs or something). So even with option a) the sole presence of httpd wouldn't reduce security, its presence would give more opportunity for the human to fail, and therefore reduce security indirectly.

As for option b): httpd is a lot of code. Any code contains bugs. So chances are good that httpd will add its own bugs to the existing tomcat bugs without hiding some of them. So the overall bug count will increase, therefore increasing the number of possible security-relevant bugs. Therefore decreased security.
q.e.d :-)

However, putting a firewall in front of any webserver to protect the host and the server from attacks it can't deal with seems a very good idea to me :-)

best regards
Leon