November 7, 2001

Solve IIS security problems -- pretend it's Apache

Author: JT Smith

- by Robin "Roblimo" Miller -

Mark Douglas, senior engineering v.p. of commercial Apache provider Covalent, says there's an easy way to make Microsoft's famously insecure IIS server impervious to Nimda, Code Red, and other worms and viruses: hide your IIS servers behind Apache."Simply," Mark says, "even with all the viruses that are proliferating over the Web, if IIS is not directly on the Web it is not subject to them."

Covalent has a number of security experts on staff who not only work to make the company's own products secure, but feed their code back into Open Source versions of Apache. Plus, there are thousands of other Apache developers out there who don't work for Covalent but also have their eagle eyes on the code, constantly seeking out and destroying security holes.

The $64,000 question here is, of course, "Why not just ditch IIS and switch to Apache?"

Because, Mark explains, a lot of companies have huge investments in Microsoft-based software that will only run on IIS servers, and they don't want to throw away all that work -- at least, not immediately. But Mark expects that "a lot of these companies will migrate [to Apache] over time..."

We couldn't help asking one more question: If a company that wants to curry favor with the Open Source community couldn't (sneakily) hide their IIS servers behind a Covalent or generic Apache Webserver; would Netcraft, for instance, be fooled?

"Yes, Netcraft would see it [a IIS server behind Apache] as Apache," Mark says.

Covalent marketing v.p. Jim Zemlin points out, though, that "this is like putting a Mercedes hood ornament on a Chevy. The true way to solve IIS problems is to migrate to Apache."


  • Open Source
Click Here!