Slashdot Mirror


IIS Security - Using a Linux Box as a Sentry?

Steven Yi asks: "This is a suggestion - why not consider IIS an 'application server', similar to the way we consider BEA WebLogic an app server? Continue using your Windows Servers to process your programming logic and ASP pages - but use a box running Apache as your true web server. This is the way many other app-server driven hardware setups are arranged. Internet --> (Apache Web Server) --> (IIS 'App Server'). The obvious point is that there isn't an Apache plugin to redirect Microsoft/ASP page requests, but couldn't this be written fairly quickly? I think this would be a much cheaper migration path where existing Microsoft applications/hardware can be preserved and your internet security would be greatly enhanced with a Linux/UNIX Apache server guarding the internet connection." Many savvy readers should realize that a mod_rewrite + mod_proxy combination should be all you need to implement such a feature. Has anyone deployed something similar for their production systems?

4 of 13 comments

  1. Came up not long ago. by crisco · Score: 4, Informative
    There was an article titled Securing an Unpatchable Webserver that detailed an IIS 3.0 server that had a custom application that wouldn't run on newer IIS. Microsoft's solution to one of the IIS 3 vulnerabilities was upgrading to IIS 4 or greater, but because of the custom app this wasn't a short term option. These guys set up a box with Hogwash and Snort to filter the requests to the IIS server.

    Unfortunately the article seems to have disappeared but you might have better luck finding it than I did.

    --

    Bleh!

    1. Re:Came up not long ago. by thebabelfish · Score: 4, Informative

      Here's Google's cache of the article I think you're talking about.

      --
      "I don't trust goats," --To Catch a Spy
  2. It's pretty close to no-brainer by alienmole · Score: 3, Informative
    Most of the attacks on IIS have had very predictable URL structures, which could easily be filtered out. The classic one is of the form:

    http://www.microsoft.com/scripts/../../winnt/system32/cmd.exe?/c+dir

    Stuff like this, or URLs containing Unicode characters or known-bad sequences like ::$DATA, would be easy to filter out. In fact, Microsoft has a program designed to install on IIS servers to do just that, called something like URLCheck, I forget exactly. This job could just as easily be done by a separate dedicated box, with a config page to allow the level of paranoia to be specified, or new URL blocking templates to be installed.
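
    As an added illustration of the filter alienmole describes (example code written for this page, not code from the article, from Microsoft's URL-checking tool, or from Hogwash/Snort), the check below is the logic a dedicated sentry box could apply to each request path before handing it to IIS. It assumes Python 3 and a made-up host name example.test; an Apache front end would express the same rules with mod_rewrite, which is not shown here.

```python
import re
from urllib.parse import unquote, urlsplit

# Known-bad sequences named in the comment above; add further
# "blocking templates" here as the comment suggests.
BAD_SEQUENCES = ("::$DATA",)
# Anything outside printable ASCII (raw Unicode, control bytes).
NON_ASCII = re.compile(r"[^\x20-\x7e]")


def normalize_path(raw_path):
    """Decode and canonicalise a request path the way the back end would.

    Percent-decoding is repeated until stable so that double-encoded
    sequences such as %252e are seen in their decoded form. Backslashes
    are treated as path separators because IIS accepts them as such.
    """
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_webroot(path):
    """True if the '..' segments climb above the web root."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def classify_request(url):
    """Return (allowed, reason) for a full request URL seen by the sentry."""
    path = normalize_path(urlsplit(url).path)
    if NON_ASCII.search(path):
        return False, "non-ascii or control byte in path"
    if escapes_webroot(path):
        return False, "path escapes web root"
    upper = path.upper()
    for seq in BAD_SEQUENCES:
        if seq.upper() in upper:
            return False, "known-bad sequence %s" % seq
    return True, "ok"
```

    Invalid percent-encoded byte sequences decode to the Unicode replacement character, so they are caught by the same non-ASCII rule as literal Unicode in the path.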

  3. Re:Anti-virus scanners in hardware by SyniK · Score: 3, Informative

    Stateful Packet Inspection. Application Gateways. Enough buzzwords:
    http://www.avolio.com/apgw+spf.html

    You might want to look up the 7 layer OSI model as well. Routers live in level 3. Stateful packet inspection firewalls live in level 4. It takes a little faster network and muscle to keep up with routers, but it's being done all across the 'net as we speak.
    (I think the levels are right! Lord knows I'm going to be crucified if I'm wrong...)

    --
    -Tom