Slashdot Mirror

← Back to Stories (view on slashdot.org)

IIS Security - Using a Linux Box as a Sentry?

Posted by Cliff on from the penguins-as-network-security-guards dept.

Steven Yi asks: "This is a suggestion - why not consider IIS an 'application server', similar to they way we consider BEA WebLogic an app server? Continue using your Windows Servers to process your programming logic and ASP pages - but use a box running Apache as your true web server. This is the way many other app-server driven hardware setups are like. Internet --> (Apache Web Server) --> (IIS 'App Server'). The obvious point is that there isn't an Apache plugin to redirect Microsoft/ASP page requests, but couldn't this be written fairly quickly? I think this would be a much cheaper migration path where existing Microsoft applications/hardware can be preserved and your internet security would be greatly enhanced with a Linux/UNIX Apache server guarding the internet connection." Many saavy readers should realize that a mod_rewrite + mod_proxy combination should be all you need to implement such a feature. Has anyone deployed something similar for their production systems?

2 of 13 comments (clear)

  1. Hardware device? by mini+me · · Score: 3, Insightful

    Here is an opportunity to sell a network appliance that you can just drop into your network and have it secure your IIS server.
    Just put a simple installation of Linux/*BSD/etc and a copy of Apache+modules to do this. Put a web based administration utility on it for configuring IP addresses and what-not and let it do it's thing. You could also include an update system (something along the lines of Norton Antivirus LiveUpdate) that grabs updates so it can filter any new HTTP requests that show up that can harm an IIS server as well as any holes that may show up in the appliance itself.

    PHB's seem to be fond of "black boxes" even if they do run Linux. But there is no way that they'd ever allow a regular old computer run Linux, it's not the Microsoft way! Oh, the irony, but anyway.
    I think it is now time to find myself a nice embeded computer...

  2. This still isn't a "no-brainer" solution. by dkemist · · Score: 3, Insightful

    Adding an HTTP forwarder in front of an IIS server isn't going to help for pure HTTP based attacks. If there's a legitimate HTTP request that IIS is going to mishandle, Apache in proxy mode will happily forward on that HTTP request and let IIS choke on it.

    Clueful admins can use something like mod_rewrite to sanitize HTTP requests and deny suspect (ie too long, contains a specific string..) URL requests, but if I remember correctly, even mod_rewrite doesn't let you rewrite stuff like Host: headers which can be abused as well.

    I'm not saying it's a bad solution. In fact, I've suggested it in the past. It just has to be implemented carefully. It's not going to be a drop in black box solution the PHB likes.