IISvs. Apache: which is the first choice for security?

Not long ago, network administrators had not studied their institution's network service platforms. If part of their work is Windows, they will run Microsoft's Internet Information Server (IIS). if part of their work is Linux/Unix,

Not long ago, network administrators had not studied their institution's network service platforms. If part of their work is Windows, they will run Microsoft's Internet Information Server (IIS). if part of their work is Linux/Unix, they will apply Apache. IIS and Apache will never meet each other. However, the Times have changed. Apache HTTP Server plans to push down the walls of a network server's Windows edition by announcing it. The network server history can be traced back to the original NCSA httpd server. Now, there are two "big kids" in this category, and the Windows administrator has at least some mobility (not to mention Microsoft's soon announced Linux platform's IIS !).

From a security perspective, this choice is controversial. The following four factors may affect your decision-making on the safest platform for your organization:

· Inherent server security vulnerabilities. Despite a lot of media criticism of Microsoft, these two platforms are almost equally vulnerable to attacks. According to a recent study published by the Computer Emergency Response Team Security Vulnerability Database, IIS security vulnerabilities were attacked 28 times, and Apache security vulnerabilities were attacked 25 times. In the field of information security, this is very close like the gap in horse racing.

· Existing network governance knowledge. If your network administrator has applied a platform and is very familiar with its security settings, it is an extremely important factor. A large number of security breakthroughs are caused by incorrect settings of skilled network administrators. When you apply a new platform, it is easy to present errors.

· Familiar with the controller of the control system. The security of a network server is the same as that of the basic control system. If an attacker is able to gain the administrator privilege of the system, attacking the network server is a trivial matter. Therefore, consider the skills of your system administrator when making this decision. If you are part of an application Windows control system, this is not an important factor because IIS and Apache are both running on Windows platforms. However, if some of your applications use Unix, you need to add an additional score for Apache in your analysis, because the conversion to IIS still needs to be retained by the administrator who works in the Windows environment.

· Skills of developers. If you are creating a dynamic web page (ASP, PHP, CGI, etc.), consider the security skills of your developers. Like the control system administrator, developers are unlikely to make errors in a familiar environment. If your developer prefers a development environment, consider this factor. However, you should also know that there are many ways to port common network development systems to other platforms on the Internet. For example, the Sun Java System ASP and Apache: ASP both promise to apply ASP on the RedHat server. Similarly, installing and setting PHP on the IIS server is also possible.

We discuss this title from the perspective of information security. It is important to remember this. Although IIS and Apache have the same efficacy, if your technical staff grasp the skills closely related to your organization, this factor must be taken into account in risk and benefit analysis. Happy network service!