Peter Johnson wrote:
It is possible for Apache to be compromised without Tomcat being compromised e.g. an overflow in Apache. So if Apache (or other service on the front box) is compromised and the systems are tiered then the intruder can only impersonate local actions. If all tiers reside on the same server then by compromising Apache or Tomcat the intruder can effectively impersonate as either tier.
Well, it is not as easy as it may sound. Both TC and Apache run under unprivileged users. Apache is started by root, but will drop to "apache" or "http" user as soon as it has bound itself to port 80 (which requires root). So, compromising Apache leads to someone controlling a process with Apache privileges. That *is* a starting point to further compromise the system, but doesn't automatically open TC to the intruder. If the intruder can easily compromise "tomcat" user, then most likely it can compromise "root", too.
Of course, having a rogue apache process on a box that has no other service makes it easier to isolate the attacker, which is a good option. Providing you know what to do, once you've realized the compromise took place.
From the security point of view this "reverse" approach is actually good. Ask yourself, "what am I supposed to do, if the Apache gets compromised?". When you answer that question, you will have a clearer picture of the preferred system architecture. Also, ask yourself, "what is the system supposed to do? How should it perform?" and you will have an even clearer picture.
Nix.
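An added example, not part of the original message: a small audit of the account separation discussed above, checking that Apache workers are not running as root and that Apache and Tomcat do not share an account. The process listing is constructed sample data in the layout of `ps -eo user,pid,ppid,args`; the account names and paths in it are assumptions.

```python
"""Audit the privilege separation between Apache and Tomcat processes."""

# Constructed sample in the layout of `ps -eo user,pid,ppid,args`.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root       812     1 /usr/sbin/httpd -k start
apache     901   812 /usr/sbin/httpd -k start
apache     902   812 /usr/sbin/httpd -k start
tomcat    1440     1 /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
"""


def parse_ps(text):
    """Return a list of (user, pid, ppid, args) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, args = parts
            rows.append((user, int(pid), int(ppid), args))
    return rows


def audit(text):
    """Return findings about Apache/Tomcat account separation."""
    rows = parse_ps(text)
    httpd = [r for r in rows if r[3].split()[0].endswith(("httpd", "apache2"))]
    tomcat = [r for r in rows if "org.apache.catalina" in r[3]]
    httpd_pids = {r[1] for r in httpd}
    findings = []
    # httpd is started by root to bind port 80; workers (children of another
    # httpd process) serve requests and should run as the unprivileged account.
    for user, pid, ppid, _ in httpd:
        if ppid in httpd_pids and user == "root":
            findings.append(f"httpd worker {pid} still runs as root")
    for user, pid, _, _ in tomcat:
        if user == "root":
            findings.append(f"tomcat process {pid} runs as root")
    worker_users = {r[0] for r in httpd if r[2] in httpd_pids}
    shared = worker_users & {r[0] for r in tomcat}
    for user in sorted(shared):
        findings.append(f"httpd and tomcat share account {user!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS) or ["separation looks as described"]:
        print(finding)
```

On a live host, the same function can be fed the real output of `ps -eo user,pid,ppid,args`.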