PerlMonks  

Re^2: LAMP svrs - 1 or 2 is best ?

by eXile (Priest)
on May 10, 2005 at 16:00 UTC


in reply to Re: LAMP svrs - 1 or 2 is best ?
in thread LAMP svrs - 1 or 2 is best ?

Performance isn't the issue - it's security. If you have your webserver outside your firewall and your database inside your firewall, then you can regulate exactly who gets access to the database server. It's that simple.

I don't understand how 2 servers are more secure than 1 server; I tend to think it's the opposite: 2 servers means 2x as much chance of errors in configuration, and I don't think having the webserver and database on different machines gives you security you can't achieve with one machine (you can firewall a database server on the same machine in the same way as you can firewall it if it's on a different machine).

I think the biggest advantage of having one service per machine is that you can tune them specifically and independently for the service, so add 'more iron' (i.e. RAM, CPU, faster disks) if the performance of one of the services is below satisfactory levels.

Update: I see gellyfish has already made the point I make in my last paragraph (see his comments below)

Re^3: LAMP svrs - 1 or 2 is best ?
by dragonchild (Archbishop) on May 10, 2005 at 17:39 UTC
    Assume you have a hardware firewall. This means that to cross the FW threshold, you have to be authorized in some fashion or another. The webserver is, generally, put into the DMZ outside this firewall. You're still going to lock down the ports, chroot the webserver and do all that stuff. But, it has to be outside the firewall so that the outside world knows how to get to it.

    The DB server is inside the FW. It doesn't have an outside-accessible name. The webserver, because it's physically connected to the FW, has access to the internal DNS, so it knows how to find the DB server.

    Basically, it's an additional layer protecting the only thing that's important - the data. You can't just hack the DB server - you have to hack the webserver to hack the DB, and even then, you only have the access the web application has.


    • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
    • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
      While I agree that having db and webserver on different machines can provide an additional layer of protection (for instance against an attack where the root account on your webserver is compromised), I want to warn against a 'put a firewall in between and you're safe' view. I think this is too simplistic. Firewalls are often seen as a magic box that makes your network safe. To increase your network security, stuff like good intrusion detection (both on the network and on a local machine), good backup/recovery procedures and common sense are as important, if not more important.

      There are tons of exploits in web/database apps, and common errors programmers make (not using placeholders while using DBI, for instance), that use the webserver-to-database channel to get to the database; no firewall will help you here, as you state yourself.

      I highly recommend reading Bruce Schneier's 'Secrets and Lies' for a good holistic view of security. Especially the part on attack trees (building a tree of the most likely ways a hacker will attack you) is very interesting.

      mmm, we're deviating a lot from the OP question, I'll stop muttering.
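As an added example (not code from anyone in this thread), here is the DBI placeholder error eXile mentions, shown against a constructed in-memory SQLite database via DBD::SQLite. The table, the names in it and the web-supplied input are all assumed for illustration; the point is that a legitimate value containing a quote already breaks the interpolated query, while the placeholder version handles it correctly, and no firewall between the two boxes sees any difference.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database standing in for the real DB server.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, $_)
    for ("alice", "O'Brien");

# Assumed web-supplied input: a perfectly legitimate name that contains a quote.
my $input = "O'Brien";

# The common error: interpolating user input straight into the SQL text.
# The quote in the input terminates the string literal early, so the
# statement the database executes is no longer the one the programmer wrote.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT id FROM users WHERE name = '$name'";
    return $dbh->selectrow_array($sql);
}

# The fix: a placeholder. DBI sends the SQL text and the value separately,
# so the value can never alter the structure of the statement.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    my $sql = "SELECT id FROM users WHERE name = ?";
    return $dbh->selectrow_array($sql, undef, $name);
}

# With RaiseError set, the interpolated version dies on the malformed SQL.
my $id = eval { lookup_interpolated($dbh, $input) };
print "interpolated: ", (defined $id ? "id=$id" : "failed: $@"), "\n";

$id = lookup_placeholder($dbh, $input);
print "placeholder:  id=$id\n";
```

The same channel that carries the placeholder query carries the broken one, which is why the webserver-to-database path has to be secured in the application code, not only at the network boundary.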

        I will wholeheartedly agree that a firewall isn't a magic box that will make you secure. It's a necessary, but not sufficient, requirement for being secure. And, it needs to be done with everything else in mind.

        My entire point is that you separate your servers for security-based reasons, not performance ones. The performance reasons are usually non-existent.


        • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
        • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
