tm1776

Distinguished
Mar 27, 2006
Hi there. I really need a point in the right direction here as I have been procrastinating on this for a while due to not knowing what to do. For my honours dissertation I am comparing web servers "Apache" and "IIS" measuring performance and security. There are also other objectives such as finding trends in the global market for the more dominant web server for different types of websites (I.E., I've found that Apache is used a lot more in the Financial sector for secure bank related sites). However, I really need to start working on my main objective. I cannot compare these 2 web servers if I cannot create a baseline configuration, as they both differ greatly in their configuration methods. I have 2 books "Apache Essentials" and "The Complete reference IIS 6" but I'm still not sure how to configure both of these so they have the same level of security/performance. One of my solutions, although I am not entirely sure about this, is to find a third party tool that will allow me to set up Apache through a GUI. At least then it makes things simpler. So can anybody give me a hint as to how I can try and set up these web servers so that all testing will be fair?
 

tm1776

Distinguished
Mar 27, 2006
No suggestions? I really want to move on from this baseline config. I know it's not going to be perfect. I mean, how can a 4th year student with little prior knowledge of these 2 web servers configure them to be 100% equal? I did my best however to make sure they were roughly set up similar. Apache has soooooo many modules that can be loaded, or are enabled, and the amount of configuration options seems a lot more than the IIS 6.0 web server options. I've made sure bandwidth throttling is disabled for both servers (in Apache, you can't even set it up without putting in the module yourself) so that's fine, I've set the time out values to 120 seconds in both web servers, also no SSL running on either server. HTTP KEEP ALIVE is enabled on both. I've also commented out a few modules in Apache that I don't feel are needed in the baseline configuration. These are mod_actions, mod_alias, mod_cgi, mod_env, mod_setenvif.

Other than what I've done, is there anything else anyone can think of? There aren't a whole lot of performance configurations in IIS web server anyway. I'm still to look at the security side of things but like I said, I have no SSL running and am using port 80 for both. And I can't think of anything else. I will need to move on to try and finish this dissertation as I only have about 1 month and a half left and I will need to start measuring the performance of them, making comparisons, and then using Denial of Service Attacks to see how security is affected by firstly the baseline config. I made, and then how it changes when I change certain server options, or load in modules etc.

Help very much appreciated, thanks.
 

JustAGuy51

Distinguished
Oct 1, 2008
Performancewise:
It also depends on what kind of site you run, static or dynamic pages. For Apache, if JEE based, it will be Tomcat server. For IIS (I know little about it), the equivalent technology will be something like .asp/.net stuff. In my belief, running a PHP-based site will be faster than either JEE or ASP based sites.

Security:
I believe Apache is much more secure than IIS. I'll only talk about Apache here.

You can run Apache under a dedicated user; you should never run under 'root', which means that you should use either 'chroot' or 'jail' to run it under a dedicated user. Chrooting Apache and its gang is much harder than using 'jail'. Jail is FreeBSD native but you can port it under Linux or other *nix.

Concerning CGI programs/customized/site-specific stuff, if Apache is running as root, you can tell Apache to run them under a different user. If Apache is running as one user, then all those programs will run under the same user; this is due to the fact that the chroot() call can only be made by root.

Apache and its core modules themselves are pretty well-audited and secure. It is 3rd party modules and customized stuff that usually open up compromises.

Hope it helps a bit.
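
A baseline check for the Apache side of the comparison discussed in this thread, as an added example that is not part of any post: it reads an httpd.conf and reports where it deviates from the settings tm1776 lists (120-second timeout, keep-alive on, port 80, no SSL, the five modules commented out) and from the dedicated-user advice in the reply. The function names and the sample config are constructed for illustration, the module identifiers are the standard `LoadModule` names for the modules named above, and the IIS side is not covered.

```python
# Baseline from the thread: 120 s timeout, keep-alive on, plain HTTP on port 80.
BASELINE = {"timeout": "120", "keepalive": "on", "listen": "80"}
# LoadModule identifiers of the modules the poster commented out.
DISABLED_MODULES = {"actions_module", "alias_module", "cgi_module",
                    "env_module", "setenvif_module"}

# Constructed sample httpd.conf (not taken from the thread).
SAMPLE = """\
Listen 80
Timeout 300
KeepAlive On
User apache
LoadModule cgi_module modules/mod_cgi.so
#LoadModule alias_module modules/mod_alias.so
LoadModule dir_module modules/mod_dir.so
"""

def parse_httpd_conf(text):
    """Collect active directives and loaded modules; comments and <Section> tags are skipped."""
    directives, modules = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if name == "loadmodule" and value:
            modules.add(value.split()[0])
        else:
            directives.setdefault(name, []).append(value.lower())
    return directives, modules

def audit(text):
    """Return deviations from the baseline; an empty list means the config matches."""
    d, mods = parse_httpd_conf(text)
    findings = []
    for name, want in BASELINE.items():
        # Listen may be written as address:port, so compare the port part only.
        got = [v.rsplit(":", 1)[-1] for v in d.get(name, [])]
        if got != [want]:
            findings.append(f"{name}: expected {want}, found {got or 'unset'}")
    findings += [f"module still loaded: {m}" for m in sorted(mods & DISABLED_MODULES)]
    if "ssl_module" in mods or "on" in d.get("sslengine", []):
        findings.append("SSL is enabled")
    # Unix-only check: an explicit root User contradicts the dedicated-user advice.
    if d.get("user", [""])[-1] in ("root", "#0"):
        findings.append("User directive is root")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the audit before every measurement run, and recording its output with the results, shows which configuration each performance or security figure was taken under.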