Re: [announcement] Longwell 1.1 released from Stefano Mazzocchi on 2005-03-11 (stdin)

From: Stefano Mazzocchi <stefanom_at_mit.edu>
Date: Fri, 11 Mar 2005 10:11:14 -0500

J. Steven Hughes wrote:
> Hi Ryan,
>
> What are the security risks associated with running Longwell? We are
> behind a firewall and need to justify opening a port for outside access.

There are two concerns here:

  1) opening a new port

  2) the security issues with longwell

as for #1, please read

    http://wiki.apache.org/cocoon/ApacheModProxy

as a way to use mod_proxy/mod_cache as a frontend to your java web
applications. It's a general best practice and this is how we run the
longwell demos on the simile server, allows to have all the
security/performance/stability features of the apache web server up
front. This would allow you to run it without having to open a new port
(and it's how we do it).

as of #2, unless configured to do so, longwell is a read-only
application and as a java application it makes it very very hard to
exploit a buffer overflow.... also longwell uses request parameters as
the only input, so the web server and the servlet engine would filter
unwanted behavior. This makes it pretty safe, also for the data being
displayed.

the only problem I see is DoS. longwell can be quite resource intensive
and we have not implemented any sort of proxy-header ability to reduce
load by having resource cached by transparent proxies. If under DoS
attack, longwell would not degrade nicely and would just stop responding.

Also, it has not been severely tested under concurrent load, but then
again, being a read-only application, race conditions are easy to avoid
and our code is very simple... we might find out bugs in the underlying
libraries though as I'm not sure how well Jena has been stress-tested
under concurrent load.

But those issues compromise the application itself, not the
system/network it runs on.

hope this helps.

-- 
Stefano Mazzocchi
Research Scientist                 Digital Libraries Research Group
Massachusetts Institute of Technology            location: E25-131C
77 Massachusetts Ave                   telephone: +1 (617) 253-1096
Cambridge, MA  02139-4307              email: stefanom at mit . edu
-------------------------------------------------------------------

Received on Fri Mar 11 2005 - 15:09:52 EST

This archive was generated by hypermail 2.3.0 : Thu Aug 09 2012 - 16:39:17 EDT