Re: [announcement] Longwell 1.1 released

From: J. Steven Hughes <J.Steven.Hughes_at_jpl.nasa.gov>
Date: Fri, 11 Mar 2005 08:39:44 -0800

definitely.
thanks,
steve

At 07:11 AM 3/11/2005, Stefano Mazzocchi wrote:
>J. Steven Hughes wrote:
>>Hi Ryan,
>>What are the security risks associated with running Longwell? We are
>>behind a firewall and need to justify opening a port for outside access.
>
>There are two concerns here:
>
> 1) opening a new port
>
> 2) the security issues with longwell
>
>as for #1, please read
>
> http://wiki.apache.org/cocoon/ApacheModProxy
>
>as a way to use mod_proxy/mod_cache as a frontend to your java web
>applications. It's a general best practice and this is how we run the
>longwell demos on the simile server; it allows you to have all the
>security/performance/stability features of the apache web server up front.
>This would allow you to run it without having to open a new port (and it's
>how we do it).
>
>as for #2, unless configured to do so, longwell is a read-only application
>and as a java application it makes it very very hard to exploit a buffer
>overflow.... also longwell uses request parameters as the only input, so
>the web server and the servlet engine would filter unwanted behavior. This
>makes it pretty safe, also for the data being displayed.
>
>the only problem I see is DoS. longwell can be quite resource intensive
>and we have not implemented any sort of proxy-header ability to reduce
>load by having resource cached by transparent proxies. If under DoS
>attack, longwell would not degrade nicely and would just stop responding.
>
>Also, it has not been severely tested under concurrent load, but then
>again, being a read-only application, race conditions are easy to avoid
>and our code is very simple... we might find bugs in the underlying
>libraries though, as I'm not sure how well Jena has been stress-tested
>under concurrent load.
>
>But those issues compromise the application itself, not the system/network
>it runs on.
>
>hope this helps.
>
>--
>Stefano Mazzocchi
>Research Scientist
>Digital Libraries Research Group
>Massachusetts Institute of Technology
>77 Massachusetts Ave, E25-131C
>Cambridge, MA 02139-4307
>telephone: +1 (617) 253-1096
>email: stefanom at mit . edu
>-------------------------------------------------------------------
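The mod_proxy/mod_cache frontend that Stefano recommends, as an added example for this archive page; it is not from the SIMILE project, the Longwell distribution, or the wiki page linked above. It assumes Apache httpd 2.4 directive syntax, a servlet container listening only on 127.0.0.1:8080 with Longwell deployed under the context path /longwell, and a cache directory of /var/cache/apache2/mod_cache_disk; all of those are assumptions, adjust them to your deployment. The cache directives are there precisely because, as the reply notes, Longwell sends no cache headers of its own, so mod_cache would otherwise store nothing.

```apache
# Added illustrative config (not SIMILE/Longwell project code).
# Assumes: Apache httpd 2.4 with mod_proxy, mod_proxy_http, mod_cache and
# mod_cache_disk loaded; Longwell running in a servlet container bound to
# 127.0.0.1:8080 under /longwell, so only port 80/443 on Apache is exposed.

# Never act as an open forward proxy; only the explicit ProxyPass applies.
ProxyRequests Off
ProxyPreserveHost On

# Forward only /longwell to the servlet container.
#   max=10     caps simultaneous connections to the Java backend, so a burst
#              of requests queues at Apache instead of exhausting the JVM
#   timeout=30 drops backend calls that hang instead of tying up workers
ProxyPass        /longwell http://127.0.0.1:8080/longwell max=10 timeout=30
ProxyPassReverse /longwell http://127.0.0.1:8080/longwell

# Longwell emits no Expires/Last-Modified headers, so mod_cache would ignore
# its responses by default. Cache them anyway, for 10 minutes: repeated hits
# on the same query URL are then answered from disk, not by Jena.
CacheEnable disk /longwell
CacheRoot /var/cache/apache2/mod_cache_disk
CacheIgnoreNoLastMod On
CacheDefaultExpire 600

# Read-only application: the only input is request parameters, so refuse
# every method except GET and HEAD before it reaches the servlet engine.
<Location /longwell>
    <LimitExcept GET HEAD>
        Require all denied
    </LimitExcept>
</Location>
```

Two caveats a practitioner would want. First, the cache only helps against repeated identical URLs; a deliberate flood that varies the query string still reaches the backend, which is what the `max=` connection cap is for, and CacheDefaultExpire should be no longer than the interval at which the underlying RDF data changes. Second, the servlet container must actually bind to 127.0.0.1 (or be firewalled) rather than 0.0.0.0, otherwise the "no new port" property is lost even with the proxy in place.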
Received on Fri Mar 11 2005 - 16:38:23 EST

This archive was generated by hypermail 2.3.0 : Thu Aug 09 2012 - 16:39:17 EDT