News from PANUG - May 31, 2001
http://www.panug.org
info@panug.org

ARTICLES

There's an article about Microsoft's .NET and the future of Internet-based applications at:
http://iwsun4.infoworld.com/articles/op/xml/01/05/28/010528opnoise.xml

There's an article about IIS at:
http://securityportal.com/articles/iis20010521.html

SAVING POWER
by Ed Sawicki

The power problems that began in California and are expected to spread should force us to have a long-term strategy for dealing with the problem. As consumers, our first instincts should be conservation. We should be saving energy by consolidating services so they run on fewer computers. You're wasting energy when you use separate computers for email, web, database, file & print, etc.

Consolidating services onto fewer computers needs to be done with care. You don't want to lose reliability and security in the process. You may already know that there are some programs that can't live together on the same computer without reliability problems. You're forced to use more computers and waste energy. I'm not aware of any Open Source software that cannot peacefully coexist with other software on the same computer.

Security is another matter. You should separate services that don't belong together on the same computer regardless of whether you're using commercial or Open Source software. The trick is knowing what to keep separate. Sometimes it's easy to know. If you're running a program that has a rich history of security problems, like Microsoft's IIS, you need to run that on a separate computer. You don't want other services compromised when break-ins occur.

When you're using programs that don't suffer from security problems, it's more difficult to know when you must separate them. With Linux, for example, services running on the same computer can be insulated from each other so a break-in to one service doesn't necessarily compromise others.
This makes it difficult to know when you must separate them, but this is a nice problem to have.

Let's use a real example. There are two critical computers on my company network. Both run Linux because I want a solid, reliable platform for services (OpenBSD would have been a good choice as well). Linux allows me to insulate services from one another by running each service as its own user and in its own disk space. One service cannot see another service's files and cannot (if configured correctly) see any files on the hard disk other than its own. Linux also provides an effective built-in firewall.

One computer runs Apache (web server), Postfix (email server), BIND (DNS server), NTP (time server), MySQL (database server), Mailman (mail list manager) and a variety of support services such as Perl, Python, PHP, cron, etc.

The other computer does Network Address Translation (NAT) for my internal network. It runs Squid (web page caching), TinyDNS, and Samba for Microsoft-compatible file and print services.

All of these services could have been consolidated into one computer but the security risks made me nervous. I wanted to insulate my internal network from services that were available to the outside world.

Both computers have never failed and have never been broken into. Each computer is its own firewall with rules custom-tailored to it. I pay attention to the firewall logs and add rules when necessary. The payoff is having to power only two computers instead of many.
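
The isolation rule described above (each service under its own user and in its own disk space) can be checked mechanically. The following is an added example, not part of the original newsletter: the inventory rows and UIDs are constructed, the function names are hypothetical, and reading "its own disk space" as a separate root directory per service is an assumption.

```python
import os
from collections import defaultdict

# Constructed sample inventory: (service, effective uid, root directory the
# process sees). The values are invented for illustration only.
SAMPLE = [
    ("apache",  48, "/"),
    ("postfix", 89, "/var/spool/postfix"),
    ("named",   25, "/var/named/chroot"),
    ("mysqld",  27, "/"),
    ("mailman", 48, "/"),   # same uid as apache
    ("ntpd",     0, "/"),   # still running as root
]

def from_proc(name, pid):
    """Build one inventory row for a live Linux process.
    Reading /proc/<pid>/root for another user's process requires root."""
    with open(f"/proc/{pid}/status") as fh:
        # "Uid:" line holds real, effective, saved and filesystem uid.
        uid = next(int(l.split()[2]) for l in fh if l.startswith("Uid:"))
    return (name, uid, os.readlink(f"/proc/{pid}/root"))

def audit_isolation(inventory):
    """Return (service, finding) pairs for every isolation gap found."""
    by_uid, by_root = defaultdict(list), defaultdict(list)
    for service, uid, root in inventory:
        by_uid[uid].append(service)
        by_root[root].append(service)
    findings = []
    for service, uid, root in inventory:
        if uid == 0:
            findings.append((service, "runs as root"))
        elif len(by_uid[uid]) > 1:
            findings.append((service, f"shares uid {uid}"))
        if root == "/":
            findings.append((service, "sees the whole filesystem"))
        elif len(by_root[root]) > 1:
            findings.append((service, f"shares root {root}"))
    return findings

if __name__ == "__main__":
    for service, finding in audit_isolation(SAMPLE):
        print(f"{service:8} {finding}")
```
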