Web server round up

Kurt Seifried, [email protected]



Availability

There are a variety of secure webservers, but which one is right for you? In this article I will start the process of helping you choose the right server for your environment. In this series of articles I will cover the legality, availability, features, and so on of the major secure server packages, using Linux primarily for my testing. The choice of operating system is important, but the choice of www server is usually more important, since that will define your feature set and long term potential. In conjunction with these articles will be a series of individual product reviews of the more popular servers. This review will only cover the 128 bit versions of the products, as I feel 128 bit encryption is relatively weak, and 40 and 56 bit encryption is worthless; please keep this in mind as it will affect availability quite a bit.


Export/Import, Platform availability and Licensing issues

This is the first hurdle: is the webserver available in your country, and for your platform of choice? Servers made in the USA, for example, are generally not much use outside the USA since the export of strong crypto is heavily restricted (to Canada only). Free servers that have not paid for RSA data licenses are generally not used in the USA since RSA is patented there, and you must pay for the use of RSA data components. This first table is a list of server products, their origin and the countries you may or may not use them in:

Server: Apache-SSL
  Made in: uses OpenSSL from Australia
  Available to: Most countries
  Restricted from: unknown (suspected none)

Server: Apache mod-ssl
  Made in: uses OpenSSL from Australia
  Available to: Most countries
  Restricted from: unknown (suspected none)

Server: Netscape Enterprise 4.0SP2
  Made in: USA
  Available to: USA, Canada
  Restricted from: unknown (7 crypto restricted countries possibly)

Server: Raven
  Made in: USA
  Available to: USA, Canada
  Restricted from: unknown (7 crypto restricted countries possibly)

Server: Red Hat Secure Server
  Made in: USA
  Available to: USA, Canada
  Restricted from: unknown (7 crypto restricted countries possibly)

Server: Roxen
  Made in: Sweden
  Available to: Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, United Kingdom; United States (they are negotiating with RSA, it should be legal to use in the USA in the near future)
  Restricted from: all countries not listed; however, you can apply for an export permit, and availability will vary

Server: Stronghold
  Made in: Britain
  Available to: Most countries
  Restricted from: None (although you might want to check, as there are British export laws that may affect you)

Server: Zeus
  Made in: Britain
  Available to: Most countries
  Restricted from: Afghanistan, Angola, Armenia, Azerbaijan, Bosnia and Herzegovina, Burma (Myanmar), Burundi, Croatia, Democratic Republic of the Congo, Ethiopia, Eritrea, Iran, Iraq, Liberia, Libya, Nigeria, North Korea, People's Republic of China (excluding Hong Kong SAR), Rwanda, Sierra Leone, Somalia, Sudan, Tanzania, Uganda, Yugoslavia (Federal Republic of)

Platform availability is your next concern; if you are experienced with Solaris and have no experience with Linux you'd probably be best off with a server that runs on Solaris. When handling secure web serving the server platform MUST be secure, otherwise it isn't worth bothering in the first place. In the following chart I have attempted to be as precise as possible: yes is more like a "probably", no is "definitely not", and a dash (-) means I don't know.

OS/Server (servers, with the footnote markers explained below: Apache-SSL *±, Apache mod-ssl *±, Netscape Enterprise 4.0SP2, Raven, Red Hat Secure Server 3.1, Roxen ±, Stronghold, Zeus)

AIX
  Apache-SSL: -
  Apache mod-ssl: -
  Netscape Enterprise 4.0SP2: 4.1.2.0 rs6000
  Raven: 4.1.x+
  Red Hat Secure Server 3.1: no
  Roxen: Yes
  Stronghold: 4
  Zeus: -

BSDi
  Apache-SSL: yes
  Apache mod-ssl: yes
  Netscape Enterprise 4.0SP2: no
  Raven: 3.x+
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: 2.x, 3.x, 4.x
  Zeus: yes

DG/UX
  Apache-SSL: -
  Apache mod-ssl: -
  Netscape Enterprise 4.0SP2: 4.0D x86
  Raven: 4.x
  Red Hat Secure Server 3.1: no
  Roxen: Yes
  Stronghold: -
  Zeus: -

FreeBSD
  Apache-SSL: yes
  Apache mod-ssl: yes
  Netscape Enterprise 4.0SP2: no
  Raven: x86 3.x
  Red Hat Secure Server 3.1: no
  Roxen: Yes
  Stronghold: 2.1, 2.2, 3.0
  Zeus: yes

HP-UX
  Apache-SSL: yes
  Apache mod-ssl: yes
  Netscape Enterprise 4.0SP2: 11.x
  Raven: 10.x / 11.x
  Red Hat Secure Server 3.1: no
  Roxen: Yes
  Stronghold: 10
  Zeus: yes

IRIX
  Apache-SSL: yes
  Apache mod-ssl: yes
  Netscape Enterprise 4.0SP2: 6.5
  Raven: 5.3, 6.x
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: 5.3, 6.2
  Zeus: yes

Linux libc**
  Apache-SSL: x86 / Sparc / Most
  Apache mod-ssl: x86 / Sparc / Most
  Netscape Enterprise 4.0SP2: no
  Raven: x86 / Sparc / Alpha
  Red Hat Secure Server 3.1: no
  Roxen: Yes
  Stronghold: x86 / Sparc / Most
  Zeus: yes

Linux glibc**
  Apache-SSL: x86 / Sparc / Most
  Apache mod-ssl: x86 / Sparc / Most
  Netscape Enterprise 4.0SP2: no
  Raven: x86 / Sparc / Alpha
  Red Hat Secure Server 3.1: x86 Red Hat 5.x, 6.x
  Roxen: Yes
  Stronghold: x86 / Sparc / Most
  Zeus: yes

NetBSD
  Apache-SSL: x86 / Sparc / Most
  Apache mod-ssl: x86 / Sparc / Most
  Netscape Enterprise 4.0SP2: no
  Raven: x86 1.3.x
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: x86 / Sparc
  Zeus: -

OpenBSD
  Apache-SSL: x86 / Sparc / Most
  Apache mod-ssl: x86 / Sparc / Most
  Netscape Enterprise 4.0SP2: no
  Raven: x86 2.x
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: -
  Zeus: -

QNX
  Apache-SSL: -
  Apache mod-ssl: -
  Netscape Enterprise 4.0SP2: no
  Raven: 4.x
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: -
  Zeus: -

SCO
  Apache-SSL: -
  Apache mod-ssl: -
  Netscape Enterprise 4.0SP2: no
  Raven: -
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: Openserver 3.2, 5.0
  Zeus: x86 / Sparc

Solaris
  Apache-SSL: x86 / Sparc
  Apache mod-ssl: x86 / Sparc
  Netscape Enterprise 4.0SP2: x86 / Sparc
  Raven: Sparc 2.x / x86 2.x
  Red Hat Secure Server 3.1: no
  Roxen: x86 / Sparc
  Stronghold: Sparc 2.x / x86 2.x
  Zeus: x86 / Sparc

Tru64
  Apache-SSL: Alpha
  Apache mod-ssl: Alpha
  Netscape Enterprise 4.0SP2: no
  Raven: 4.x
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: -
  Zeus: yes

UnixWare
  Apache-SSL: -
  Apache mod-ssl: -
  Netscape Enterprise 4.0SP2: no
  Raven: 7.x
  Red Hat Secure Server 3.1: no
  Roxen: -
  Stronghold: 2, 7
  Zeus: -


*Apache and OpenSSL support most platforms.

**Linux glibc is Red Hat 5.x and beyond, Slackware 7.0, or basically any modern distribution (I can't think of any current Linux distributions that are not glibc based).

± These software packages are OpenSource, so if your platform is not supported you can port it yourself or pay someone to; chances are an effort is already underway.

As you can see the most prolific platforms are Linux and Solaris, both of which serve their respective markets very well. Apache has a variety of SSL options, either relying on "free" SSL implementations, like OpenSSL, or commercial ones, like Raven. Apache currently has 50%+ of the non secure server market, so if you are looking for a familiar face, Apache with an SSL module, or an Apache derived server (like Red Hat's or Stronghold's), is a good bet.

Another major factor in choosing your webserver will be the license, cost and support options available. For many people it is preferable to simply get a quick answer from a support organization rather than spend time trying to figure it out themselves, just as some people will be opposed to anything that is not open source. Luckily the RSA patent has expired in the USA and you can now legally use OpenSource software with OpenSSL without having to disable RSA, use RSAREF (a broken implementation) or pay RSA for a license.

Server: Apache-SSL
  License: BSD style
  Cost: Free
  Support: No vendor, so support is limited to third party organizations and other online (mailing lists, newsgroups, IRC, etc.) support options

Server: Apache mod-ssl
  License: BSD style
  Cost: Free
  Support: No vendor, so support is limited to third party organizations and other online (mailing lists, newsgroups, IRC, etc.) support options

Server: Netscape Enterprise 4.0SP2
  License: Commercial
  Cost: ?????
  Support: Vendor support

Server: Raven
  License: Commercial
  Cost: $357 USD
  Support: Vendor support, and since it is Apache based the usual online support options are available (mailing lists, newsgroups, IRC, etc.)

Server: Red Hat Secure Server
  License: Commercial
  Cost: $149.95 USD
  Support: Vendor support, and since it is Apache based the usual online support options are available (mailing lists, newsgroups, IRC, etc.)

Server: Roxen
  License: GPL (however additional server add-ons are not)
  Cost: Free
  Support: Vendor support

Server: Stronghold
  License: Commercial
  Cost: $995
  Support: Vendor support, and since it is Apache based the usual online support options are available (mailing lists, newsgroups, IRC, etc.)

Server: Zeus
  License: Commercial
  Cost: $1699 USD
  Support: Vendor support


Other variables

The various secure web servers can be broadly broken into two categories: those based on Apache, and those that are not. The Apache based servers tend to be somewhat barebones, with no fancy web based GUIs for setup and management of servers, which some people dislike in any case. One advantage is that the sheer number of non secure Apache www sites has resulted in a large number of people that are very proficient with Apache, so finding online support is less difficult than one would think; however, if it is a secure server issue as opposed to a generic Apache issue, finding support will be somewhat more difficult.

Another decision is whether to use an OpenSource server (such as Apache or Roxen) or a closed source one; there are arguments both ways, but ultimately it will be more of a political issue than anything else in most cases.

Another issue is the use of hardware cryptographic accelerators. These range from a plug in PCI card to a full blown network appliance you plug in between the www server and the internet. Depending on the cryptographic accelerator you buy you may not even need a secure www server (this generally is only the case for the high end network appliances).


Summary

There is no overall "best" www server even just taking availability issues into account. Various servers are appropriate for various situations. In the following articles and product reviews I will attempt to cover the major areas of www server considerations such as configuration, features, security, flexibility, scalability, and so on. Next week I'll be covering smart cards (which tie in nicely to secure web serving), the week after that we'll start comparing features of the various www server products.

Comparison

Last month I started the web server round up, and unfortunately it looks like I bit off a lot more than I can chew. Properly testing each web server takes a lot of time (10-30 hours), and that doesn't include any time to actually write about the results. Well, I've finally worked my way through most of the servers, and it's been interesting. A web server isn't any good if you can't get it installed properly, configured properly, or if it simply does not possess the feature set you require. The majority of these products do allow you to download demonstration versions (or are completely free in some cases); I would advise trying them out first to make sure you end up with the one you want (in other words don't believe everything you read, including this =).


Ease of installation

This is an obvious choice for the first thing to cover; if you can't get the server installed properly it's probably not going to do you much good. In some cases the installation required compiling software components, but the majority of the commercial products that are OpenSource (and partially or completely available as source code) also came in binary format, easing installation. Where possible I used binary installations, as this is what the majority of users will opt to do (I have nothing against compiling personally, but most people will take the path of least resistance, myself included). For the "free" SSL based servers that use OpenSSL you also have to compile or find a binary of OpenSSL, so I included that in the process where it was required. In all cases I would recommend getting the most recent version: it will contain any needed bug fixes, and any installation/compiling problems that exist in older ones have probably been fixed. All my installations were done on a stock Red Hat 6.1 box, and in no case did I hit any significant difficulties; in most cases the installs took less than 5 minutes.


Configuration

The next big item on the road to "getting it to work". All but one of the Apache based servers offer no significant improvements here (i.e. no tools for configuration), which shouldn't be a problem for most administrators, but for maintaining many sites automated tools and templates are useful. In addition there is the degree of detail allowed: can you easily give one virtual site access to Java servlets, and no other sites, for example? If you plan to host more than one site, chances are you will find yourself wanting a high degree of control over who gets access to what, especially if you charge people for features (think virtual web hosting).

Server: Apache-SSL
  Compiling / installation: OpenSSL takes a while to compile (it is also available in binary format for Red Hat, etc.); I personally have not had OpenSSL give me any trouble. Apache-SSL is a simple patch to the Apache source code, and it never gave me any problems either.
  Configuration: Default Apache style, edit the config file(s) by hand. There are automated tools, but many of them do a poor job on the secure server configs.
  Granularity of configuration: Some functionality, but you cannot easily restrict things like who gets access to various services such as authentication or Java servlets; some control is given by the access configurations, but more control would be nice.

Server: Apache mod-ssl
  Compiling / installation: OpenSSL takes a while to compile (it is also available in binary format for Red Hat, etc.); I personally have not had OpenSSL give me any trouble. Apache mod-ssl is a bit more tricky than installing Apache-SSL, but assuming your platform is reasonably sane you shouldn't have any real problems.
  Configuration: Default Apache style, edit the config file(s) by hand. There are automated tools, but many of them do a poor job on the secure server configs.
  Granularity of configuration: Some functionality, but you cannot easily restrict things like who gets access to various services such as authentication or Java servlets; some control is given by the access configurations, but more control would be nice.

Server: Netscape Enterprise
  Compiling / installation: Binary only installation (proprietary package); installs to a self contained directory and asks a few simple questions that set up the www based config.
  Configuration: Really nice www interface, cleanly laid out, very easy to use; Netscape put a lot of work into it.
  Granularity of configuration: High granularity, relatively easy to use. The only product that had an obvious method of setting the encryption strength required to access the server (very nice feature).

Server: Raven
  Compiling / installation: Run the install script and stand back; there's not much to do.
  Configuration: Default Apache style, edit the config file(s) by hand. There are automated tools, but many of them do a poor job on the secure server configs.
  Granularity of configuration: Some functionality, but you cannot easily restrict things like who gets access to various services such as authentication or Java servlets; some control is given by the access configurations, but more control would be nice.

Server: Red Hat Secure Server
  Compiling / installation: This product is designed for Red Hat Linux, and installing it is extremely simple (rpm -Uvh). Please note you do need Red Hat 6.x for the latest version of Red Hat Secure Server.
  Configuration: Default Apache style, edit the config file(s) by hand. There are automated tools, but many of them do a poor job on the secure server configs.
  Granularity of configuration: Some functionality, but you cannot easily restrict things like who gets access to various services such as authentication or Java servlets; some control is given by the access configurations, but more control would be nice.

Server: Roxen
  Compiling / installation: Available as source and binary; the binary package installs painlessly into a self contained directory and asks a variety of simple questions that set up the www based config.
  Configuration: Really nice www interface, a bit quirky, but easy to learn.
  Granularity of configuration: High granularity, relatively easy to use. You can easily grant certain sites access to items like www-auth, or restrict them from using them.

Server: Stronghold
  Compiling / installation: Stronghold has a very nice install script that installs itself to a self contained directory, asks a variety of easy to answer questions and walks you through setup of your first secure host.
  Configuration: Default Apache style, edit the config file(s) by hand. Initial setup of one site is handled during install by prompting the user with questions.
  Granularity of configuration: Some functionality, but you cannot easily restrict things like who gets access to various services such as authentication or Java servlets; some control is given by the access configurations, but more control would be nice.

Server: Zeus
  Compiling / installation: Binary only installation (proprietary package); installs to a self contained directory and asks a few simple questions that set up the www based config.
  Configuration: One of the best www interfaces to a piece of software I have seen; allows you to control multiple Zeus servers and group multiple sites into standard configurations (like allow Java or not).
  Granularity of configuration: High granularity, extremely easy to use. Unlike Roxen it also scales well: you can create groups of servers with common config files (i.e. access to FrontPage extensions, but not Java servlets), which reduces mistakes significantly.
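The tables above say the Apache based servers give "some control" through the access configuration rather than a GUI, and that Netscape Enterprise was the only product with an obvious way to set the encryption strength required to reach the server. The following Apache 1.3 / mod_ssl configuration fragment is an added example (it is not from the article, from the Apache project, or from any of the vendors reviewed) of what that hand edited control looks like: one virtual host that may run CGI scripts and server side includes, but only over a session negotiated with a 128 bit or stronger cipher, and a second host that serves static documents only. The host names, IP addresses, document roots and certificate file names are placeholders.

```apache
# Added example: per-virtual-host granularity with Apache 1.3 + mod_ssl.
# Host names, addresses, document roots and certificate paths are placeholders.

# Global default: nothing is enabled unless a <Directory> block below says so.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Refuse 40/56 bit export ciphers and other weak ciphers for every SSL host,
# and drop SSLv2, which cannot negotiate the strong suites reliably.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW

# Site A: may run CGI and (non-exec) SSI, but only over a strong cipher.
# mod_ssl in this era needs one IP address per SSL host, hence IP-based hosts.
<VirtualHost 192.0.2.10:443>
    ServerName secure-a.example.com
    DocumentRoot /www/secure-a/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/secure-a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/secure-a.key

    <Directory /www/secure-a/htdocs>
        Options IncludesNOEXEC
        Order allow,deny
        Allow from all
        # The hand-edited equivalent of a "required encryption strength"
        # setting: the request is rejected unless the negotiated symmetric
        # key is at least 128 bits, whatever SSLCipherSuite allowed.
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Directory>

    ScriptAlias /cgi-bin/ /www/secure-a/cgi-bin/
    <Directory /www/secure-a/cgi-bin>
        Options ExecCGI
        Order allow,deny
        Allow from all
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Directory>
</VirtualHost>

# Site B: static documents only. No ScriptAlias, no ExecCGI, no Includes,
# so a script dropped into this tree by a site owner is served as plain text.
<VirtualHost 192.0.2.11:443>
    ServerName secure-b.example.com
    DocumentRoot /www/secure-b/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/secure-b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/secure-b.key

    <Directory /www/secure-b/htdocs>
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

The two mechanisms do different jobs: SSLCipherSuite decides which ciphers the server will offer during the handshake, while SSLRequire checks the cipher actually negotiated for each request and can be set per directory, so a single host can publish a brochure area to any client and reserve its forms and CGI for 128 bit sessions. Because `Options` are controlled only by the per-directory blocks (AllowOverride None disables .htaccess), adding a new customer site means copying one VirtualHost block and choosing which features it gets, which is the manual work the summary below describes as "elbow grease" when many sites are involved.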


Features (a.k.a. bells and whistles).

This is one area where most people exhibit interest. In all honesty most of these web servers do a pretty fair job of serving data, and they are all pretty stable (almost all the above products are used at a variety of large sites). All the servers provide a certain baseline of functionality: they can serve static documents and a variety of dynamic documents (such as server side includes), they have a CGI interface (so you can tie programs into your site), and so on. One major feature more and more sites (especially sites doing virtual hosting) are using is FrontPage extensions, which are full of security holes under UNIX and not really recommended (the vendor that wrote the FrontPage extensions for UNIX has a less than stellar track record security wise). One way around this is to use Samba to share out the www files selectively to clients (the username and password can be encrypted, the data is not, so it isn't any worse from a security point of view than FrontPage extensions are); however, it does not allow them to make use of some of FrontPage's more advanced features. I actually started an HTML table with a listing of all the important features, but in almost all cases all the servers supported the features listed, so it struck me as rather pointless. The Zeus, Roxen and Netscape Enterprise web servers do have some additional features not currently available in Apache; Roxen for example has RXML, a server side scripting language that allows for dynamic content (similar to PHP).


Support / Documentation

As with any product, chances are at some point you will need assistance with it. When that time comes you will need to find help; if you're lucky it will be covered in the documentation. The Apache based products are of course the best documented: there are many books available, and the Apache web site has pretty much full documentation on the server itself (although some of the SSL directives are not covered, or are different). All the vendors support their own products, and several will probably support Apache-SSL and Apache mod-ssl if you pay them (since in some cases the commercial products make use of the same OpenSSL that the two free ones do). There is a definite advantage to choosing an Apache based product: with over 50% of the non-secure market, finding a competent Apache administrator or support organization is not too difficult.

Server: Apache-SSL
  Online documentation and help: Yes, http://www.apache.org/; help is also available via a variety of mailing lists, www boards and IRC.
  Vendor / commercial support: Some commercial support available

Server: Apache mod-ssl
  Online documentation and help: Yes, http://www.apache.org/; help is also available via a variety of mailing lists, www boards and IRC.
  Vendor / commercial support: Some commercial support available

Server: Netscape Enterprise
  Online documentation and help: Yes, http://www.netscape.com/; help is also available via a variety of mailing lists, www boards and IRC. The product ships with excellent context sensitive help.
  Vendor / commercial support: Various vendor support options available

Server: Raven
  Online documentation and help: Yes, http://www.apache.org/; help is also available via a variety of mailing lists, www boards and IRC.
  Vendor / commercial support: Various vendor support options available; they also support Apache

Server: Red Hat Secure Server
  Online documentation and help: Yes, http://www.apache.org/; help is also available via a variety of mailing lists, www boards and IRC.
  Vendor / commercial support: Various vendor support options available; they also support Apache

Server: Roxen
  Online documentation and help: Extensive documentation at http://www.roxen.com/; the product ships with excellent context sensitive help.
  Vendor / commercial support: Various vendor support options available

Server: Stronghold
  Online documentation and help: Yes, http://www.apache.org/; help is also available via a variety of mailing lists, www boards and IRC.
  Vendor / commercial support: Various vendor support options available

Server: Zeus
  Online documentation and help: Extensive documentation at http://www.zeustechnology.com/
  Vendor / commercial support: Various vendor support options available


Summary

For the cost conscious, especially if only running one or two sites, an Apache based solution is ideal. For high volume web serving, or serving many sites with similar configurations, Apache also works very well, but you will need to apply a lot of elbow grease in administration and maintenance (basically you will probably want to write scripts and other automation tools to assist you). The Apache based servers are in some ways the simplest to configure (one nicely commented text file), and the easiest to find support for online (there are many books devoted to Apache), as well as being very cheap (ranging from free to $160 USD, $357 USD and up).

If you want something with a few more bells and whistles and a nice www interface, Roxen is the next logical step. Roxen is OpenSource and free (for the basic server); however, you cannot yet use it legally in the US (due to the RSA patent). If you're willing to spend the money then Roxen probably wins for sheer number of features and add-ons (but $11,800 USD might be seen as a bit pricey for many people). If you don't mind spending money, and want an extremely high performance server, then Zeus is the ticket (every single web record I have seen uses Zeus). Zeus has the best configuration interface I have seen, allowing you to manage multiple servers and multiple sites, and it scales well. Netscape seems like a very popular secure web server for major sites; it has great Java servlet support and a wonderful www interface, making it very simple to set up and maintain.

They are all very good server products if used in the right environment and administered properly (unfortunately there is no way around that yet). Fortunately with almost all the products you can get evaluation versions, so try before you commit to a web server, and make sure it supports the features you think you might need in the future (because chances are you will need them).


Related links:

http://www.apache-ssl.org/

http://www.modssl.org/

http://www.covalent.net/raven/ssl/

http://www.iplanet.com/downloads/testdrive/index.html

http://www.iplanet.com/downloads/iwsonlinux.html

http://www.c2.net/products/sh3/

http://www.roxen.com/

http://www.c2.net/products/sh2/

http://www.zeustechnology.com/


Last updated 4/10/2001

Copyright Kurt Seifried 2001