I've seen a couple of Windows servers where some clueless genius installed IIS4, SQL Server and Exchange Server on the same machine, and put it up on the 'Net. I wouldn't be surprised if most of the machines whose SQL Server was attacked were actually dual IIS/SQL machines.

Cramming apps on the same machine is obviously not a good idea, because the machine in question becomes vulnerable to more than one type of attack. Additionally, it's not good network optimization, because all client/server traffic is forced through the same uplink. It's better to spread the apps among several servers: the risk is distributed, and uplink/downlink traffic capacity is increased.

If you are supervising a 35-server server farm, putting 5 servers on the 'Net instead of all 35 limits your exposure. It also helps you to optimize patch management, because you can put afford to put a much higher priority on patching the 5 servers that are exposed to the 'Net than on the 30 that are not.

Finally, consider introducing redundancy by load balancing or clustering those servers that are on the 'Net. Load balancing or clustering are good, because you can do a patch on a couple of members of the cluster and check that nothing untoward happens before you patch the rest of the embers of the clusters. Without load balancing or clustering, you patch and you cross your fingers.

Load balancing or clustering enable you to do your patching during the day rather than have to wait until 3:00 AM. Of course, if you are running a 7x24 op, then you should start rapping your employer's fingers about getting load balancing and clusters in.

I kind of like the name "Messalina" for the worm, because the original Messalina was quite a sexual predator when she was alive and most of those who had the misfortune to cross her path were less than thrilled about the experience.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/174/21003#21003