In-Depth

6 Reasons to Consider Apache

Even though IIS gets more secure with each generation, having at least a few Apache Web servers in your shop makes sense.

• By Scott Bekker
• 04/01/2005

Every month, the U.K.-based firm Netcraft takes a survey of all the sites on the Web and publishes the percentage run by each type of Web server software. Out of nearly 60 million sites Netcraft found this February, the open source Apache Web server ran 40 million of them. Microsoft Web servers, mainly IIS, ran 12 million sites. Moreover, after months of little change in market share between those two leading Web server families, Netcraft is starting to notice a slight break toward Apache with a 1.4 percentage point gain over IIS in two months. Can 40 million Web sites be wrong?

Maybe. Another firm, Web server tools vendor Port80 Software, contends the number isn't relevant to the enterprise. Netcraft's total takes into account every Apache server running in every enthusiast's basement, as well as the massive farms of Apache (and IIS servers) run by the largest hosting companies, whose experience and requirements are dissimilar from those of most enterprises. The better question, according to Port80, which focuses on IIS-improvement tools, is: What software does the Fortune 1000 use? The answer to that question is much more favorable to IIS. According to a November survey by Port80, IIS runs 53.8 percent of Fortune 1000 servers, compared with Apache's 21.2 percent.

When all you've got is a hammer, the saying goes, every problem looks like a nail. When you look at guidance from Microsoft and its partners, the obvious conclusion when you need a Web server is IIS. In many cases, that's the correct choice, given familiarity with Windows and the increasingly locked-down characteristics of IIS 6.0. But there are instances where that approach isn't best.

IIS Rules the Fortune 1000 While Apache dominates the Netcraft survey of the whole Web, a look at the Web sites of the Fortune 1000 skews toward IIS. IIS tools firm Port80 Software regularly analyzes the HTTP replies received from the main Web site of each Fortune 1000 company to determine the Web server software and operating system run by that host. The results of its November 2004 survey:

Security
John Marten, IT specialist with Balzhiser & Hubbard Engineers in Eugene, Ore., picked the Apache Web server to run the firm's corporate Web site for a reason cited by many for using the open source Web server. "It's secure," he says.

The drumbeat to switch from IIS to Apache for security reached its fever pitch in September 2001, when Gartner analyst John Pescatore called for enterprises to consider a move to Apache or the Sun-Netscape Web server. At the time, the blended threats of Code Red and Nimda were exploiting IIS vulnerabilities. IIS 5.0, by default, was enabled generally wide open on servers for maximum usability and compatibility. The famous Trustworthy Computing memo from Microsoft Chairman and Chief Software Architect Bill Gates, in which Microsoft officially decided that security took priority over functionality, was still a few months off. The first major fruit of the Trustworthy Computing code review, Windows Server 2003 with its tightly locked-down IIS 6.0, was about a year-and-a-half in the future.

With the release of IIS 6.0, a free Microsoft IIS lockdown tool and copious security guidance for Windows 2000/IIS 5.0, the security picture around IIS has changed. A look at the advisory database maintained by security firm Secunia, which sends and tracks security advisories on more than 4,500 products, shows the rate of discovery of new security vulnerabilities in IIS has settled down in recent years. Indeed, IIS and Apache are fairly well matched and patched when it comes to vulnerabilities, and neither appears to have any unpatched vulnerabilities that rate as highly critical. (See "Mixed Bag").

Mixed Bag
Security firm Secunia monitors vulnerabilities in more than 4,500 products. Below is a chart showing the number of patched and unpatched vulnerabilities in Secunia's database as of late February. Information in the database doesn't make a clear case for one Web server being more secure than the other.
Product	Vulnerabilities	Unpatched Vulnerabilities	Max Severity of Unpatched Vulnerabilities
IIS 5.x	11	1	Not critical
IIS 6.0	3	1	Moderately critical
Apache 1.3x	15	1	Less critical
Apache 2.0x	24	2	Less critical
Source: www.secunia.com

Other things haven't changed so much. The SANS Institute, which annually produces a list of the top vulnerabilities for both Windows and Unix (including Linux) systems, continues to put IIS at the top of the Windows vulnerability list, a position it's held for three consecutive years. Apache also shows up as a big problem on the SANS Unix list, but only in the No. 2 or No. 3 spot—not as the top priority problem.

In the SANS view, it's not that IIS itself is inherently insecure, it's that many users still haven't taken the time to lock down their pre-IIS 6.0 installations. "Windows 2000 Server ships with IIS installed by default, as many administrators discovered during the infamous Nimda and Code Red outbreaks," the security organization notes. In reality, if you're equally diligent about securely configuring and adequately patching IIS and Apache, your Web server is going to be roughly as secure.

What's potentially more troubling about older systems is that many applications use some IIS services, and turn them on without the user or administrator knowing it. A lot of shops only discovered IIS was enabled when the Code Red and Nimda attacks exploited the Web server. That problem doesn't have much to do with a firm's conscious choice of one Web server over another. Instead, it's a problem for Microsoft and its vendors to address together.

Some customers run Apache Web servers in front of an IIS server farm to add a layer of security, says Mark Brewer, president and CEO of Covalent Technologies, a company that adds value to Apache Web servers and Tomcat application servers.

"Clearly there have been, over the last three years, worms and viruses that have attacked the Web server as a point of entry," Brewer says. "What a lot of big companies have done is put up a proxy in front of that Web server farm. More than half of the people who we have as IIS customers are using Apache primarily as a security method in front of those IIS servers. It doesn't necessarily violate their corporate standard [on IIS]."

Interestingly, the security drumbeat of late 2001 didn't result in much of a switch to Apache. "We wanted to capture people moving to .NET as well as people saying ‘I've got to get off of IIS.' We picked up some, but certainly didn't get the traction we thought. We got over 1,000 leads, but about 1 percent of those were real," Brewer says.

Of course, the security of a Web server isn't just about the security of the Web server software, a point illustrated by the problem of third-party applications enabling IIS without sufficient warning. When it came time for Marten to pick a Web server for his engineering firm, Apache was an obvious choice for him even though the 50-person firm uses Windows servers for file serving and to run the special engineering blueprint printer. "It's [Apache] on an [OpenBSD] server, which is a real secure operating system. For me, having a real secure operating system like that is the No. 1 priority," Marten says. "That's just the way it just comes, even out of the box. Running Apache on that platform, it just makes it more secure."

Some organizations use Apache gateway servers in the same way that Microsoft recommends using Internet Security & Acceleration Server—as a way of protecting an IIS Web server farm from the Internet. The method puts the IIS boxes in a more protected network and obscures the structure of the protected network from outside attackers. Below is an illustration of how the servers are configured with the rest of the network. (Click image to view larger version.)

Cost
For a long time, open source was synonymous with free. It remains true that in the very largest and very smallest settings, the Apache/Linux proposition can have significant cost benefits over Microsoft. When you're talking more than a few servers, and less than a truly colossal infrastructure, costs tend to even out.

"Some organizations believe that Linux combined with Apache will lower their software and hardware acquisition costs when compared with Microsoft's products. When one takes a long view and considers all of the costs of operations, administration and the like, it is not at all clear that this perception is true in all cases," says Dan Kusnetzky, an analyst with the research firm IDC. "Organizations seeking a short-term reduction in acquisition costs might act on this perception and try Linux combined with Apache."

There are two obvious areas where you can save a lot of money by going with Apache instead of IIS.

One is on extremely small "skunk works" kinds of projects. In a case where you need a Web server for a project with no initial budget, it's possible to get a Linux/Apache server running on some surplus hardware for virtually nothing but the cost of your time. At the other end of the spectrum, Covalent's Brewer says some pharmaceutical companies that must spin out a new Web server application for every clinical trial realize massive licensing savings by running the applications on Apache servers.

A bigger opportunity for long-term savings comes from migrating Unix-based Web applications to less expensive x86 hardware. Yes, you can make the switch to Microsoft-IIS, but why go through the trouble of porting the application to Windows/IIS when the move to Linux/Apache is much more transparent to the application? All the cost savings inherent in industry-standard hardware apply without an expensive application migration effort. Many financial companies have already taken advantage of the savings from migrating proprietary Unix-based solutions to Apache and Linux or BSD.

Security and cost are by far the best reasons to consider Apache. But a handful of lesser considerations exist, as well.

Apache Dominates the Web Take all Web sites into account and Apache dominates the Internet. According to the Netcraft Web Server Survey, of the nearly 60 million sites on the Web in February 2005, Apache ran 40 million of them.

Spread It Around
Many real cost-savings benefits arise from building an entire infrastructure on Microsoft technologies. When you're designing your ASP.NET pages in Visual Studio to pull files from the SQL Server databases, applications can pop up extremely rapidly. But that also means a Windows-targeted virus can bring down your network in a hurry, a point made by a group of security researchers last year; those same viruses or worms likely wouldn't put non-Microsoft servers out of commission, leading to better reliability. Putting up a few Web servers running Apache on Linux is a quick and easy way to get some variety into your infrastructure.

SANS Institute Top Vulnerabilities
IIS and Apache both figure prominently in the SANS Institute's annual list of the most common vulnerabilities. IIS usually figures slightly more prominently, however.
SANS Top Vulnerabilities for Windows Systems
Year	Rank	Label
2004	1	Web Servers & Services (IIS mentioned first)
2003	1	IIS
2002	1	IIS
SANS Top Vulnerabilities for Unix Systems
Year	Rank	Label
2004	2	Web Server (Apache mentioned first)
2003	3	Apache Web Server
2002	2	Apache Web Server
Source: www.sans.org

Professional Development
A corollary to the heterogeneity rule is that giving your administrative staff or yourself another platform to work on can be a good thing. It offers an opportunity for the kind of variety that makes the work more interesting and provides the professional development of experience with another platform. For the IT organization as a whole, it also never hurts to have additional skill sets.

Lost in Translation
While Microsoft has a huge stable of languages and capabilities, it doesn't cover all the bases. Putting an entire Web infrastructure on Microsoft software means locking yourself in to only those capabilities that Microsoft chooses to enable and only those development languages Microsoft chooses to create or support. Running Web applications on Apache might provide opportunities to take full advantage of Java development capabilities, for example. Some of your staff may have development expertise built up through time spent working in BEA WebLogic or IBM WebSphere that they can apply to your organization in Web applications on Apache.

It Runs on Windows
It's possible to take baby steps into Apache. Consider that Apache can run on Windows OSes. While this was a somewhat tricky proposition in the Apache 1.3x generation, the Apache Software Foundation made a big effort to improve compatibility with Windows in Apache 2.0.x.

Obviously, you're not getting some of the benefits of an Apache migration if you keep the whole Web server on Windows, but it can give you a taste of whether Apache is right for your organization.

If you've never tried Apache, now you've got several good reasons to give it a shot. Like anything when it comes to IT infrastructure, change shouldn't be made lightly. According to IDC's Kusnetzky, though, a switch to Apache, when appropriate, can work out. "For the most part, the anecdotal information I have indicates that organizations that try this approach seem to be happy with the decision."