Example Of Research Paper On Designing An Application Server
Type of paper: Research Paper
Suitability of IIS for application servers
There are a number of application server vendors in the market. The servers differ in functionality, and while some are commercial products, others are not. How well a server performs depends on the functionality that is needed. Many features have been added to the servers available today. This paper focuses on server types and on how suitable each is for the required functionality. It compares the different servers and what each contributes to the overall process.
Microsoft Internet Information Services (IIS) is one of the most widely deployed web server products and has been installed by many organizations, so a large body of online support exists for it. IIS consists of a set of services, including File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP), that together allow Windows machines to host websites. Later versions add further services, including request filtering, caching, ASP.NET integration, redirection, compression, diagnostics, logging and security features.
IIS is the recommended choice for this server, because it provides every service the case requires: hosting websites, running as an application server, hosting FTP sites and streaming media. One caveat is that IIS ships only as a role of Windows Server, so a Windows Server license (for example Windows Server 2012) is required. Another is that Windows has historically been a frequent target of malware and carries a reputation as the less secure server platform. With the support available from Microsoft, however, this server is well suited for the following reasons:
Windows and IIS are supported by Microsoft
IIS supports Microsoft's .NET Framework and ASP.NET (ASPX) pages
Media pack modules are available to facilitate audio and video streaming
IIS offers in-depth diagnostic features such as failed request tracing, request monitoring and runtime data
The list below shows the ports that are used for HTTP, FTP, HTTPS and media streaming.
Security implications of open ports
A web server listens on ports for specific functions such as incoming requests, and each listening port is handled by a service that performs a defined task. Normally IIS listens for HTTP and HTTPS requests on ports 80 and 443 respectively, and IIS needs no additional ports open beyond those required for the services it publishes. An attacker will scan for every port the server has open and probe the services behind them for weaknesses. Every unnecessary listening service is therefore a potential foothold from which an attacker can reach the internal parts of the network and launch further attacks. It is advisable to reduce the number of open ports and running services to the bare minimum whenever the server is exposed to an untrusted network.
A firewall in front of IIS filters out all traffic that does not satisfy the security requirements. Firewalls are effective controls, but they can be bypassed or misconfigured if management practices are not followed correctly. Defense-in-depth is therefore recommended: the host-based Windows Firewall should be enabled on the IIS server itself, so that a filtering layer remains local to the server even if the perimeter firewall is compromised. To gain further security, unnecessary services and server roles should be disabled on the server.
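The following PowerShell script is an added example, not code from the paper or from Microsoft. It audits the TCP ports an IIS host is actually listening on against an explicit allowlist, disables a service that the web role does not need, and then sets a default-deny inbound baseline on the host firewall that opens only the published ports. The allowlist, the FTP passive range (5000-5100) and the choice of the Print Spooler as the unneeded service are assumptions for illustration; the cmdlets are the standard NetTCPIP and NetSecurity ones on Windows Server 2012 R2 and later, and the script must run in an elevated session.

```powershell
# Added example (not from the paper): audit listening TCP ports on an IIS host
# against an allowlist, then apply a default-deny inbound host firewall that
# opens only those ports. Run elevated on Windows Server 2012 R2 or later.

# Ports the server is expected to expose: HTTP, HTTPS and the FTP control
# channel, plus an assumed FTP passive data range of 5000-5100.
# IIS Smooth Streaming is delivered over HTTP, so media needs no extra port.
$AllowedPorts = @(80, 443, 21) + (5000..5100)

function Get-UnexpectedListener {
    param([int[]]$Allowed = $AllowedPorts)

    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -notin $Allowed } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
}

# Report anything listening that is not on the allowlist; each line is a
# service to justify, firewall off, or disable.
Get-UnexpectedListener | Format-Table -AutoSize

# Disable a service the IIS role does not need (assumed example: Print
# Spooler). Review the audit output above before choosing what to disable.
$unneeded = 'Spooler'
if (Get-Service -Name $unneeded -ErrorAction SilentlyContinue) {
    Stop-Service -Name $unneeded -Force
    Set-Service  -Name $unneeded -StartupType Disabled
}

# Host firewall baseline: block all inbound by default on every profile, then
# allow only the published services. This is the local defense-in-depth layer
# that still applies if the perimeter firewall is misconfigured.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

New-NetFirewallRule -DisplayName 'IIS HTTP/HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'IIS FTP control' -Direction Inbound `
    -Protocol TCP -LocalPort 21 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'IIS FTP passive data' -Direction Inbound `
    -Protocol TCP -LocalPort 5000-5100 -Action Allow -Profile Any
```

Run the audit alone first (the `Get-UnexpectedListener` call) and extend the allowlist with anything that is genuinely required, such as remote management ports, before applying the default-deny profile; otherwise the rules can lock out the administrator's own session.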
With respect to FTP, PORT-mode (active) requests made by FTP clients need to be handled in some way. Supporting PORT-mode clients that sit behind the firewall requires knowledge of both the inbound and the outbound connections involved: the client opens an outbound control connection to TCP port 21, and the server then opens an inbound data connection from its port 20 to a high-numbered port (1025 or above) that the client named in the PORT command. Packet filters that support PORT-mode FTP clients therefore do not yield a secure firewall/router configuration, because a wide range of high ports must be left open to the outside world and unsolicited inbound connections must be allowed into the internal network. Unsolicited inbound connections to a wide range of ports are a definite security hazard.
One partial solution is to allow inbound connections to the high-numbered ports only when they originate from source port TCP 20, that is, to limit access to connections that appear to come from an FTP server's data port. However, many tools now allow administrators, and by extension attackers, to set the source port manually, so a filter cannot tell whether an incoming connection from source port 20 really comes from a legitimate FTP server.
When the firewall/router administrator has to protect an FTP server behind the device, inbound TCP port 21 must be opened for the control channel, outbound connections from TCP port 20 must be allowed for PORT-mode data transfers, and inbound connections to TCP ports 1025 and above must be allowed for PASV-mode clients, which connect to a server-chosen high port for each transfer. The only way to keep firm control with static filters is to limit which IP addresses may connect, which brings back the same problems seen with PASV clients. The better solution is a stateful packet filter that understands FTP. Stateful packet filtering does not require static response ports to be opened, because it reads the data portion of the FTP control packets, sees the PORT and PASV commands and replies, and opens only the single data port negotiated for that transfer, for the duration of that transfer.
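The following PowerShell block is an added example, not code from the paper or from Microsoft. Its first part shows the work a stateful FTP filter does: it decodes a client's PORT command and a server's 227 passive-mode reply from the control channel to learn the single data-channel endpoint that should be permitted, and checks that a passive data port falls inside the published range. Its second part applies the matching server-side hardening on an IIS FTP host: it pins the passive data port range that IIS hands out and enables Windows Firewall's stateful FTP inspection. The control-channel lines are constructed, the range 5000-5100 is an assumption, and the `ConvertFrom-FtpEndpoint` and `Test-DataPortInRange` functions are names chosen here; the IIS `system.ftpServer/firewallSupport` section, the `ftpsvc` service and the `netsh advfirewall` switch are the real ones.

```powershell
# Added example (not from the paper): what a stateful FTP filter must do, and
# how to configure an IIS FTP server so the firewall can open a fixed range.

function ConvertFrom-FtpEndpoint {
    # Accepts either "PORT h1,h2,h3,h4,p1,p2" (client, active mode) or
    # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server, passive mode)
    # and returns the address and port the data connection will use.
    param([Parameter(Mandatory)][string]$ControlLine)

    if ($ControlLine -match '^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)') {
        $mode = 'Active';  $direction = 'server(20) -> client'
    }
    elseif ($ControlLine -match '^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        $mode = 'Passive'; $direction = 'client -> server'
    }
    else { return $null }

    # The port is carried as two bytes: p1 is the high byte, p2 the low byte.
    $octets = 1..4 | ForEach-Object { [int]$Matches[$_] }
    $port   = ([int]$Matches[5] * 256) + [int]$Matches[6]
    [pscustomobject]@{
        Mode      = $mode
        Address   = ($octets -join '.')
        Port      = $port
        Direction = $direction
    }
}

function Test-DataPortInRange {
    # A filter should permit only data ports inside the published range
    # (assumed 5000-5100 here) and refuse anything else, including a PORT
    # command that tries to point the server at a privileged port.
    param([int]$Port, [int]$Low = 5000, [int]$High = 5100)
    return ($Port -ge $Low -and $Port -le $High)
}

# Constructed control-channel lines (not a real capture): an active-mode
# PORT command, a passive-mode 227 reply, and a PORT command aimed at port 22.
'PORT 192,168,1,25,4,210',
'227 Entering Passive Mode (203,0,113,10,19,136)',
'PORT 10,0,0,5,0,22' | ForEach-Object {
    $ep = ConvertFrom-FtpEndpoint $_
    if ($ep) {
        $ok = Test-DataPortInRange -Port $ep.Port
        '{0,-7} {1}:{2,-5} {3,-22} in range: {4}' -f $ep.Mode, $ep.Address, $ep.Port, $ep.Direction, $ok
    }
}

# Part 2: on an IIS FTP server, fix the passive data range so the firewall
# can open exactly those ports, then turn on stateful FTP inspection. Only
# runs where the Microsoft FTP Service (ftpsvc) is installed; run elevated.
if (Get-Service -Name ftpsvc -ErrorAction SilentlyContinue) {
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.ftpServer/firewallSupport' `
        -Name 'lowDataChannelPort' -Value 5000
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.ftpServer/firewallSupport' `
        -Name 'highDataChannelPort' -Value 5100
    Restart-Service -Name ftpsvc    # the range change takes effect on restart
    netsh advfirewall set global StatefulFtp enable | Out-Null
}
```

The first part runs on any machine with PowerShell and prints one line per decoded endpoint; the third constructed line is a PORT command pointing at port 22, exactly the kind of request the range check must refuse. One caveat practitioners should keep in mind: stateful inspection can only read PORT and PASV when the control channel is in the clear, so once FTP over TLS is used the firewall cannot learn the negotiated port, and a fixed passive range opened with ordinary static rules is the only workable configuration.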
A common security precaution is to keep separate servers for internal and external applications. Organizations typically have two classes of web applications, those used by internal users and those used by external users, and placing them on different servers is a standard recommendation. It is prudent because it reduces the risk of an attacker, or a user turned attacker, breaking into the external server and reaching internal resources that are sensitive and private. Where the resources to implement this recommendation are lacking, technical controls should be used to keep the external applications from reaching the internal ones. One such mechanism is process isolation. IIS 8.5 offers application isolation through separate application pools, each running under its own identity, so that applications for internal users are isolated from applications for external users. This provides a firm security boundary.
IIS 8.5 in Windows Server 2012 R2 also provides a secure, modular, extensible and easy-to-manage platform for hosting websites, services and applications. Choice and control are available without compromising security or reliability. Many IIS extensions allow existing features to be customized and new ones to be added; Application Request Routing and load balancing are examples of such extensions. Other benefits include the ability to maximize web security while reducing the server footprint, easy deployment, and running ASP.NET and PHP web applications on the same server.
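The following PowerShell script is an added example, not code from the paper or from Microsoft, of the application-isolation control described above on a single IIS 8.5 host. It gives an internal and an external site their own application pools, runs each pool under its own virtual account (`IIS AppPool\<pool name>`), binds each site to a different IP address, and sets NTFS permissions so that one pool's identity cannot read the other site's content. The site names, paths and IP addresses are assumptions for illustration; the cmdlets come from the WebAdministration module that ships with the Web-Server role and the script must run elevated.

```powershell
# Added example (not from the paper): isolate an internal and an external web
# application on one IIS 8.5 host with separate application pools, separate
# pool identities, separate bindings and per-site NTFS permissions.
Import-Module WebAdministration

# Assumed names, content paths and addresses for the two sites.
$sites = @(
    @{ Name = 'ExternalPortal'; Path = 'C:\inetpub\external'; Ip = '203.0.113.10' },
    @{ Name = 'InternalTools';  Path = 'C:\inetpub\internal'; Ip = '10.0.0.10'    }
)

foreach ($s in $sites) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # One application pool per site. ApplicationPoolIdentity gives each pool
    # a distinct virtual account, "IIS AppPool\<pool name>", with no password
    # to manage and no rights beyond what is granted on the file system.
    if (-not (Test-Path "IIS:\AppPools\$($s.Name)")) {
        New-WebAppPool -Name $s.Name | Out-Null
    }
    Set-ItemProperty "IIS:\AppPools\$($s.Name)" -Name processModel.identityType `
        -Value ApplicationPoolIdentity

    # One site per pool, bound to its own address so the external site can be
    # reached only through the public interface and the internal site only
    # through the internal one. The external site should additionally get an
    # HTTPS binding (New-WebBinding -Protocol https) once a certificate exists.
    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -ApplicationPool $s.Name `
            -IPAddress $s.Ip -Port 80 | Out-Null
    }

    # Lock the content directory: drop inherited ACEs, then grant read and
    # execute only to this pool's identity, plus full control to
    # Administrators and SYSTEM for operations.
    $identity = "IIS AppPool\$($s.Name)"
    icacls $s.Path /inheritance:r | Out-Null
    icacls $s.Path /grant:r "${identity}:(OI)(CI)RX" `
                            'BUILTIN\Administrators:(OI)(CI)F' `
                            'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

# Verify: each content directory should list exactly one IIS AppPool identity,
# its own, with read and execute rights and nothing more.
foreach ($s in $sites) {
    (Get-Acl $s.Path).Access |
        Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
        Select-Object @{ n = 'Site'; e = { $s.Name } }, IdentityReference, FileSystemRights
}
```

The verification loop at the end is the check worth keeping in a hardening checklist: if a directory shows a second `IIS AppPool\` identity, or `Users` or `Everyone` has crept back through inheritance, the isolation the paper describes is no longer in force.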
Disaster recovery plan
A disaster recovery plan can be built around IIS servers, but there are important considerations to address at installation. Making the hardware redundant in as many components as possible and using Norton Ghost to image the partition holding the fresh installation are two examples of best practice. Backing up all website data and documenting all file locations is also advisable. Above all, the backup tapes must be stored securely, whether on site or off site.
A disaster recovery plan starts with hardware documentation. Aspects such as the CPU speed, the server model and the number of processors, among others, need to be recorded.
Second, backup routines are as essential as the backups themselves. For instance, backup servers and their operational capacity must be tested by running a restore as if a disaster had already occurred.
Third, the hotfixes that have been applied need to be tracked. Recording their Q (Knowledge Base) numbers allows each applied hotfix to be looked up in Microsoft's online Knowledge Base. IIS 5.0 shipped with a proactive Hotfix Checking tool that verifies which hotfixes are installed.
Finally, there are procedures for backing up the servers themselves: backing up the metabase, backing up the ODBC configuration, and change management. Backing up the metabase is the first step in any server backup; if the metabase is not backed up, the IIS configuration will very likely have to be recreated by hand after a disaster. In IIS 7 and later the metabase has been replaced by the XML configuration files under %windir%\System32\inetsrv\config, chiefly applicationHost.config, which must be backed up in the same way. With respect to ODBC drivers, where a site is database driven, the data sources each driver uses need to be documented and backed up appropriately.
A change management system of some kind needs to be in place and treated as a control. Documentation should be kept near the servers, and the procedure should require that any time a person makes a change, both the procedure followed and the change itself are written down.
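The following PowerShell script is an added example, not code from the paper or from Microsoft, that carries out the record-keeping steps above in one pass on an IIS 7.0 or later host: it documents the hardware, lists the installed hotfixes by KB number, takes an IIS configuration backup (the IIS 7+ equivalent of a metabase backup), records the ODBC data sources and the site inventory, and writes everything as a dated change record that a recovery operator can start from. The output location `D:\DR`, the backup name and the "Reason" field are assumptions for illustration; `Backup-WebConfiguration`, `Get-WebConfigurationBackup`, `Get-HotFix` and `Get-OdbcDsn` are the real cmdlets, and the script must run elevated.

```powershell
# Added example (not from the paper): one script that performs the disaster
# recovery record-keeping steps on an IIS 7.0+ host and leaves a dated,
# self-describing snapshot. Run elevated; needs the WebAdministration module.
Import-Module WebAdministration

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path 'D:\DR' $stamp            # assumed: a volume that is itself backed up
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Hardware and OS documentation: CPU speed, processor count, memory, OS.
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance Win32_ComputerSystem
$os  = Get-CimInstance Win32_OperatingSystem
$hardware = [ordered]@{
    Host        = $cs.Name
    Model       = $cs.Model
    Processors  = $cs.NumberOfProcessors
    CoresPerCpu = $cpu.NumberOfCores
    CpuMHz      = $cpu.MaxClockSpeed
    MemoryGB    = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    OS          = "$($os.Caption) $($os.Version)"
}

# 2. Hotfix tracking: installed updates by KB number and install date.
$hotfixes = Get-HotFix | Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn

# 3. IIS configuration backup. Backup-WebConfiguration copies
#    applicationHost.config and the other files under
#    %windir%\System32\inetsrv\config into inetsrv\backup\<name>.
$backupName = "dr-$stamp"
Backup-WebConfiguration -Name $backupName | Out-Null
$backupPath = Join-Path $env:windir "System32\inetsrv\backup\$backupName"
Copy-Item -Path $backupPath -Destination (Join-Path $outDir 'iis-config') -Recurse

# 4. ODBC data sources that database-driven sites depend on.
$dsns = Get-OdbcDsn | Select-Object Name, DsnType, DriverName, Platform

# 5. Site and application pool inventory: what must exist after a restore.
$siteList = Get-Website | Select-Object Name, PhysicalPath, ApplicationPool,
    @{ n = 'Bindings'; e = { ($_.Bindings.Collection | ForEach-Object { $_.bindingInformation }) -join '; ' } }

# 6. Change record: who took the snapshot, when, and why.
$record = [ordered]@{
    TakenAt   = (Get-Date).ToString('o')
    TakenBy   = "$env:USERDOMAIN\$env:USERNAME"
    Reason    = 'scheduled DR snapshot'       # assumed; fill from the change ticket
    Hardware  = $hardware
    Hotfixes  = $hotfixes
    IisBackup = $backupName
    OdbcDsns  = $dsns
    Sites     = $siteList
}
$record | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $outDir 'dr-record.json')

# Verify the IIS backup is registered before declaring the snapshot complete.
if (-not (Get-WebConfigurationBackup -Name $backupName)) {
    throw "IIS configuration backup $backupName was not created"
}
"DR snapshot written to $outDir"
```

Restoring the configuration on a rebuilt host is `Restore-WebConfiguration -Name <backup name>` after the `iis-config` folder has been copied back under `inetsrv\backup`. The restore drill the paper calls for should exercise exactly that path on a spare server, and the `dr-record.json` file tells the operator which hotfixes and ODBC data sources must be in place before the sites will work.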
Other methods of server recovery involve having other servers off site ready to take over operations in case of a failure, or having a vendor who can supply new equipment at short notice.
The strength of backing up files, processes and systems in the way recommended above is that the organization can recover quickly from a wide range of disasters. Knowing where to start, where all backup files and folders are, and which hotfixes have been applied to the system will guide whoever conducts the recovery efficiently and effectively.
Challenges and mitigation
A level of preparedness is required for any emergency, and there should always be a plan A and a plan B. With a well-laid plan, systems can be running again within hours or days. This is often not the case, however: organizations with well-tested recovery plans recover much faster than those with sketchy ones.