Guidelines on Securing Public Web Servers
Are the additional costs of purchasing and supporting a TOS outweighed by the
benefits?
Is the TOS compatible with the organization's existing Web applications and scripts?
3.6.2 Web Server Appliances
A relatively recent development in the Web server market is the Web appliance: a
combined hardware and software package designed to be a plug-and-play Web server. These
appliances run a simplified operating system that is optimized to support a Web server.
The simplified operating system improves security by minimizing unnecessary features,
services, and options, which reduces the attack surface an intruder can work against. The
Web server application on these systems is often pre-hardened and preconfigured for security.
These systems offer other benefits in addition to security. Performance is often enhanced
because the whole system (operating system, Web server application, and hardware) is
designed and built specifically to operate as a Web server. Cost is often reduced because
hardware and software not needed by a Web server is left out. These systems can be an
excellent option for small to mid-sized organizations that cannot afford a full-time Web
administrator.
The greatest weakness of these systems is that they are not suitable for large, complex,
multi-layered Web sites. They may also be inappropriate for organizations that require more
than one server, unless the organization is willing to purchase all of its Web appliances from
a single vendor, since their simplicity makes it difficult to configure Web appliances from
different vendors to work together. Web appliances are available from most major hardware
vendors and from a variety of specialized vendors that concentrate solely on Web appliances.
Some items to consider when contemplating the purchase of a Web appliance:
What is the underlying operating system and how has it fared in security testing?
How has the Web appliance itself fared in security testing? (Note that the
configuration options of Web appliances are necessarily limited, so a Web appliance
will generally be only as secure as its default install.)
How heterogeneous is the organization's Web server infrastructure? (Different brands
of Web appliances do not generally work well together.)
Are the limited expansion options inherent in Web appliances acceptable to the
organization? (Organizations that are anticipating or experiencing rapid growth in
Web traffic may not wish to limit themselves to a Web appliance.)
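The security benefit claimed above for appliances and pre-hardened systems, a minimal set of exposed services, is something an administrator can verify rather than take on trust, and the "only as secure as its default install" caveat makes that check worth running on day one. The following script is an added example and is not part of the guideline; it assumes a Linux host where the listening sockets can be read with `ss -Hlntu` (header suppressed; fields are Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), and the sample input and the `audit_listeners` function name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the NIST guideline: audit the listening sockets of
# a freshly installed Web server or appliance against the short list of services
# it is supposed to expose. Anything else is a candidate for disabling or removal.
#
# Input is the output of `ss -Hlntu` on Linux (no header; fields are
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port); that
# column layout is the only assumption made about the platform.

# audit_listeners "<allowlist>" "<ss output>"
#   allowlist: space-separated proto/port entries, e.g. "tcp/80 tcp/443"
#   Prints one line per unexpected proto/port and returns their count
#   (0 means the host exposes only what the allowlist permits).
audit_listeners() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN {
            bad = 0
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only listening TCP sockets and bound UDP sockets are of interest;
        # this also skips a header line if one slipped through.
        ($2 == "LISTEN" || $2 == "UNCONN") && NF >= 5 {
            port = $5
            sub(/.*:/, "", port)           # "0.0.0.0:22" or "[::]:22" -> "22"
            key = $1 "/" port
            if (!(key in ok) && !(key in seen)) {
                seen[key] = 1
                print "unexpected listener: " key
                bad++
            }
        }
        END { exit bad }'
}

# Constructed sample: what a "default install" might show when it still ships
# SSH, FTP and SNMP alongside the HTTP/HTTPS listeners we actually want.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:80   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 50  0.0.0.0:21   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161  0.0.0.0:*'

# What a public Web server should expose; adjust per host (an SSH
# management port would be allowed only from a management network).
EXPECTED="tcp/80 tcp/443"

# Run against the constructed sample; on a real host use:
#   audit_listeners "$EXPECTED" "$(ss -Hlntu)"
audit_listeners "$EXPECTED" "$SAMPLE_SS" || echo "$? unexpected listener(s) found"
```

The return value is the number of distinct unexpected proto/port pairs, so the same function can gate a build pipeline or a post-install acceptance test: a non-zero status means the image or appliance is exposing something its documentation did not promise, and that service needs to be either justified and added to the allowlist or removed before the host goes public.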
3.6.3 Pre-hardened Operating Systems and Web Servers
A growing number of pre-hardened operating system and Web server packages are being
distributed today. These packages include an operating system and Web server application
that have been modified and preconfigured to provide high security. Some of these packages
include the hardware platform, while others are software distributions that include only the
operating system and Web server application. These distributions are generally based on
hardened and/or modified general-purpose operating systems (e.g., Linux, Unix, and, less
often, Windows) that are specifically configured to support a secure Web server. The Web server