The ability to host multiple Web sites on a single server system represents a significant priority for many corporate customers and ISPs. By providing this capability, a considerable amount of resources can be saved by not using multiple servers, by reducing administration costs, and so forth. Things to look for in a multiple-site hosting solution are as follows:
- Ability to host multiple sites from a single software installation.
- Each site should have its own unique configuration but be centrally manageable.
- Host headers and multiple TCP/IP address hosting should be supported.
- Bandwidth throttling to ensure that all traffic can get through and that no site can overtax the Web server system.
- CPU throttling to ensure that no Web application can overcome the CPU, and that adequate processor time is available for all Web applications.
Through Sun WebServer 2.1, Solaris 7 supports a scalable virtual hosting service. Virtual hosting allows multiple sites to be hosted on a single server. Multiple sites are supported either via multiple TCP/IP addresses or host headers, allowing for multiple sites to be hosted on a machine with a single or limited number of TCP/IP addresses.
Sun WebServer 2.1 supports server-level and site-level administration as well as delegation of administration. Domain-based virtual hosting allows unique name spaces (user domains) to be assigned to each site on the server. Administration delegation and domain-based hosting are especially beneficial to ISPs hosting multiple sites. They can have separate account databases for each site, and each domain can be securely controlled by its own administrator.
Sun WebServer offers the ability to host multiple virtual Web sites (up to eight according to the documentation, 24 according to the information on the Sun WebServer website). Also, the Solaris 7 product license for Sun WebServer 2.1 allows the Web server software to be installed on up to four machines.
Windows NT Server 4.0 Implementation Details
Virtual Servers (multiple Web sites) are supported per machine, providing for maximum flexibility in environments where multiple site hosting is required. Multiple sites are supported either via multiple TCP/IP addresses or host headers, allowing for multiple sites to be hosted on a machine with a single or limited number of TCP/IP addresses.
In addition to support for virtual servers, Windows NT Server 4.0 provides a number of other features to enhance the multi-site hosting capabilities of the Web server. These include:
- Web Site Operators – Administrators can be assigned management privileges on an individual Web site basis. This allows organizations to host multiple Web sites on a single server, while keeping the administration of the individual Web sites separate.
- Bandwidth Throttling – Where bandwidth is limited, the server administrator can set the amount of bandwidth each site on a server with multiple sites can use.
Windows 2000 Server Implementation Details
Windows 2000 Server builds on the features in Windows NT Server 4.0 to provide an even stronger solution for hosting multiple Web sites on a single server. New features include:
- Process Accounting, which provides system administrators information about how Web sites use CPU resources on the server. This feature can be enabled and customized on a per-site basis. It provides many benefits to administrators, especially in multi-site environments. It can identify rogue scripts that are eating CPU cycles or malfunctioning processes, helping to ensure that processor time is available to other Web sites or applications.
- CPU Throttling, which uses the Job Object in Windows 2000 Server to allow administrators to limit the amount of CPU processing time a Web application or site can use over a period of time. CPU Throttling provides several benefits to users, especially those running multiple sites or applications on the same server. It limits the amount of time a Web site’s applications are allowed to use the CPU, ensuring that processor time is available to other Web sites or non-Web applications.
- Multiple User Domains, which allow unique name spaces to be assigned to each site on the IIS server. This feature is especially beneficial to ISPs hosting multiple sites. It allows separate account databases for each site and allows each domain to be securely controlled by its own administrator.
Multi-Site Web Hosting Summary
Windows 2000 Server provides Process Accounting, which allows administrators to track CPU usage on a per-site basis, greatly easing management tasks. It also provides CPU Throttling, allowing CPU time to be limited on a per site or per application basis. Finally, the ability to have multiple user databases (domains) for each site makes it an excellent choice for Internet Service Providers.
Windows NT Server 4.0 provides a true multiple-site hosting environment: multiple virtual servers, each centrally manageable but with its own unique configuration. In conjunction with Windows 2000 Server, it is the only solution to provide bandwidth throttling and delegated administration capabilities.
Sun WebServer 2.1 offers the ability to host multiple virtual Web sites and to delegate administration. While these features are adequate for most needs, administrators will miss the throttling and process accounting functions of more full-featured Web servers, such as IIS 5.0.
Internet Security
Internet security is a major concern to any organization providing information and services over the Internet. It is critical that a Web server solution provide:
- Authentication – A way for clients using a Web browser to authenticate themselves to the Web server. The solution should include support for standard authentication protocols such as Basic and Digest Authentication for use over the Internet, and single sign-on services for authentication in a trusted domain such as an intranet.
- Encryption – Support for standard Secure Sockets Layer (SSL) encryption in both standard (40-bit) and strong (128-bit) encryption strengths.
- Access Control – The ability to control which files users can access.
- IP Security – The ability to grant/deny access based on the IP address and/or domain of the end user.
Solaris 7 Implementation Details
The specifics of the Solaris 7 Internet security infrastructure are as follows:
- Authentication – Support for standard authentication features is fair. Both Basic Authentication and encrypted authentication are supported. Basic X.509 certificate-based authentication is also supported. Operating system integration for user account authentication is available through the /etc/passwd and /etc/shadow files, but direct integration in this manner is not recommended by Sun and may open the system to attacks or other serious security problems.
- Encryption – Support for Secure Sockets Layer (SSL) encryption is provided, for both 40-bit and 128-bit Strong SSL encryption.
- Access Control – Access can be restricted on a per-user basis either using the integrated account database or user accounts from an LDAP-compliant directory, such as Novell NDS or Microsoft Active Directory.
- IP Security – Sun WebServer 2.1 provides a comprehensive security implementation to restrict access to content. Access to content can be restricted on a per-user, TCP/IP address, or DNS domain basis.
Windows NT Server 4.0 Implementation Details
The specifics of the Windows NT Server 4.0 Internet security infrastructure are as follows:
- Authentication – A comprehensive array of authentication options is provided with the Web services present in Windows NT Server 4.0. Support for both basic (non-encrypted) and NTLM (encrypted) password authentication is provided when authenticating against the Windows NT Server directory. Authentication is based on Windows NT Server 4.0 domain and local user account databases. This provides for complete, native integration with the Windows NT Server 4.0 security model and eliminates the need for account synchronization or separate user account databases. Additionally, X.509 client certificates can be mapped to Windows NT user accounts for security authentication using digital certificates.
- Encryption – Secure Sockets Layer (SSL) data encryption is fully integrated into IIS 4.0. Support for both 40-bit and 128-bit strong encryption provides complete encryption support for virtually any scenario. Server Gated Cryptography is also supported, for the strongest (128-bit) encryption possible for completely secure online transactions for customers such as international banks.
- Access Control – Since IIS is an integrated service, it leverages the security infrastructure built into Windows NT Server. Therefore access to files from Web browsers is controlled by adding a user to the Access Control List (ACL) for a file or group of files. This is the same procedure an administrator would follow to provide access to a file on a file server, thus eliminating the need for an administrator to learn a new security model.
- IP Security – Content can be restricted based on user accounts, TCP/IP addresses, DNS domain names, or any combination thereof.
Windows 2000 Server Implementation Details
The Windows 2000 Server security infrastructure adds a number of features to make it easier for administrators to secure their Web servers. These include:
- Certificate Wizard provides a tool to automate and ease the often-difficult task of setting up SSL-encrypted Internet services. The Certificate Wizard allows administrators to quickly and easily deploy encryption technologies without the difficult setup process in prior versions and products from the competition.
- Permission Wizard provides a tool to automate the tasks of configuring security permissions and authenticated access on IIS 5.0 sites. The Permission Wizard makes it easier to set up and manage Web sites that require authenticated access to content, lowering administrative overhead and total cost of ownership.
Finally, to keep in line with Internet standards, Windows 2000 Server provides full support for Digest Authentication. Digest Authentication offers the same features as Basic (unencrypted) password authentication, but involves a different way of transmitting the authentication credentials. Basic authentication sends passwords over the Internet as clear text; digest resolves this issue by obfuscating the password on the wire. This provides a considerable benefit to users with browsers supporting Digest Authentication, as it allows them to authenticate to an IIS 5.0 server without compromising their login credentials.
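The difference between the two schemes can be seen by building both headers for the same account. The following is an added example, not part of the original paper or of any IIS code: the function names are hypothetical, the Digest calculation is the qop=auth form from RFC 2617, and the sample user, realm, password and nonce values are the ones used in that RFC's worked example.

```python
import base64
import hashlib
import hmac

# Sample values from the RFC 2617 worked example (not from this paper).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: the credentials are only base64-encoded, not protected."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header):
    """What any observer of the connection can recover from a Basic header."""
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest (qop=auth): only a hash bound to the server nonce is sent."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server recomputes the hash from its stored HA1 and its own nonce."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print(decode_basic(basic_header(USER, PASSWORD)))  # password recovered
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    resp = digest_response(ha1, "GET", "/dir/index.html", NONCE, NC, CNONCE)
    print(resp)  # hash only; the password never appears on the wire
    # A response captured under one nonce fails once the server issues another.
    print(server_verify(ha1, "GET", "/dir/index.html", "constructed-new-nonce",
                        NC, CNONCE, resp))
```

Digest protects only the credential exchange: it relies on MD5 and leaves the request and response bodies unencrypted, so it complements SSL rather than replacing it.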
Internet Security Summary
Windows 2000 Server provides a complete standards-based Internet security infrastructure. It integrates with the Windows 2000 security environment to provide administrators with a single directory of users to manage. Additionally, once users are authenticated to a Windows 2000 domain, they don’t need to log on to the Web server separately. It is the only solution to offer such key features as digest authentication. With its Permissions and Certificate Wizards, it is the easiest solution to administer.
Windows NT Server 4.0 provides full integration with the operating system security environment while also providing support for Internet standard security protocols such as basic and X.509 digital certificate authentication and SSL encryption.
Solaris 7 and Sun WebServer 2.1 support standard authentication techniques but don’t offer much beyond the basics. Furthermore, while access controls are available, these controls aren’t integrated with the operating system.