in reply to Re^3: LAMP svrs - 1 or 2 is best ?
in thread LAMP svrs - 1 or 2 is best ?

While I agree that having db and webserver on a different machine can provide an additional layer of protection (for instance against an attack where the root-account on your webserver is compromised), I want to warn against a 'put a firewall in between and you're safe'-view. I think this is too simplistic. Firewalls are often seen as a magic box that makes your network safe. To increase your network security, stuff like good intrusion detection (both on network and on a local machine), good backup/recovery procedures and common sense are as important, if not more important.

There are tons of exploits in web/database apps, and common errors programmers make (not using placeholders while using DBI for instance) that use the webserver-to-database channel to get to the database; no firewall will help you here, as you state yourself.

I highly recommend reading Bruce Schneier's 'Secrets and Lies' for a good holistic view of security. Especially the part on attack trees (building a tree of the most likely way a hacker will attack you) is very interesting.

mmm, we're deviating a lot from the OP question, I'll stop muttering.
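
The DBI placeholder point from the post above, as an added example that is not part of the original post: the same lookup written with string interpolation and with a bound placeholder. Both statements travel over the one webserver-to-database connection a firewall has to allow. The in-memory SQLite database (DBD::SQLite), the `users` table, the sub names and all sample values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: constructed schema and data, in-memory SQLite via DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (name TEXT, secret TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, secret) VALUES (?, ?)');
$ins->execute(@$_) for (['alice', 'a-secret'], ['bob', 'b-secret']);

# Constructed hostile value for a form field that should hold one user name.
my $input = q{nobody' OR '1'='1};

# Weak: the value is pasted into the SQL text, so its quote characters
# become part of the statement and change the WHERE clause.
sub lookup_interpolated {
    my ($name) = @_;
    return $dbh->selectall_arrayref(
        "SELECT name, secret FROM users WHERE name = '$name'");
}

# Corrected: the statement text is fixed and the value is bound to the
# placeholder, so the driver treats it purely as data to compare against.
sub lookup_placeholder {
    my ($name) = @_;
    return $dbh->selectall_arrayref(
        'SELECT name, secret FROM users WHERE name = ?', undef, $name);
}

# Report how many rows each form returns for the same input.
printf "interpolated, hostile input: %d row(s)\n",
    scalar @{ lookup_interpolated($input) };
printf "placeholder, hostile input:  %d row(s)\n",
    scalar @{ lookup_placeholder($input) };
printf "placeholder, name 'alice':   %d row(s)\n",
    scalar @{ lookup_placeholder('alice') };
```

The interpolated form returns every row in the table for the hostile value, while the placeholder form returns none because no user has that literal name.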

Re^5: LAMP svrs - 1 or 2 is best ?
by dragonchild (Archbishop) on May 11, 2005 at 12:43 UTC
    I will wholeheartedly agree that a firewall isn't a magic box that will make you secure. It's a necessary, but not sufficient, requirement for being secure. And, it needs to be done with everything else in mind.

    My entire point is that you separate your servers for security-based reasons, not performance ones. The performance reasons are usually non-existent.


    • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
    • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"