
RE: 9ias Vs IIS

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Thu, 29 Nov 2001 11:00:28 -0800
Message-ID: <F001.003D0E05.20011129104105@fatcity.com>

Try SANS.
Also do a search in Google for ISN News or for IIS hacking or IIS security, I'm sure you will come up with something. Yahoo, C|Net, Wired, Register also have articles on IIS, I am convinced.

You can also go to http://www.microsoft.com/security and do a graph showing how many patches they released in the last three years for IIS 4 and IIS 5, and what it takes to secure an NT server (there is a security checklist for NT servers, the same thing probably exists for Windows 2000 servers). Once you secure your web server, what happens when service packs have to be applied, admin time to keep everything up-to-date, etc.

That is the clincher, the time it takes to administer NT in a secure environment, they must take that into account when they do cost analyses.

Extract from this morning's SANS newsletter:

*       19 & 20 November 2001  Microsoft Apologizes, Admits it Knew of Vulnerability

Microsoft apologized for "inaccurate" statements regarding an Internet Explorer (IE) vulnerability disclosed by Online Solutions. Initially, Microsoft blasted Online Solutions for making the vulnerability public on November 8, but then admitted that the security company had notified them of the problem a week before.
http://news.cnet.com/news/0-1003-200-7920273.html?tag=prntfr
http://www.theregister.co.uk/content/55/22935.html


I used to subscribe to ISN News e-zine, I liked it a lot - after parsing through the e-mails from that listserv you will be convinced it's not a fun world out there.
Maybe after Sept 11th and additional powers for CIA, FBI, NSA and other agencies, hacking will go way down. (?). You might want to search the ISN News archives, there must be stuff in there.

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

        -----Original Message-----
        From:   Sunny Verghese [SMTP:vsgeorge70_at_hotmail.com]
        Sent:   Thursday, November 29, 2001 12:04 AM
        To:     Multiple recipients of list ORACLE-L
        Subject:        RE: 9ias Vs IIS

        Thanks for your inputs.
        I'd like some concrete data on Security issues with IIS. Do you know of any
        sites for this ??? You know how it is, I can't just go to management and
        tell them that it's not very secure, I need to prove it with data (To make
        this all the more interesting I'm contracting with a state agency right
        now... you can imagine the managers there....... No offense to any State
        "managers" in this group :-) !!!)


>From: schmoldt_at_fyiowa.com
>Reply-To: ORACLE-L_at_fatcity.com
>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
>Subject: RE: 9ias Vs IIS
>Date: Wed, 28 Nov 2001 15:00:26 -0800
>
>I'm not a web expert either ... we're just starting to look at web-enabling
>our forms.
>
>But one big potential drawback to using IIS would be security issues. It's
>the most-targeted and most-hacked server out there. Someone will need to be
>applying patches constantly and hoping for the best.
>
>Ask the new guys when was the last time they had to deal with a
>security/hacker problem with your current 9iAS/Apache setup. :-) Not that
>it can't be hacked ... but the hackers tend to focus on the easiest target.
>
> > -----Original Message-----
> > From: Sunny Verghese [mailto:vsgeorge70_at_hotmail.com]
> > Sent: Wednesday, November 28, 2001 2:14 PM
> > To: Multiple recipients of list ORACLE-L
> > Subject: 9ias Vs IIS
> >
> >
> > Briefly, our current setup includes Web enabled forms (PL/SQL Cartridges)
> > accessing an 8i database via 9ias (currently OAS 4.2 but will be moving to
> > 9ias in a month). Btw, we also use ORACLE APPS (11i) using the same Web
> > Server (apps and ias handled by another dba... thankfully :-) ......)
> >
> > For a new system (requirement : ability for customers to upload files (xml,
> > fixed format text file or spreadsheet, or enter data via a form. Need only
> > specific people to be able to upload these files. Files need to be
> > transmitted and saved securely...... Digital signature ?. These files could
> > be required later (Law suit)) that we are looking at, a couple of new guys
> > (who believe that the Sun rises and sets because of Microsoft !!!!) are
> > proposing using IIS --> ASP --> OEMDB --> ORACLE database (existing DB).
> > They also have a problem with IIS --> JSP --> JDBC --> ORACLE DB (they claim
> > JSP would be an overhead on IIS and would slow it down)
> >
> > I don't know the web stuff well enough (Obviously :-) !!!) to see the holes
> > (if any) in this approach. Their complaint is that 9ias is slow (or in their
> > words, ORACLE should stay with databases and not get into the Web server
> > world !!!)
> >
> > Opinions / Info that would help ?????
> >
> > Thanks,
> > Sunny
> >
> >
>
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.com
>--
>Author: Sunny Verghese
> INET: vsgeorge70_at_hotmail.com
>
>Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
>San Diego, California -- Public Internet access / Mailing Lists
>--------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).
Received on Thu Nov 29 2001 - 13:00:28 CST
