Apache and IIP web server (1 Viewer)

[Ryan_M_M]

Can anyone explain the difference between Apache and IIP web server, giving examples maybe in articles on the net? I am totally stuck on finding any information which compares both products.

 

[Clark F]

I can provide some information. I work in IT, but NOT with web servers.
IIS runs on the windows operating system, Apache runs on the Linux Operating System.
IIS has the typical Windows graphical interface for configuration and administration, Apache has a text file for all the configuration information.
Both have had their vulnerabilities to hackers, which get closed by patches.

I have not run benchmarks or read any benchmarking results, but I would expect the Apache/Linux combination to requires less hardware resources than IIS/Windows to do the same work.

I searched in Yahoo for "Apache versus IIS" and found a number of hits, like this one.

Apache versus IIS

I hope this helps...

 

[Kevin P]

Apache can run in Windows too. IIS offers Active Server Pages (.ASP), Apache can run PHP, Cold Fusion, and other active page solutions. Beyond that I don't know much about Apache.

KJP

 

[John_Berger]

Apache is available for just about every operating system that's out there - Windows, Solaris, Linux, and so forth.

IIS is strictly Microsoft. That alone is enough reason to be concerned.

Be aware also that there have been numerous bugs, worms, and security concerns with IIS. Apache has a few, but fortunately simply running Apache usually does not create a security concern. Because of Microsoft ridiculous tendency to integrate their products with VB and so forth, IIS can cause a lot of security problems, particularly with the amount of worms and virii that are written specifically to exploit weaknesses in IIS.

Apache also has numerous plug-in options. You can have Apache integrate with Perl, PHP, server side includes, SSL encryption (HTTPS), Cold Fusion, and numerous other objects. And of course all of this functionality is free.

It's no secret that I'm anti-Microsoft; however, unless you plan on keeping up to date with all IIS patches that come out and you plan on having the web server in a completely isolated condition, go with Apache.

And contrary to Microsoft FUD, Apache is very easy to configure.

 

[Patrick Larkin]

Apache is open source thus FREE. It runs on any Unix, including MacOS X (in fact it is bundled with EVERY Mac).

Apache runs more web servers on the planet than any other competitor.

 

[Shayne Lebrun]

Be aware also that there have been numerous bugs, worms, and security concerns with IIS. Apache has a few, but fortunately simply running Apache usually does not create a security concern. Because of Microsoft ridiculous tendency to integrate their products with VB and so forth, IIS can cause a lot of security problems, particularly with the amount of worms and virii that are written specifically to exploit weaknesses in IIS.

Apache also has numerous plug-in options. You can have Apache integrate with Perl, PHP, server side includes, SSL encryption (HTTPS), Cold Fusion, and numerous other objects. And of course all of this functionality is free.

Apache is a web server. IIS is an application server. Once you start plugging mod_moreorlessanything into Apache, you start opening up holes.

When you get right down to it, though, your installation is only going to be as secure as you make it; IIS is no more or less difficult to secure or harden than Apache is; most people just don't bother, then blame Microsoft when they get cracked.

Case in point; the vaunted Code Red/Nimda was NOT an IIS exploit; it was an Index Server exploit. People who had read the default security checklist and turned off the Index Server bits, or who had installed the patch which was available for MONTHS before virus went around, were fine.

 

[Patrick Larkin]

IIS will never be as secure as Apache. Windows will never be as secure as Unix.

 

[Shayne Lebrun]

IIS will never be as secure as Apache. Windows will never be as secure as Unix.

Hmmm. And I seem to remember the days when you could get root on, say, sendmail, just by asking for it.

UNIX isn't a secure OS; hell, it was designed to be a LESS SECURE version of MULTICS. It has, however, the virture of thirty some-odd years of being beaten upon going for it.

Go find the big fat Practical UNIX And Internet Security book. Or some of the stats on exactly how long, say, a Red Hat 6.x install can be on the Internet before it's owned. Here's a hint; 31 hours.

UNIX is no more inherently secure than Windows NT is; hell, in a lot of ways, it's less secure. No ACLs, for example. Of course, saying UNIX is a bit of a misnomer, but the basic truth remains; ANY installation is only as secure as you make it. The fact that Microsoft is learning some rather harsh lessons in NO way obviates the fact that the major UNIX vendors learned those EXACT same lessons fifteen years ago.

 

[Patrick Larkin]

Using Red Hat as an example of a secure *nix is a bit of a stretch. Its not called "Root Hat" for nothing. (and Red Hat's problems were that their distribution's install defaulted to a lot of unsecured serviced turned ON. bad mistake for the hobbyist trying to learn Linux.)

The facts are that unix and apache were NEVER as easy to crack as IIS/Windows. There are nowhere near the number of exploits on a unix box as a windows box. and the exploits just keep on coming.

UNIX is no more inherently secure than Windows NT

Yes, it is.

 

[Shayne Lebrun]

I'm sorry, but how can you in the same breath refer to a UNIX as 'root hat,' then claim that it's inherently more secure than Windows?

I remember the time when typing 'wizard' or 'debug' would get your root via sendmail; Windows doesn't make it quite that easy.

 

[Ryan_M_M]

Is IIP webserver and IIS the exact same thing?

 

[Shayne Lebrun]

I think the IIP is a typo for IIS.

 

[Greg Rowe]

One note... Apache can serve up ASP pages as well using mod_asp. I am sure there are limitations but you can do it.

Having administered both IIS and Apache I can give you some advice. IIS is easier to initially get setup and running, however, as soon as you want to do something the designers didn't plan for it becomes nearly impossible. With Apache there is a slightly higher learning curve but the nebefits you recieve are worth it by far.

It is also MUCH easier to find documenation regarding configuring apache that it is IIS. It has been my experience the "Windows users" tend not to share information as readily as "UNIX users". That's just my opinion.

Greg

 

[Patrick Larkin]

I'm sorry, but how can you in the same breath refer to a UNIX as 'root hat,' then claim that it's inherently more secure than Windows?

I did not refer to UNIX as "root hat" ... I referred to a single distribution of LINUX (Red Hat) as root hat. By comparison, BSD or MacOS X install with services OFF by default, not the opposite.

 

[Shayne Lebrun]

Note the phrase 'a UNIX,' not 'All of UNIX world.'

When you get right down to it, pick the tool for the job. If you're going to be serving up ASP, using COM objects, blah blah blah, go with IIS. If you're doing perl, php or some such, go with Apache/mod_whatever. Note, though, that pretty much the moment you throw in a mod_whatever, especially if the mod_whatever is a language interpreter, you open apache pretty wide. If you're going to be doing lots of ldap related stuff, go with netscape enterprise server/iPlanet/whatever the hell they call it now. And so on.

No OS is inherently better or worse than another; they are, however, suited for different things.

 

[Patrick Larkin]

Something as simple as virus vulnerability and the inter-relationships of services on Windows makes it a scary proposition for critical tasks. Viruses, worms, all these nasty things made explicitly to exploit Windows...no thanks.

There may be a hole found in apache or sendmail or bind but its fixed within a day. Microsoft, on the other hand, may not even acknowledge a security problem for a month...

Also, Apache modules do not "open apache pretty wide."

By the way, ASP has to be the slowest middleware product on earth. Why anyone would use that is beyond me. Maybe so you can use it with SQL Server (when its not being hammered by mysterious worms.)

 

[Shayne Lebrun]

http://www.securityfocus.com/columnists/150

 

[Kelley_B]

You don't have to restart Apache all the time like you do IIS....we have done test here at work and Apache wins hands down, too bad the "brains" of the operations here has MS shoved up his ass and won't change from IIS to Apache.