Weaving Your Way Through the Web Server Scene


March 12, 2003

Web servers don't compete in the same sense as most other software offerings do. For one thing, the most widely used server, Apache, is open source and essentially free. It has no advertising budget or any promotion other than downloads, user experience, and word of mouth. Even the second most widely used server, Microsoft Internet Information Server (IIS), doesn't compete in the open market, as it's typically picked up in conjunction with a Windows operating system (i.e., it's bundled).

Yet this is a fiercely competitive category of software, partly because it's one of the most important pieces of all software (Web servers are often described as the heartbeat of the Internet), and the total number of servers in use is approaching an astronomical 12 million. There are many commercial Web servers (a large selection of which are reviewed on ServerWatch); many ways to supplement and enhance Web servers that can make money; and besides, there's always bragging rights.

Later in this ServerWatch tutorial, we'll detail what the "Big Four" Web servers (Apache, IIS, Sun ONE, and Zeus) are up to, but it's important to bear in mind that there are literally dozens of Web servers. Many are embedded within other products (such as application servers), and you might be using them without even knowing about it. Other Web servers are developed for specific purposes, such as e-commerce or streaming media.

Security

If there is one across-the-board issue in Web servers in 2003, it remains the same one it has been for (at least) two years -- security. A lot of negative publicity has been generated by Web server security holes and their exploitation. During 2000 and 2001 Microsoft IIS seemed to take the brunt of the attacks, but during 2002 Apache and other servers also came under fire. Statistically speaking, we may be talking about an almost infinitesimal number of breaches relative to the total number of Web server connections and transactions, but like airline disasters, only the memory of bad news seems to endure. The impression of flawed software now clings to many Web server products.

To counteract this impression, most Web server developers have shifted their attention to not only fixing security problems, but also re-focusing the software around security issues. In some cases this has resulted in heavily redesigned products; in other cases, features designed to implement and monitor server security have been added.

Update and Maintenance

Closely related to the need for vigilance in security is the need to pay attention to updates. This is much more than deciding whether or not to implement new versions of the server software. It includes the onerous task of frequently patching installed software to apply security fixes. It also includes more sophisticated monitoring of server activity, not only to manage loads, but also to deal with attacks and illegitimate use of the server. The problems are particularly acute for organizations running hundreds (or thousands) of servers, but the same problems exist in much smaller installations, where they often go unattended.

Consequently, another major trend in Web servers has become the addition of tools and features that make updating easier and timelier.

The Big Four

As mentioned, there are scores of Web servers available today. Some are free. Some are commercial. Some are heavy-duty; some are light-duty (even personal). Some are highly visible products; others are nearly invisibly embedded within another product. The most heavily used products, as indicated in the graph below, are Apache Web Server, Microsoft IIS, Sun ONE Web Server, and the largest of the "other" group, Zeus Web Server (which in actuality has more active servers than Sun ONE).

Market Share for Top Servers Across All Domains August 1995 to February 2003

Source: Netcraft (February 2003)

Apache Web Server
Apache Web servers in combination with the Linux operating system are arguably the most successful of all open-source software. Apache, according to Netcraft, now runs approximately 63 percent of the world's active Web servers, and its share continues to grow. During 2002 Apache/2.0 made its debut as a major upgrade. Reverberations (tweaks, fixes, and variants) from the upgrade are still being registered. Apache/2.0's support for threading greatly improved its performance on the Windows platform. This has led to 2.0 being adopted more quickly on Windows than other platforms and has helped Apache chew away at Microsoft's dominance in the Windows Web server market.

The Apache Software Foundation, the umbrella organization that guides and polices the development of the far-flung Apache code, has numerous development projects continually in progress. The HTTP Server Project (Apache Web Server) has been particularly busy addressing security issues that cropped up during 2002.

Internet Information Server
Microsoft doesn't like being number two in anything, much less something as potentially high profile as Web server software, but it's digging itself out of a hole over issues of security and reliability. With the coming of a new version, IIS 6.0, included in the release of Windows 2003 Server, the company is betting on the demonstration of much-improved security and reliability. IIS has been redesigned (with "significant architectural improvements") to incorporate XML- and Web services-specific features as well as improve security. For example, IIS 6.0 will be installed in a "locked-down state," meaning that maximum security is the default and administrators will need to choose which security measures to relax or remove. IIS 6.0 will also leverage its connections to other Microsoft products that use its services. This will particularly be true of the many Web services features of the Microsoft .NET platform.

Sun ONE Web Server
Now in version 6.0, the Sun ONE Web Server has gone through many name changes (including iPlanet-Enterprise, Netscape-Enterprise, Netscape-FastTrack, Netscape-Commerce, Netscape-Communications, Netsite-Commerce & Netsite-Communications), which may be indicative of some of its decline in popularity. As might be expected, Sun ONE Web Server has most of its strengths in the close relationship with Java and its support for JavaServer Pages and Java Servlets. Sun ONE Web Server is surrounded by a bevy of supporting products (Proxy Server, Directory Server, Portal Server, and Accelerator Board), as well as intimate connections with the Sun ONE Application Server. During 2003, we expect to see an increased amount of direct competition with Microsoft (IIS) and IBM (Apache) in the burgeoning Web services market.

Zeus Web Server
As the third most used server, the Zeus Web Server is the leading example of commercial Web servers geared for the enterprise. Designed for server-farm-style installations, Zeus surrounds its server with an armada of support products that enable it to function in extremely high-performance environments, such as large corporate data centers, ISPs, and Web hosts. Zeus is not alone in catering to these needs, but as a company Zeus Technology is structured to work at this level, and its expertise is probably its biggest asset. The payoff is a Web server that can scale to enormous size and has earned the reputation for relatively easy management and maintenance.

The Web Server Market

Although the struggles for Web server market share are in some ways titanic (at least from the perspective of Microsoft, Sun, and the open source people), the changes in products are usually incremental and not particularly swift in coming. Apache had a major revision in 2002 and Microsoft will have one in 2003, but after that, no major changes are planned from either of them for some time -- measurable in years.

Consequently, those who follow the products, especially server administrators responsible for making update and patching decisions, must pay attention to the fine details of interim revisions and the various announcements about fixes and patches.

Also, we find that many of the more interesting aspects of the Web server market are not the primary servers, but support and peripheral products such as accelerator boards, cache systems, monitoring software, and various plug-ins that improve performance and make life easier for administrators. Integration with server blades (i.e., densely packed rack-mounted servers) will be a major focus for Web servers in 2003 as enterprises try to consolidate and improve efficiency in the current economic climate.