Red Hat Stronghold: Secure, Apache-based Web server
Stronghold Web Server is a collection of open source parts that have been configured and packed to work together. Sure, you could do it yourself, but the man hours needed to get everything operational may cost as much as the license for Stronghold.
The open-source Apache Web server is the most widely used Web server worldwide, accounting for nearly 70 percent market share as of August 2004. So, as the Zen koan might say, what is the sound of one Apache serving? It’s a trick question — there is no one single Apache.
Like any software package, numerous versions of Apache are in production. For one thing, the well-established and still-vital 1.x family line coexists with the newer 2.x lineage. To further complicate things, Apache is also the engine on which various Web server solutions are built. Take Stronghold, for example, Red Hat’s secure Web server based on Apache.
Administrators experienced with installing and compiling complex packages appreciate the swift ease with which Stronghold installs. In a matter of minutes, the Web server is ready to go.
Stronghold 4 is a collection of open-source components grouped together to create a world-class secure Web server. With version 4, Red Hat has updated the Apache engine to version 1.3.22 and bundled Perl 5.6, PHP 4.1.0, and Tomcat 4.0.1 (JSP 1.2 and Java Servlet 2.3), as well as the newly introduced AxKit XML application server and WebDAV Web-based authoring protocol.
Stronghold 4 is available for most Linux and Unix-like operating systems. Users of Red Hat’s own Linux Advanced Server can take advantage of the Red Hat Content Accelerator (formerly known as TUX), which adds a caching layer to Stronghold for added performance in high-traffic environments. Otherwise, Stronghold 4 is basically the same across Linux and Unix platforms. The install package weighs in at about 24 MB, and the basic installation occupies a similar footprint. Red Hat includes a text-based installation script that walks you through the basic steps. Administrators experienced with installing and compiling complex, modular-rich packages, such as Apache, will appreciate the swift ease with which Stronghold installs. In a matter of minutes, the Web server is ready to go.
But ready to go is not the same as secure. Red Hat has set secure defaults for many of the included modules: For example, Apache user directories are turned off by (a common problem with Web server installations), and PHP is set to secure mode. But there is no avoiding the fact that running a truly secure Web server requires a good understanding of the cryptography systems available. Stronghold includes command-line tools for generating key pairs and supports a wide variety of cipher strengths, from weak 40-bit keys to strong 168-bit keys. The initial install script steps through the creation of an initial key pair of a chosen strength level.
Both host and client certificates are supported through known or private trusted Certificate Authority sources. Stronghold presumes the admin understands how keys and certificates work, what he needs, and that he knows where to put them. Most of these operations involve creating certain files and placing them in certain folders. While all of this is laid out in the included handbook, there is no “wizard” or step-by-step guide to walk you through the process.
Red Hat does not include any graphical or Web-based administration tools for Stronghold, with the exception of a Web-based status monitoring tool. Like many open source products, solutions are available (such as Webmin for Web-based administration of Apache) that can be acquired and will work with the server. They are not, however, bundled specifically with the Stronghold release.
For the nearly 70 percent of Web servers currently running some kind of Apache-based Web server, Stronghold is a reasonable solution for secure communications.
Like any Apache-based server product, Stronghold is a toolkit, a collection of pieces configured and packed to work together. Stronghold can leverage the power of any of its component parts, from Apache’s sophisticated configuration language to the rapid deployment of dynamic Web pages via PHP and complex Web applications through Tomcat’s J2EE. At its heart, Stronghold is a combination of Apache 1.3.22 and OpenSSL bridged together with mod_ssl. Because they are all open-source projects, they can be downloaded, compiled, and installed at no charge. Anyone can combine the components to build a Web server very much like Stronghold.
So why pay for it? For one thing, Red Hat has done most of the work for you — and that’s no small thing. Getting all of these parts to work together can, in some cases, cost as much time in man hours as the license cost for Stronghold.
In addition, the Stronghold license fee also buys what some will consider peace of mind — the knowledge that the pieces have indeed been put together correctly to ensure secure operation as well as the availability of certain kinds of support and tested updates, as required.
It may be stretch to think that organizations with a software infrastructure built around, say, IIS, will jump ship to Stronghold. But for the nearly 70 percent of Web servers currently running some kind of Apache-based Web server, Stronghold is a reasonable solution for secure communications.
Pros: Apache engine; Proven and reliable OpenSSL security; No-hassle installation of pre-compiled modules.
Cons: For command-line junkies; Not available for Windows.
Reviewed by: Aaron Weiss
Original Review Date: 9/15/2004
Original Review Version: 4