Friday, August 29, 2003

MRTG/SNMP on IIS

I'm a firm believer in using the proper tool for the job. Unfortunately, the marketing department at a huge software vendor likes to talk about its products as being the end-all-be-all for every job.

What am I talking about? IIS.

In most cases, using IIS is like taking a 747 to the corner store when a comfortable pair of sneakers would do.

The newer versions of IIS ship with so many features that, contrary to the marketing claims, virus writers and hackers will have plenty to do for the coming decade. (Remember: the more complex a program is, the more bugs and vulnerabilities it contains.)

If you have to use IIS, there are additional measures you should take to protect the system:

  • restrict inbound access from the outside to just the web port (80, plus 443 if you serve HTTPS)
  • if possible, put a caching reverse proxy in front of it
  • if possible, run that reverse proxy on a non-Microsoft operating system, so that a single exploit does not work against both boxes
  • locate the proxy and IIS systems outside your internal network, in a DMZ
  • if possible, put an IDS sensor in that segment
  • and, wherever possible, gather metrics.

I want to stress the point about metrics. For any publicly exposed system, you need a good idea of what normal traffic looks like so that you can recognize abnormal traffic when it shows up.

A good tool for this is MRTG. Let it poll your router over SNMP and you'll get a good day-to-day view of traffic. With IIS 6.0, you can even gather metrics from the web server itself. Here's an article at SecurityFocus which discusses how to do just that.
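To make the "know what normal looks like" point concrete, here is an added example (my own code, not from the original post or from MRTG) that reads the data MRTG already writes and flags intervals that stray far from the baseline. It assumes MRTG's per-target .log layout: the first line holds the last raw counter values, and every following line is `timestamp in_avg out_avg in_max out_max` in bytes per second. The log text below is constructed for the example, with two intervals where the server suddenly receives far more than it sends; the 5x threshold is a starting point you would tune against your own history.

```python
"""Baseline check over MRTG log data (added example, not from the original post).

MRTG writes one .log file per target. Assumed layout:
  line 1:   <timestamp> <in_counter> <out_counter>      (raw counters, skipped here)
  line 2..: <timestamp> <in_avg> <out_avg> <in_max> <out_max>  (bytes/sec per interval)
"""
from statistics import median

MAD_SCALE = 1.4826  # puts the median absolute deviation on the same scale as a stddev

# Constructed sample: steady "sends much more than it receives" web traffic,
# then two intervals (the last two rows) where inbound jumps tenfold and
# outbound collapses. No real host produced these numbers.
SAMPLE_LOG = """\
1062153600 48211 902113
1062153600 4100 61000 5200 70100
1062153300 3900 58000 4800 66000
1062153000 4300 64000 5100 71000
1062152700 4000 60500 4700 65000
1062152400 4200 63000 5000 69000
1062152100 3800 57000 4600 64000
1062151800 4100 61500 4900 68000
1062151500 41000 12000 52000 15000
1062151200 39500 11500 50000 14000
"""


def parse_mrtg_log(text):
    """Return [(timestamp, in_avg, out_avg), ...], skipping the raw-counter header."""
    rows = []
    for lineno, line in enumerate(text.splitlines()):
        fields = line.split()
        if lineno == 0 or len(fields) != 5:
            continue  # header line (3 fields) or junk: not a rate sample
        ts, in_avg, out_avg, _in_max, _out_max = (int(f) for f in fields)
        rows.append((ts, in_avg, out_avg))
    return rows


def robust_baseline(values):
    """Median and MAD-based spread of a series.

    A plain mean/stddev baseline is pulled toward the very intervals you want
    to catch, because they sit in the same history. Median and MAD barely move.
    The spread is floored so a perfectly flat history cannot make every tiny
    wobble look like an outlier.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    spread = MAD_SCALE * mad
    return med, max(spread, 0.05 * med, 1.0)


def flag_anomalies(rows, threshold=5.0):
    """Return the rows whose in or out rate sits more than `threshold`
    robust-sigmas from the baseline, in either direction. A drop matters as
    much as a spike: a web server that suddenly sends little and receives a
    lot is not serving pages the way it did yesterday."""
    if not rows:
        return []
    in_med, in_spread = robust_baseline([r[1] for r in rows])
    out_med, out_spread = robust_baseline([r[2] for r in rows])
    flagged = []
    for ts, in_avg, out_avg in rows:
        in_score = (in_avg - in_med) / in_spread
        out_score = (out_avg - out_med) / out_spread
        if abs(in_score) > threshold or abs(out_score) > threshold:
            flagged.append({"ts": ts, "in": in_avg, "out": out_avg,
                            "in_score": round(in_score, 1),
                            "out_score": round(out_score, 1)})
    return flagged


if __name__ == "__main__":
    samples = parse_mrtg_log(SAMPLE_LOG)
    for hit in flag_anomalies(samples):
        print("abnormal interval", hit)
```

Run it against a real target's .log and you get the intervals worth pulling IIS logs for. The design choice worth copying is the robust baseline: with a mean and standard deviation over the same nine rows, the two abnormal intervals inflate the spread so much that neither crosses a 3-sigma line, while median and MAD put them well over a hundred sigmas out on the inbound side.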