Virtual, Dedicated & Cloud Hosting Security Compared

This post isn’t aimed at sysadmins, as they will know this already. It is intended for a business owner or decision maker who places the contract for web hosting, and it highlights at a high level some of the security risks their websites face just by being on the Internet.

Last week I bought a small app for my iPhone called Net Status (app store link). The premise is simple – you enter one or more websites that you want to check are running and it scans them and reports back. (Aside: It’s great as a quick check on the road when a client calls and says “my website is down”, as it gives you a quick way to prove or disprove this, even when you have other tools that monitor and report uptime. A client can also use the tool to check for themselves.)

The interesting thing the tool does is scan the common ports for the website you enter and then provide a list of ports you may want to monitor. You can deselect some, but it showed some very interesting differences between websites hosted on virtual servers, dedicated servers and cloud hosting. Here’s a quick table (based on a LAMP – Linux, Apache, MySQL, PHP – setup), but please read the notes following it!

Port Cloud Virtual Dedicated
Ping
http
https
ftp -
mysql -
dns -
telnet - - -
ssh -
smtp -
smtps - -
pop -
pops - -
imap -
imaps - -
afp - - -
smb - - -
vnc - - -
rdp - - -
lpr - - -
ipp - - -
postgresql - - -

The entries in the table not marked “-” show the ports that can be scanned from the Internet, and so represent the easiest routes for a hacker to attempt to exploit the server and your website. Out of the box, a dedicated server has many more possible attack vectors, which a sysadmin needs to lock down or manage the security for.

The reason that there are so few attack vectors in the cloud is that the website, the database, email, and often FTP are all separated through different channels (IP routes). This is the nature of the Cloud and one which brings a greater default level of security obfuscation “out of the box”.

However, to provide a balanced view, ports and IP addresses for things such as the database server, the email server, etc., are actually shared between many different sites in the Public Cloud, and you may inadvertently be exposed in other ways. For more information on this latter discussion see “When the Clouds break; Risks in the Public Cloud”.
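The same kind of check can be run against a server you operate, to see which of the table's services answer from the network and whether that matches what you meant to publish. This is an added example, not part of the original post or the Net Status app; the function names are hypothetical and the port numbers are the standard defaults for each service.

```python
import socket

# Default TCP ports for the services in the table above (ping is ICMP, so it is omitted).
COMMON_PORTS = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "dns": 53, "http": 80,
    "pop": 110, "imap": 143, "https": 443, "smb": 445, "smtps": 465,
    "lpr": 515, "afp": 548, "ipp": 631, "imaps": 993, "pops": 995,
    "mysql": 3306, "rdp": 3389, "postgresql": 5432, "vnc": 5900,
}


def is_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out) or unroutable
        return False


def audit_exposure(host, expected, ports=COMMON_PORTS):
    """Compare the services reachable on a host you operate with the set you intend to publish.

    Returns service names in two sorted lists:
      unexpected: reachable but not in `expected` (candidates to firewall or disable)
      missing:    in `expected` but not reachable (possible outage)
    """
    reachable = {name for name, port in ports.items() if is_reachable(host, port)}
    return {
        "unexpected": sorted(reachable - set(expected)),
        "missing": sorted(set(expected) - reachable),
    }


if __name__ == "__main__":
    # Constructed example: audit this machine, intending to publish only web traffic.
    report = audit_exposure("127.0.0.1", expected={"http", "https"})
    print("Reachable but not intended:", report["unexpected"])
    print("Intended but not reachable:", report["missing"])
```

Run it from outside the server's own network to see what the Internet sees; a check from the server itself bypasses any upstream firewall.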
