Header image

Avoiding Monoculture

In biology, it's well known that a population that's too similar is at extreme risk for an epidemic. If an infectious agent comes along that attacks a weakness common to all (or most) of the individuals in a population, it can spread very quickly and very widely. This is part of the reason that sexual reproduction evolved.

Similar principles apply to computer worms and viruses. If all of your machines are identically set up with the same hardware and software, then they will also all have the same security flaws, at the same time. This is a situation ripe for exploitation by a worm or a cracker.

If all of your services are already on different machines, why not make them very different? This can even enhance performance in some circumstances. What if you have a machine that serves static data like images running thttpd on OpenBSD while your main server runs Apache on Linux? Not only can you reduce the work on the machine serving the dynamic content, but it makes it more difficult for the overall site to be cracked, even if the attacker gets in to one of the machines.

(What if you have each machine storing the logs for the other one?)

[Prev]   [Up]   [Next]