Thursday, February 12, 2004 10:04 AM RHurlbut

Real distributed application development

Sam Gentile posted an excellent article on the lack of real .Net distributed application development and examples.  Others have commented on this article as well.

Sam and I have talked about this a great deal in our own work, and we have bounced ideas back and forth regarding how to create good distributed architectures.  One reason I favor multiple boxes, beyond some scalability benefits, is SECURITY.

What happens when the web server is compromised, and your database credentials are sitting there open for anyone to look at?  What happens when the web server is compromised, and someone looks in the registry at the DSN settings to see where that database is located, and how to access it?

My problem with many n-tier examples is that while they are getting better at separating the logical tiers, there is nothing about how to separate the tiers physically.  It can't be done easily, because everything is coupled with the web.config file. 

Speaking of security, how many examples show you how to create a Partial Trust ASP.NET page in order to isolate the web application from Full-Trust resources?  I only count one or two.  How many examples have I counted that defaulted "sa" as the database user, without explaining how bad this really is?  Unfortunately, many.  Remember those basic security principles:  security in depth, low-privileged user, etc.
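The three weaknesses called out above (an "sa" login and a plaintext password sitting in web.config, and an application running under Full trust) can be checked mechanically. The audit script below is an added example, not code from this post; both web.config samples are constructed, and the ConnectionString key name and trust levels follow ASP.NET 1.1 conventions.

```python
"""Audit an ASP.NET 1.1-style web.config for the weaknesses the post names."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the kind of config the post complains about.
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnectionString"
         value="Server=dbsrv;Database=Orders;User ID=sa;Password=s3cret" />
  </appSettings>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>"""

# Constructed sample: the same application after applying the post's advice
# (low-privileged Windows login, no password on the web box, partial trust).
HARDENED_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnectionString"
         value="Server=dbsrv;Database=Orders;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <trust level="Medium" />
  </system.web>
</configuration>"""


def _kv(connstr):
    """Split 'k=v;k=v' into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in connstr.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit(xml_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        val = add.get("value", "")
        if not re.search(r"(?i)\b(server|data source)\s*=", val):
            continue  # appSettings entry that is not a connection string
        kv = _kv(val)
        user = kv.get("user id", kv.get("uid", ""))
        if user.lower() == "sa":
            findings.append(f"{add.get('key')}: connects as sa")
        if "password" in kv or "pwd" in kv:
            findings.append(f"{add.get('key')}: plaintext password in web.config")
    trust = root.find("./system.web/trust")
    level = trust.get("level", "Full") if trust is not None else "Full"
    if level.lower() == "full":
        findings.append("trust: application runs with Full trust")
    return findings
```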

There are more reasons than scalability to physically separate your tiers for development.  As Sam said, distributed computing is your friend.


Comments

# re: Real distributed application development

Thursday, February 12, 2004 10:30 AM by Julien CHEYSSIAL

Thanks for your comment on my blog.

I'm still a student so I don't have much experience on which I can rely... The project I'm currently working on is a web application which will manage pretty big data volumes and will certainly have a lot of success (heavy load).

So would you recommend any books on creating .NET distributed applications and applications such as mine?

# re: Real distributed application development

Thursday, February 12, 2004 11:26 AM by Joseph E Shook

Exactly Robert! Good addition to Sam’s post. It is all one big recipe. If you leave out one of the ingredients the amount of work to scale and secure in the future becomes a burden weighted by past complacencies.

Remember the whole web service is surface area and available to attack 24 hours a day. It is available to administrators to make mistakes 24 hours a day. Eventually a hole will appear for at least some time. I surely don't want that hole to be a yellow brick road to the data today or tomorrow...

# re: Real distributed application development

Thursday, February 12, 2004 11:53 AM by Robert Hurlbut

Thanks Joseph.

Julien, for starters, if you are doing any kind of web application development, I would look at these two excellent books on secure web application development:

Building Secure Microsoft ASP.NET Applications (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp)

and

Improving Web Application Security: Threats and Countermeasures (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp).

# Robert Hurlbut adds more value to Sam's Distributed Computing post

Thursday, February 12, 2004 11:58 AM by TrackBack

# re: Real distributed application development

Thursday, February 12, 2004 3:12 PM by Julien CHEYSSIAL

Oh, I also wanted to ask... What about passing XmlDocuments between layers and services? Since XML is pretty verbose, it might consume more memory and bandwidth, but what do you think about using XmlDocument?

Thanks for your recommendations... I think I'm going to buy the printed versions of those PAG.

# re: Real distributed application development

Thursday, February 12, 2004 3:32 PM by Robert Hurlbut

While on the same box, it makes sense to do regular calls (direct method/interface). You should do this with an ES/COM+ or Remoting server call to another box as these are considered "near" (within the same network). If you are making calls on a "far" box (outside of your network, i.e. across the internet), then Xml through the use of WebServices makes the most sense.

I bought those books through Amazon as well, as they are pretty hefty PDFs to print (as many as 600+ pages!).

# Enterprise Architecturing

Friday, February 13, 2004 8:19 AM by TrackBack

# Distributed data security

Saturday, February 14, 2004 4:40 PM by TrackBack

# Items of interest pt3

Monday, February 23, 2004 8:07 AM by TrackBack

# Distributed .NET Computing Part 2

Tuesday, February 24, 2004 6:47 PM by TrackBack

# Application Servers and DB Security

Wednesday, February 25, 2004 7:44 AM by TrackBack

# Tiery Eyes: Should the middle tier be logical or physical? A lively discussion

Friday, February 27, 2004 10:51 AM by TrackBack

# re: Real distributed application development

Thursday, April 01, 2004 5:07 AM by N.Jeganathan

Dear sir,

I want notes about distributed applications development.

Yours faithfully,
(N.Jegananthan)