Vlad,

see comments...

regards,

the elephantwalker
www.elephantwalker.com

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Vlad
Vinogradsky
Sent: Friday, September 21, 2001 7:08 AM
To: Orion-Interest
Subject: RE: Questions about Orion


Thanks for your response. Few follow-up questions.

>By the way, Orion by itself can out do IIS by six to one!...
In what scenario?
<elephantwalker>
Orion serving up jsp pages compared to asp pages from IIS.
</elephantwalker>

>... make sure you test the jdbc drivers with all necessary uses of sql
>including things like LIMIT, CLOB, BLOB as well as 100's of open connections.
>These are the key database needs for an appserver servicing the web.
What about resource/connection pooling?
<elephantwalker>
Orion uses connection pooling for its ejbs, and you can specify connection
pooling for your jdbc connections in orion with a DataSource configuration.
</elephantwalker>
>Like anything, if you run it on Windows, it will be compromised.
I was asking more about known Orion vulnerabilities?

<elephantwalker>
AFAIK, there are none if you take the following steps:

1. Run orion as a non-administrator user.
2. Do not use any of the script based servlets, such as php.
3. Use jdbc drivers that support encrypted network traffic. Oracle does
this...I don't know about m$ sql server.


However, Windows is known to have many security issues, and if your
operating system security is compromised, the hackers will have access to
the orion, and any other resources you have.

I would recommend staying away from any windows system for any internet
application because the windows record on security is so BAD. You should see
my internet logs the last few days ;(...filled with requests for silly
things on the c drive, something the frequently patched IIS is vulnerable
to, but which orion just sends back a 404.

In the past two years, I have seen no similar failure of Orion, nor any
complaints on the list.
</elephantwalker>
Thanks,

Vlad

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of The
elephantwalker
Sent: Friday, September 21, 2001 1:08 AM
To: Orion-Interest
Subject: RE: Questions about Orion


Vlad,

Here are the answers as I know them:

1. SQL Server 2000 database --> That's a tough one. I don't know any IT
managers recommending this beast. But if you got to live with it ...
make sure you test the jdbc drivers with all necessary uses of sql
including things like LIMIT, CLOB, BLOB as well as 100's of open
connections. These are the key database needs for an appserver servicing
the web.

2. Orion uses the Java 1.3 jvm from Sun, IBM or others. As they say, if
it runs on one, it runs on all.

3. We use IBM's jvm with absolutely no problems.

4. Scalability is determined by your clustering needs. Orion clusters
httpsessions in islands of two to four servers. Stateful Session Beans
are not clustered, but entity beans and slsb's are easily set up in a
clustered environment. Orion is easily the fastest jsp/servlet engine on
the planet, and along with some very good performance numbers on the ejb
side, you can out do other app servers by a factor of 3 to 1. By the
way, Orion by itself can out do IIS by six to one! Oracle thought so
much of the Orion performance, they licensed the software as the core of
their j2ee application server.


5. j2ee security is used on Orion, you can implement your own user
security, or link up with ldap, or use the builtin usermanagers for
databases. SSL is also a feature of Orion, but I would recommend locking
down your web server with SSL, or use a hardware accelerator, and
proxying Orion outside the dmz. This is how most firms implement
appservers.

6. Like anything, if you run it on Windows, it will be compromised. We
have not had any security troubles with Linux RedHat 7.1 and orion.

7. Ironflare doesn't really provide the technical support that some
need. With Ironflare's encouragement, companies like Flowsheet
Technologies and others provide subscription based customer support for
Orion. Join our site, www.elephantwalker.com, it's free, and sign up for
a subscription when you need some help. We also provide a course for
Orion in the San Francisco Bay Area.

regards,

the elephantwalker
www.elephantwalker.com







-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Vlad
Vinogradsky
Sent: Thursday, September 20, 2001 8:22 PM
To: Orion-Interest
Subject: Questions about Orion


I am evaluating the Orion server for use in a production web site which
would be hosted by a hosting services provider. It would run on a
Windows 2000 box alongside other web sites serviced by IIS and will
manage data in SQL Server 2000 database. I have a few questions I wasn't
able to find answers to and I wonder if you can help me with them.

1. I wonder if anybody had any negative experience using Orion server on
Windows 2000 or with SQL Server 2000? I-Net jdbc products are going to
be used.

2. Any comments on performance, scalability and availability of the
Orion server on Windows 2000?

3. What VM is best to use to run Orion server?

4. Does it have auto start and restart features? Do you have to have an
interactive logon session to start it?

5. What security context does it run in?

6. What is Orion server security track record? Has it ever been
compromised or taken out by DOS attacks?

7. Any comments on IronFlare's technical support? It looks like there is
no live tech support - just email.

All input is welcome.

Thanks,

Vlad





