If what they want is to separate ColdFusion from the web server, then sure, it is called "distributed mode". While I am not sure I buy into the assumption that this is more secure, it will do exactly what they want. So, yes, CF can do, and has done it for years.
--- Ben

-----Original Message-----
From: Christopher Jordan [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 1:57 PM
To: CF-Talk
Subject: Security Questions

Hi folks,

I need some advice. One of our bigger clients has a handful of Java developers working for them who don't particularly like ColdFusion. While their initial complaints were that it wasn't open source and that you're tied to one particular company (thoughts which I quickly squashed), now they're whispering in the ear of the decision makers that ColdFusion won't do "Three Tiered Security". I just now think I remember asking the group about this once before, but it's probably worth talking about again.

Their idea of the three tiered security model is that there's a web server, an application server, and a database server. The web server contains no code, no passwords, and can only communicate to the application server by virtue of the web server's IP address, and because the web server is the only machine that knows where the application server is. Sounds a bit like "security through obscurity" to me, but what do I know?

Anyway, these Java developers are telling the decision makers at this client that ColdFusion just isn't secure because it can't do this three tiered security stuff, but Java can. So they're saying, "why don't you just let us rewrite everything in Java for you?"

Well, while my little company has never run CF as anything but a Windows service, using CF Standard, we figure that it's written in Java so we ought to be able to make CF run in this sort of three tiered environment too.

So my questions are:

* Are these developers right? Is CF not capable of running this Three Tiered model, and are we less safe for it?
* If in fact, CF *can* run in this Three Tiered model, will we need to upgrade to CF Enterprise to do it?
* Lots of our code is procedural, though we've been switching to using CFCs slowly (not really OO, but rather storing related queries, and functions in CFCs)
* What arguments can we make to our client on this subject?
* Can anyone point me to any articles or other materials online concerning this topic specific to CF?

Thanks for any help guys and gals. I'm going to cross-post this to CF-Talk, so I apologize in advance for any duplication I may cause.

Chris
--
http://cjordan.us