Christopher Jordan wrote:

> they're whispering in the ear of the decision makers that Cold Fusion won't
> do "Three Tiered Security".
>
> Their idea of the three tiered security model is that there's a web server,
> an application server, and a database server. The web server contains no
> code, no passwords, and can only communicate to the application server by
> virtue of the web server's IP address, and because the web server is the
> only machine that knows where the application server is. Sounds a bit like
> "security through obscurity" to me, but what do I know?

The value of running a 'Three Tiered model' is not in the obscurity of where the server for the application tier is: as soon as the webserver is compromised the attacker will know that. The value lies in layering, minimization of privileges and especially a separation between writable and executable content.

> * Are these developers right?

No.

> Is CF not capable of running this Three Tiered model, and are we less safe
> for it?

CF can run in this 'Three Tiered model' and, if you have the hardware for it, it is a good idea to use it.

> * If in fact, CF *can* run in this Three Tiered model, will we need to
> upgrade to CF Enterprise to do it?

Not necessarily. In its simplest form you put a webserver in front of the CF server and proxy the requests for .cfm to the next server. The officially supported form is called 'distributed mode' and is available with Enterprise Edition. I suspect you can rig Standard Edition to support distributed mode as well, but I never tried and I am not sure what the EULA has to say about that.

> * What arguments can we make to our client on this subject?

Get the client to express his concern. Then turn the argument around: tell the client it is a valid concern (remember: the client is always right), but that he has been misinformed as to why it is a valid concern. Then explain that it isn't about obfuscating IP addresses, but about well understood principles of layering, write-or-execute permissions and minimal privileges.

Give the client the appropriate links to Wikipedia explaining the principles and seal the argument by saying that of course you can deliver the same and you don't need to rewrite the entire system, you just need some sysadmin time and hardware.

> * Can anyone point me to any articles or other materials online
> concerning this topic specific to CF?

Are you going to the MAX? There is a session on CF security (I think by Steve Drucker, or else by Dave Watts) that I expect to cover this issue. Else find me :)

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289348
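As an added illustration of the write-or-execute separation Jochem describes (example code written for this page, not from the thread or from ColdFusion): a small audit that walks a web root and flags executable content (ColdFusion templates, or anything carrying an exec bit) that is writable by group or world, and directories that are writable while holding such content. The suffix list and the sample tree are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Suffixes the application tier executes. Assumed list for this example;
# extend it to whatever your deployment treats as executable content.
EXECUTABLE_SUFFIXES = (".cfm", ".cfc", ".cfml")


def is_writable_by_others(path):
    """True if group or world holds write permission on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_write_and_execute(root):
    """Return paths under root that break write-or-execute separation:
    executable files that are group/world writable, and directories that are
    group/world writable while holding executable files."""
    violations = []
    for dirpath, _dirnames, filenames in os.walk(root):
        holds_exec = False
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            is_exec = name.lower().endswith(EXECUTABLE_SUFFIXES) or bool(mode & stat.S_IXUSR)
            if not is_exec:
                continue
            holds_exec = True
            if is_writable_by_others(full):
                violations.append(full)
        if holds_exec and is_writable_by_others(dirpath):
            violations.append(dirpath)
    return sorted(violations)


def build_sample_tree():
    """Constructed sample web root: one clean template, one writable template
    (the violation), and a writable upload area holding only data."""
    root = tempfile.mkdtemp(prefix="wxaudit_")
    app, uploads = os.path.join(root, "app"), os.path.join(root, "uploads")
    os.makedirs(app)
    os.makedirs(uploads)
    good, bad = os.path.join(app, "index.cfm"), os.path.join(app, "admin.cfm")
    upload = os.path.join(uploads, "photo.jpg")
    for path in (good, bad, upload):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.chmod(root, 0o755)
    os.chmod(app, 0o755)
    os.chmod(uploads, 0o777)   # writable, but holds no executable content: fine
    os.chmod(good, 0o644)
    os.chmod(bad, 0o666)       # executable template writable by everyone: violation
    os.chmod(upload, 0o666)
    return root, bad
```

Run `find_write_and_execute("/path/to/webroot")` against a real tree; every path it returns is somewhere an attacker who gains write access could also gain execution.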

