locked
Going Multi-Tier RRS feed

  • Question

  • I have a bunch of webservers which connect to databases directly (2tier).  I need to go multi tier to remove the security issues associated with direct db links to systems from outside the firewall...
    What's the best way of accomplishing this, given that I don't have dedicated app servers, i guess i am looking at creating a logical tier on my web server which then carries the connection to a db?  Or is it more recommended to create that connection of another box (inside the firewall) ...how is this done?
    My sites are (oh get ready for this) mostly html and asp.net.. this is some legacy stuff....
    Thursday, November 19, 2009 4:05 PM

All replies

  • Create App server with business logic. You can isolate this on same machine or different machine based on resources you have.
    If you think Web server with presentation logic and App. server with business components, logic, services are best with independent servers,
    Go that way.  

    If there is not much seperation interms of business logic and presentation logic, you can isolate them on the same machine instead of having dedicated machines.
    hope this helps
    Regards
    Suds
    Thursday, November 19, 2009 5:01 PM
  • Try to put both webservers and database servers inside firewall with reverse proxy in the DMZ zone.
    If you foresee any heavy business logic or business rules in your business layer,it do makes sense to move it to different app server due to probable future scalability issues.
    otherwise install both presentation and business layer on same tier.
    Extending BL to different app server will only hamper performance if you don't see any scalability issues.

    Hope this helps

    Cheers
    Bhaskar
    -------------------------------------
    Please mark this as answer if this helps you
    Thursday, November 19, 2009 5:25 PM
  • Hi,

    One of the advantges of going with multi tier apps is

    Improved Security: Security is improved since it can be implemented at multiple levels (not just the database). Security can be granted on a service-by-service basis. Since the client does not have direct access to the database, it is more difficult for a client to obtain unauthorized data. Business logic is generally more secure since it is placed on a more secure central server


    Have the services layer which has the authenticaion authority and will grant permissions.  This will be logical service layer which can be on the UI tier.

    http://msdn.microsoft.com/en-us/magazine/ee335715.aspx

    Refer the above link as well

    Hope this helps

    Mark as answer if this helps

    Regards
    Azhar

    Thanks and Regards Azhar Amir
    Friday, November 20, 2009 4:07 AM


  • I'm assuming that your web server is in a data centre of some sort?  If so, can't you purchase a database server that sits inside the same network, and avoid the firewall entirely?  I'm just thinking that it would be better to cause a re-write when you have additional functionality to add to the application, and until that time, work around your currently issues in some other way?

    The question isn't so much about tiers, but more about design - will your current design allow you to split components across multiple machines?

    The only issue here, if it is a firewall issue is with the communication protocol - HTTP traffic will go through on Port 80.  If you then connect each component / layer that you want to spread across tiers using an HTTP protocol there shouldn't be an issue.

    If you want to split into multiple tier, you need to make sure that your design has good separation of concerns, and is loosely coupled, then it should be pretty straight forward to do.  If your implementation currently is not, then you might be able to make it work using proxies, which then communicate using the HTTP protocol.

    I'm wondering why you're doing this.  Creating a logical tier on the same machine achieves nothing?  Splitting component logic into new machines would be more for performance reasons.  To avoid the direct database connections, you would need to connect to something inside the firewall that communicates using HTTP.  That will then connect to the database.

    The 'multi-tiereness' then of the application, is that you could then put that 'data layer' on a different machine from the database server (which you're likely to want to do for performance and security reasons) You would still probably want that data layer to be inside the firewall.  I would go so far to say that other than your presentation layer, all your app should sit inside your firewall.  Then your ASP.NET app just connects to the business layer, via services or whatever, and the rest of the application works inside your firewall.

    Martin.
    MCSD, MCTS, MCPD. Please mark my post as helpful if you find the information good! http://www.consultantvault.com
    Friday, November 27, 2009 3:27 AM