Sam Gentile posted an excellent article on the lack of real .NET distributed application development and examples. Others have commented on this article as well.
Sam and I have talked about this a great deal in our own work, and we have bounced ideas back and forth regarding how to create good distributed architectures. One reason I favor multiple boxes, beyond some scalability benefits, is SECURITY.
What happens when the web server is compromised, and your database credentials are sitting there open for anyone to look at? What happens when the web server is compromised, and someone looks in the registry at the DSN settings to see where that database is located, and how to access it?
My problem with many n-tier examples is that while they are getting better at separating the logical tiers, there is nothing about how to separate the tiers physically. It can't be done easily, because everything is coupled with the web.config file.
Speaking of security, how many examples show you how to create a Partial Trust ASP.NET page in order to isolate the web application from Full-Trust resources? I only count one or two. How many examples have I counted that defaulted “sa” as the database user, without explaining how bad this really is? Unfortunately, many. Remember those basic security principles: security in depth, low-privileged user, etc.
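A quick way to check a site for the problems described above, as an added example that is not part of the original post: a small Python audit that flags `sa` logins, plaintext passwords and Full trust in a web.config. The sample file is constructed, and the script assumes connection strings live in the standard `<connectionStrings>` section and that no parent config overrides the trust level.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original post).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Server=db01;Database=Orders;User Id=sa;Password=example-only;" />
    <add name="Reports"
         connectionString="Server=db01;Database=Reports;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>
"""

def parse_conn_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_web_config(xml_text):
    """Return a list of (location, finding) tuples for risky settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall("./connectionStrings/add"):
        name = add.get("name", "?")
        fields = parse_conn_string(add.get("connectionString", ""))
        user = fields.get("user id") or fields.get("uid") or ""
        if user.lower() == "sa":
            findings.append((name, "connects as sa"))
        if "password" in fields or "pwd" in fields:
            findings.append((name, "plaintext password in web.config"))
    trust = root.find("./system.web/trust")
    # Assumption: with no <trust> element the application inherits Full trust.
    level = trust.get("level", "Full") if trust is not None else "Full"
    if level.lower() == "full":
        findings.append(("system.web/trust", "application runs at Full trust"))
    return findings

if __name__ == "__main__":
    for location, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{location}: {finding}")
```

The `Reports` entry passes because it uses integrated authentication, which keeps the password out of the file; whether that account is low-privileged still has to be checked on the database server.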
There are more reasons than scalability to physically separate your tiers for development. As Sam said, distributed computing is your friend.