AspNet X J2EE

[Thiago Campos Pereira]

I need a support of the staff of the Microsoft.

Since the beginning of the year I am working in the CFLCL (Company of the
sector of energy with more than 15000 employees).

I am trying to convince the CFLCL to adopt the DotNet as tool of Web
development, but for this, I have that to obtain the approval of the
security staff.

The problem is that the security staff is fanatic with Linux and want that
the company adopts the J2EE. The great problem is that the faces are same
Hackers, for you to have idea, the Firewall was developed by it (all in
assembler), using the Linux to load the OS and later it all it takes off
Linux of air, assuming control of the operational system.

The argument that they use is that the DotNet delays very in loading the
process, besides using fixed addresses of memory.

With this, hacker can use the moment that the process of the AspNet is
loading and to generate a memory burst, obtaining to have access the
information to provoke great damages the CFLCL.

In accordance with them, the J2EE does not have this problem, therefore he
is fast to load and it does not use fixed addresses in the memory very,
making it difficult in the life of the Hackers.

But, so that the Hacker obtains to use this imperfection of the AspNet it
has that to make an attack in the hardware layer. It until showed to me as
if he makes, generating a failed in IRQ 115 (I find that the number is this)
that seems to be most serious, stopping all the processing of the machine
and allowing the action of the Hacker.

My argument is that to make this attack, hacker it has that to have access
the machine and that if the Firewall of it is good, we do not have with what
being worried, playing the responsibility on them.

But, I am trying to raise more arguments.

As this low-level question is not very my beach, I am looking support of
people can assist me in the subject.

Somebody can help me? Somebody know some publication on the subject that
can help me? He will be that you do not know somebody who can help me to
gain this "competition"?

 

[Karl Seguin]

Thiago:

Seems like you might need more help that what you'll get here.

You might want to try contacting a MS Regional Director in your area. I
found one in Peru:
http://www.icuadrado.com/chrismenegay.htm

and one in Ecuador
http://weblogs.asp.net/esanchez/contact.aspx


You can also try contacting the Microsoft Brazil Office:
http://www.microsoft.com/worldwide/phone/contact.aspx?country=Brazil

(sorry, I got it in my head that you are from Brazil, hope I'm not wrong!)

Cheers,
Karl

 

[Thiago Campos Pereira]

Hi Karl,

I am in Brazil.

I contacted some MVPs here and nobody can help me. I has send I e-mail to
Mauro Santana ( MS Regional Director on Brazil) and I don't receive return,
yet.

The Brazilian MVPs suggests for me contact the Microsoft on USA.

I only want a simple support about this question.

Thank You.

 

[Karl Seguin]

Thiago:
The problem is that your question isn't very easy to answer. You are asking
a very detailed question about the inner-workings of IIS and windows...

I replied to your question because I'm afraid your question will go
unanswered....so i thought the least I could do was try and provide you with
some other venues to ask...

You might try some more security-focused newsgroups, such as:
microsoft.public.inetserver.iis.security
microsoft.public.dotnet.framework.aspnet.security

I'm inquiring further on your behalf, will let you know if I come up with
anything..

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)

 

[Thiago Campos Pereira]

Thanks Karl,
I will try this newsgroup.

Thiago:
The problem is that your question isn't very easy to answer. You are
asking a very detailed question about the inner-workings of IIS and
windows...

I replied to your question because I'm afraid your question will go
unanswered....so i thought the least I could do was try and provide you
with some other venues to ask...

You might try some more security-focused newsgroups, such as:
microsoft.public.inetserver.iis.security
microsoft.public.dotnet.framework.aspnet.security

I'm inquiring further on your behalf, will let you know if I come up with
anything..

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)

 

[John Timney \(ASP.NET MVP\)]

It sounds like your security team seem to have got it in their heads that
j2ee and asp.net use different http protocols - thre is only one http
protocol and a request through any firewall to any web server, be it apache
or iis for example only returns http traffic - the security risk therefore
are pretty much the same. asp, php and jsp are not that different when it
comes down to this level and a decision on whether to use one or another
technology should be based on what exactly the benefits are - not if its
appropriate for your old firewall.

J2ee web traffic is not only delivered through Lunix - just as patching and
security are not about asp.net or j2ee. A good firewall and security
strategy in place, with correctly managed firewalls and protocols makes any
system as secure as it can be. If your security team are more concerned
about running IIS on Windows and can't get their heads around the security
policies for windows servers and especially hardware security then you could
still develop asp.net in visual studio or the SDK and deploy it to Linux
using Mono. Personally I would worry more that they dont actually
understand the concepts of web security if they are worried about potential
local hardware vulnerabilities for servers that should be in secure
computing rooms anyway.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director