Security Question

Hi,
I am just confused about the security of 2 tier architecture systems.

1) eEpractize Labs notes say, "Difficult because client has too much control on presentation, business and data"
2) Mark Cades second edition says, security is an advantage as most of these systems are behind the corporate
firewall.

Can anyone please help & make me understand it from the SCEA part 1 perspective?
-------------------------------------------------------------------------------------
Question about Performance in 2 T systesm.

1) eEpractise says: Poor as each client requires a connection, no connection pooling. Raw data paased to the client causes high network traffic.
2) Mark Cade: Performance
is usually pretty good unless the company uses extremely old laptops
that have minimal memory.

For the security one, I strongly disagree with Cade. Being behind the corporate firewall does not make you secure on its own.

For performance, it's a mixed bag. Connection pooling does help performance. But offloading the work to another computer does so even more. In this case, I lean towards Cade because there is less work to be done on the server.

This illustrates that some questions are subjective and you have to make your best guess. Even if you get some "wrong", it is ok because the passing score is so low.

Security has to be applied in most of the levels in the tier

In case of 3 tier application, security validations are to be done
1) at java script level for validation
2) again at Web tier level to avoid (like SQL injection)
3) at enterprise level if ejbs are used.

apart from using HTTPS, Firewalls so in case of 2 tier architecture the above 3 points are not required but only at one validation would be enough.

So in 2 tier security is easier than to manage in 3/n tier. In n tier has levels get increased security has to be increased.

Thanks Jeanne & Kumar.