Re: postgres "on in the internet" - Mailing list pgsql-general
From | Paul Tillotson |
---|---|
Subject | Re: postgres "on in the internet" |
Date | |
Msg-id | 4138CC2C.6080803@shentel.net |
In response to | Re: postgres "on in the internet" (Lincoln Yeoh <lyeoh@pop.jaring.my>) |
Responses | Re: postgres "on in the internet"; Re: postgres "on in the internet" |
List | pgsql-general |
How difficult is it to set up VPN? I know that in the past my company has used VPN tunnels, but this was difficult for our remote users to get set up. I am actually willing to trade *some* security for ease of installation and simplicity. This will have to be deployed on 30 to 40 client computers, several of them in very (i.e., plane travel) distant locations for non-technical users who will work remotely. Whatever the solution is, the setup needs to be scriptable or else very easy to walk someone through by telephone.

>
> You could use the following configuration:
>
> client (with IPSEC VPN) [diagram truncated]

> If you don't want to or can't use IPSEC VPNs, you could try SSL and
> drop connections from clients with unrecognized certs. You may wish to
> put the SSL endpoint on another server (openssl's security track
> record hasn't been that good, neither has openssh for that matter).

For this reason, it occurred to me that against an enemy that can't sniff your traffic, postgres untunnelled is probably more secure than postgres tunnelled through openssl or openssh.

>
> Another factor to consider: you may wish to test out Postgresql's
> network performance over higher latency connections first...
>

Already tested--this app will replace one already deployed that does the same thing--the existing app is a "3 tier" app, but it's a maintenance nightmare because it is single-threaded (!) and written in a language with no native RPC or serialization capability. We realized that a lot of simplicity was to be gained by connecting directly to the database and putting most of the middle-tier (there isn't that much business logic anyway) inside postgres itself in the form of user-defined functions and triggers.

Regards,
Paul Tillotson

> At 07:35 PM 9/2/2004 -0400, Paul Tillotson wrote:
>
>> At my company we are looking at deploying clients for our
>> client/server app outside our firewall, which will then require our
>> postgres box to be internet-accessible.
>> Does anyone out there have experience with this or recommended best
>> practices? We have been looking at either (a) tunnelling everything
>> over ssh, or (b) just making sure that users have "strong" passwords
>> and requiring "md5" authentication in pg_hba.conf.
>>
>> Our client app is in C# using the postgresql .net data provider.
>>
>> Regards,
>> Paul Tillotson
>>
>>
>> ---------------------------(end of broadcast)---------------------------
>> TIP 6: Have you searched our list archives?
>>
>> http://archives.postgresql.org
>>
>
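An added example, not part of the original message or of PostgreSQL itself: a small Python audit of a pg_hba.conf for the two choices weighed in this thread, password authentication on an internet-reachable port versus SSL that drops clients without a recognized certificate. The sample file, the function name `audit_hba` and the finding strings are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration; not taken from the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE USER ADDRESS            METHOD
local    all      all                     md5
host     all      all  127.0.0.1/32       md5
host     appdb    all  0.0.0.0/0          md5
hostssl  appdb    all  0.0.0.0/0          md5
hostssl  appdb    all  0.0.0.0/0          md5 clientcert=verify-ca
host     appdb    all  10.0.0.0 255.0.0.0 trust
"""
# Options that make the server demand a client certificate it can verify.
CERT_CHECKED = {"clientcert=1", "clientcert=verify-ca", "clientcert=verify-full"}

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def _is_loopback(addr):
    try:
        return ipaddress.ip_network(addr, strict=False).network_address.is_loopback
    except ValueError:
        return False  # hostname, "all", "samenet": treat as remote

def audit_hba(text):
    """Return (line_number, finding) pairs for network-facing records."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        # Simplification: assumes no quoted field contains '#' or whitespace.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # blank, comment, or Unix-socket ("local") record
        rtype, addr, rest = fields[0], fields[3], fields[4:]
        if len(rest) > 1 and _is_ip(rest[0]):
            rest = rest[1:]  # address was given with a separate netmask column
        method, options = rest[0], set(rest[1:])
        if _is_loopback(addr):
            continue
        if rtype in ("host", "hostnossl"):  # "host" also matches non-SSL clients
            findings.append((num, "cleartext connections accepted"))
        if method in ("trust", "password"):
            findings.append((num, "weak auth method: " + method))
        if rtype == "hostssl" and method != "cert" and not options & CERT_CHECKED:
            findings.append((num, "TLS without client certificate check"))
    return findings
```

Calling `audit_hba(SAMPLE_HBA)` returns one tuple per finding, keyed by line number in the file.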