Hi,   
   
Citing Paul Tillotson <[EMAIL PROTECTED]>:   
> At my company we are looking at deploying clients for our client/server    
> app outside our firewall, which will then require our postgres box to be    
> internet-accessible.    
>    
> Does anyone out there have experience with this or recommended best    
> practices?    
> We have been looking at either   
> (a) tunnelling everything over ssh, or    
   
This, implementing a VPN, or using the built-in SSL support in
PostgreSQL is the way to go, because *everything* that goes through
the channel will be encrypted. With SSL you have the additional value
of being able to guarantee the identity of the server.
The information in the source code distribution in
src/backend/libpq/README.SSL
might prove useful in making your decision.
 
> (b) just making sure that users have "strong" passwords and    
> requiring "md5" authentication in pg_hba.conf.  
  
Too weak, IMHO. md5 is there to protect the password data stored
in the database, not the password transmission (someone already
mentioned TCP replay attacks).
  
Regards, 
Daniel 
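
As an added example (not part of the original message), the following Python check audits a pg_hba.conf for TCP rules that would let non-local clients connect without SSL, which is the concern discussed above. The sample configuration is constructed, the function name `audit_hba` is hypothetical, and quoted fields, host names and IPv6 netmask columns are not handled.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration (not from the original message).
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS                     METHOD
local      all       all                               md5
host       all       all   127.0.0.1/32                md5
host       appdb     app   0.0.0.0/0                   md5
hostssl    appdb     app   203.0.113.0/24              md5
host       appdb     app   192.0.2.10 255.255.255.255  password
hostnossl  appdb     app   198.51.100.0/24             trust
"""

def audit_hba(text):
    """Return (line_no, type, network, method, problems) for each risky TCP rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # comment, blank line, or Unix-socket ("local") rule
        rule_type, addr = fields[0], fields[3]
        try:
            if "/" in addr:  # CIDR form: ADDRESS METHOD
                net, method = ipaddress.ip_network(addr, strict=False), fields[4]
            else:  # older form: IP-ADDRESS IP-MASK METHOD
                net = ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
                method = fields[5]
        except (ValueError, IndexError):
            continue  # host names and keywords are out of scope for this check
        if net.is_loopback:
            continue  # traffic never leaves the machine
        problems = []
        if rule_type != "hostssl":  # "host" matches SSL and non-SSL connections
            problems.append("accepts unencrypted connections")
            if method == "password":
                problems.append("password sent in clear text")
        if method == "trust":
            problems.append("no authentication")
        if problems:
            findings.append((line_no, rule_type, str(net), method, problems))
    return findings

if __name__ == "__main__":
    for line_no, rule_type, net, method, problems in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {rule_type} {net} {method}: {'; '.join(problems)}")
```
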
