Hi all;

Comments inline.

Lincoln Yeoh wrote:

I doubt it's a good idea to make your postgres server internet accessible. You'll be using postgresql in what I'd consider to be a less tested scenario. Most people don't expose their database servers to the Internet.

You could use the following configuration:

client (with IPSEC VPN)
|
Internet
|
Firewall #1 (VPN endpoint)
|
Staging network (for VPN clients)
|
Firewall #2
|
Database server

The clients with VPN access get access to whatever the staging network has access to - which may be the postgresql db port and other services, but nothing else not explicitly permitted by Firewall #2, or Firewall #1.

I have to agree with this architecture. However, I would also suggest that you think about public key management so that in the event that the client key becomes corrupt while traveling, they can call in and have the situation resolved quickly. I.e. "Run this tool. It will generate your keys and email your public key to me."

Also, although this is likely to be the hardest environment to set up, it will probably be the most maintenance-free in the long run. I.e. PPTP is more vulnerable to a wide variety of attacks including DoS, etc. than IPSec is, and having a good set of security barriers is critical when you are looking at business data. The SSL issue could be used as well, but I don't really know what sorts of options are available on Windows for SSL-based VPNs.

Best Wishes,
Chris Travers
Metatron Technology Consulting
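As an added illustration of the Firewall #2 role in the layout quoted above (this is not code from either poster), here is an iptables forwarding policy that lets only the VPN staging network reach the database server's PostgreSQL port and drops everything else; the networks, addresses and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example: Firewall #2 sits between the VPN staging network and the
# database server. Every network value below is an assumed placeholder.
STAGING_NET="10.10.20.0/24"   # where VPN clients land after Firewall #1 (assumed)
DB_HOST="10.10.30.5"          # the database server (assumed)
DB_PORT="5432"                # PostgreSQL default port
IN_IF="eth0"                  # interface facing the staging network (assumed)
OUT_IF="eth1"                 # interface facing the database server (assumed)

# Print the ruleset instead of applying it, so it can be reviewed first.
# Default-deny on FORWARD; only new TCP connections from the staging network
# to the database port are admitted, replies ride on the conntrack state,
# and everything else is rate-limited logged and dropped.
fw2_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $STAGING_NET -d $DB_HOST -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix FW2-DROP:
iptables -A FORWARD -j DROP
EOF
}

# Apply the reviewed rules line by line (needs root and iptables on the
# firewall host); stop at the first rule that fails to load.
apply_fw2_rules() {
    fw2_rules | while IFS= read -r rule; do
        $rule || { echo "failed to apply: $rule" >&2; exit 1; }
    done
}
```

Pair this with pg_hba.conf entries on the database host that accept only the staging network, so the restriction does not rest on one device.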
