> Does anyone out there have experience with this or recommended best
> practices? We have been looking at either (a) tunnelling everything
> over ssh, or (b) just making sure that users have "strong" passwords and
> requiring "md5" authentication in pg_hba.conf.
Have you considered using VPN routers to punch a hole through your firewall?
Can you do a combination of A and B? (Does that make much sense?)
You should also consider blocking all IP addresses other than the client
nodes at the firewall. That won't help much if the client node gets
compromised.
--
Mike Nolan