On Wed, Jan 26, 2005 at 01:29:53PM -0500, Alex Turner wrote:
> Generally network security suggests that your database server should
> not allow connections from external addresses (including for services
> like ssh as well as pgsql). iptables can help achieve this if your
> servers are all on public IPs (also not a very good idea), otherwise
> the best place to configure this is at your firewall/router.
Some people like to have constraints in the database in addition
to whatever host- or network-based security is in place. The
thinking is that the closer the constraints are to the data, the
less likely they are to be circumvented, either intentionally or
accidentally. Firewalls keep out unauthorized users, application
checks provide a layer of defense against bogus data from authorized
users, and constraints in the database itself prevent bad data from
being entered by misbehaving applications or by users who are
bypassing the application (e.g., somebody tweaking the data from a
psql session). Constraints in table definitions also serve as
self-documentation.
--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
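
The layering described in the reply above, shown as an added example that is not part of the original message: an application check in front of the database, plus constraints in the table definition that still hold when a write skips the application. It assumes an in-memory SQLite database as a runnable stand-in for PostgreSQL (which also supports NOT NULL, UNIQUE and CHECK constraints); the `account` table, `app_insert`, `direct_write` and the sample rows are hypothetical.

```python
import sqlite3

# Constructed schema: table and column names are illustrative assumptions.
SCHEMA = """
CREATE TABLE account (
    id       INTEGER PRIMARY KEY,
    username TEXT    NOT NULL UNIQUE CHECK (length(username) BETWEEN 3 AND 32),
    role     TEXT    NOT NULL CHECK (role IN ('reader', 'editor', 'admin')),
    balance  INTEGER NOT NULL CHECK (balance >= 0)
);
"""
INSERT = "INSERT INTO account (username, role, balance) VALUES (?, ?, ?)"

def open_db():
    conn = sqlite3.connect(":memory:")  # SQLite stands in for PostgreSQL here
    conn.executescript(SCHEMA)
    return conn

def app_insert(conn, username, role, balance):
    """Application path: validates input before it reaches the database."""
    if role not in ("reader", "editor", "admin") or balance < 0:
        raise ValueError("rejected by application check")
    with conn:
        conn.execute(INSERT, (username, role, balance))

def direct_write(conn, sql, params=()):
    """Write that skips app_insert, like an ad hoc SQL session or a buggy app.
    Returns (accepted, error_text)."""
    try:
        with conn:  # commits on success, rolls back on a constraint violation
            conn.execute(sql, params)
        return True, None
    except sqlite3.IntegrityError as exc:
        return False, str(exc)

ATTEMPTS = [  # constructed sample writes that bypass the application check
    (INSERT, ("mallory", "superuser", 0)),                                  # unknown role
    ("UPDATE account SET balance = ? WHERE username = ?", (-50, "alice")),  # negative balance
    (INSERT, ("alice", "reader", 0)),                                       # duplicate username
    (INSERT, ("bob", "reader", 0)),                                         # valid row
]

def demo():
    conn = open_db()
    app_insert(conn, "alice", "editor", 100)
    outcomes = [direct_write(conn, sql, params) for sql, params in ATTEMPTS]
    rows = conn.execute("SELECT username, role, balance FROM account ORDER BY id").fetchall()
    return outcomes, rows
```

Calling `demo()` returns the accept/reject outcome of each direct write and the rows that remain in the table afterwards.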