Rich Freeman on 17 Feb 2012 07:18:54 -0800

Re: [PLUG] network choice from the application level

On Fri, Feb 17, 2012 at 9:50 AM, Eric at <> wrote:
> They want it because they are Paranoid with a capital "P".
> The real answer is separate database server processes and different port numbers.

I've worked in regulated environments (although not with
internet-exposed apps) and the typical approach I've seen is to just
have separate database credentials per app/etc.  That is much more
secure than trusting clients to connect from the correct IPs (which
can be spoofed/etc).

If I were ultra-paranoid then I'd definitely be using separate
database server processes, with those processes having some kind of
isolation (one or more of separate uids, separate containers, hardened
chroot jails, separate vms, separate physical hardware, etc).  All of
those are going to end up with the databases being on at least
separate ports, if not separate IPs.
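As an added illustration of the per-app credential approach described above (not part of the original thread), here is what it might look like on PostgreSQL; the choice of PostgreSQL is an assumption since the thread names no database, and the database, role and schema names are constructed.

```sql
-- Assumption: PostgreSQL. Names (appdb, app_billing, app_reports) are constructed.
-- Each application gets its own login role; no credential is shared across apps.
CREATE ROLE app_billing LOGIN PASSWORD 'placeholder-billing-secret';
CREATE ROLE app_reports LOGIN PASSWORD 'placeholder-reports-secret';

-- One schema per app, owned by that app's role.
CREATE SCHEMA billing AUTHORIZATION app_billing;
CREATE SCHEMA reports AUTHORIZATION app_reports;

-- Remove the default grants that let any login use the public schema
-- or connect to the database without an explicit grant.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;

-- Each app may connect, but only its own schema is usable by default.
GRANT CONNECT ON DATABASE appdb TO app_billing, app_reports;
GRANT USAGE ON SCHEMA billing TO app_billing;
GRANT USAGE ON SCHEMA reports TO app_reports;

-- The reporting app needs billing data, but read-only: a distinct
-- credential with narrower rights rather than a shared one.
GRANT USAGE ON SCHEMA billing TO app_reports;
GRANT SELECT ON ALL TABLES IN SCHEMA billing TO app_reports;
ALTER DEFAULT PRIVILEGES FOR ROLE app_billing IN SCHEMA billing
    GRANT SELECT ON TABLES TO app_reports;

-- Review queries: confirm no app role is a superuser, and that
-- app_billing cannot reach the reports schema at all.
SELECT rolname, rolsuper, rolcanlogin FROM pg_roles WHERE rolname LIKE 'app\_%';
SELECT has_schema_privilege('app_billing', 'reports', 'USAGE');
SELECT has_schema_privilege('app_reports', 'billing', 'CREATE');

-- In pg_hba.conf the contrast the thread draws is between trusting a
-- source address and requiring a per-app credential:
--   host  appdb  all          10.0.0.0/24  trust           (address-based trust)
--   host  appdb  app_billing  10.0.0.0/24  scram-sha-256   (password per app role)
```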

