Rich Freeman on 17 Feb 2012 07:18:54 -0800
Re: [PLUG] network choice from the application level
On Fri, Feb 17, 2012 at 9:50 AM, Eric at Lucii.org <eric@lucii.org> wrote:
> They want it because they are Paranoid with a capital "P".
>
> The real answer is separate database server processes and different port numbers.

I've worked in regulated environments (although not with internet-exposed apps) and the typical approach I've seen is to just have separate database credentials per app/etc. That is much more secure than trusting clients to connect from the correct IPs (which can be spoofed/etc).

If I were ultra-paranoid then I'd definitely be using separate database server processes, with those processes having some kind of isolation (one or more of separate uids, separate containers, hardened chroot jails, separate vms, separate physical hardware, etc). All of those are going to end up with the databases being on at least separate ports, if not separate IPs.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
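As an added illustration of the per-application-credentials approach Rich describes (this is not code from the thread or from either poster; PostgreSQL syntax is assumed, and the role, database and table names, passwords and address ranges are placeholders), the following script gives each application its own login role with only the grants it needs, so two apps sharing one server process and one port still cannot read each other's data. The matching authentication lines are shown as comments, with the address-only "trust" style beside the credential-based one:

```sql
-- Added example, not from the thread. Assumes PostgreSQL (scram-sha-256 needs
-- version 10 or later); all names and values below are placeholders.

-- One login role per application, each with its own credential.
CREATE ROLE billing_app LOGIN PASSWORD 'change-me-billing';
CREATE ROLE reports_app LOGIN PASSWORD 'change-me-reports';

-- One database per application, owned by that application's role.
CREATE DATABASE billing OWNER billing_app;
CREATE DATABASE reports OWNER reports_app;

-- Close the default door: PostgreSQL grants CONNECT on every new database to
-- PUBLIC, which would let any role reach any database.
REVOKE CONNECT ON DATABASE billing FROM PUBLIC;
REVOKE CONNECT ON DATABASE reports FROM PUBLIC;

-- Inside the billing database, let reports_app read exactly one table.
\c billing
CREATE TABLE invoices (id serial PRIMARY KEY, amount_cents bigint NOT NULL);
ALTER TABLE invoices OWNER TO billing_app;
GRANT CONNECT ON DATABASE billing TO reports_app;
GRANT USAGE ON SCHEMA public TO reports_app;
GRANT SELECT ON TABLE invoices TO reports_app;
-- reports_app can now SELECT from invoices but cannot INSERT, UPDATE, DELETE,
-- or touch any other table; billing_app has no access to the reports database.

-- Matching pg_hba.conf lines, shown here as comments.
-- Weak: identity is inferred from the source address alone. Anything that can
-- present that address (the spoofing the post warns about) is let in.
--   # TYPE  DATABASE  USER  ADDRESS       METHOD
--   host    all       all   10.0.1.0/24   trust
-- Preferred: each role must prove its own credential, and each role is only
-- accepted for its own database. The address range is an extra filter, not
-- the thing being trusted.
--   # TYPE  DATABASE  USER         ADDRESS       METHOD
--   host    billing   billing_app  10.0.1.0/24   scram-sha-256
--   host    reports   reports_app  10.0.2.0/24   scram-sha-256
```

Run it with psql as a superuser; the `\c billing` line is a psql meta-command that reconnects to the new database so the table-level grants land in the right place. If the stronger process-level isolation from the post is wanted, the same role layout still applies, with each application's database moved to its own cluster under its own uid and port.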