Firewall Wizards mailing list archives

Re: One way DB replication through firewall


From: Bennett Todd <bet () mordor net>
Date: Wed, 22 Jul 1998 12:03:39 -0400

You almost certainly don't want to use vendor-provided database replication
for this application, for two reasons. First, vendor-provided database
replication doesn't actually work; it's a checklist item required to make
some contract bids, so they claim it, but they've never made it work. And
second, commercial relational database vendors are selling software that
hasn't made any significant advances in better than 20 years; among other
defects, this means that they regard security as something that happens to
other people.

The best way to do your updates is to have the inside master database
periodically take a dump, sending out some portable format of the extract you
need to maintain on the outside, then copy that out with something secure like
e.g. ssh, and have a job on the outside do a cold reload of the
internet-visible database.

If that's not possible --- e.g. because the publicly visible database is too
large --- then have the inside database emit a transaction log, and
periodically copy that transaction log out (with something secure like e.g.
ssh) and play that against the external database. Recording and playing back
transaction logs is another thing that relational database vendors aren't
famous for getting right, so plan on using your own application code to manage
this.

-Bennett
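
The transaction-log approach from the message above, sketched as an added example that is not part of the original post: application code on the outside host replays a copied-out log, skipping re-sent entries, refusing gaps, and applying each batch in a single transaction. The JSON-lines log format, the table names, the `emit`/`replay` helpers and the use of SQLite as a stand-in for the external database are all assumptions; the copy over ssh is left out.

```python
import json
import sqlite3

# Constructed schema: table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE IF NOT EXISTS items (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE IF NOT EXISTS replay_state (k TEXT PRIMARY KEY, last_seq INTEGER NOT NULL);
INSERT OR IGNORE INTO replay_state VALUES ('log', 0);
"""
# The outside host runs only these fixed, parameterised statements, never SQL from the log.
OPS = {
    "upsert": "INSERT OR REPLACE INTO items (id, name, price) VALUES (:id, :name, :price)",
    "delete": "DELETE FROM items WHERE id = :id",
}

class LogError(Exception):
    """The copied-out log batch cannot be applied safely."""

def emit(seq, op, row):
    """Inside side: one log entry as a portable JSON line."""
    return json.dumps({"seq": seq, "op": op, "row": row})

def open_outside(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # transactions are explicit below
    db.executescript(SCHEMA)
    return db

def replay(db, log_lines):
    """Outside side: apply a batch atomically; return how many entries were new."""
    applied = 0
    db.execute("BEGIN IMMEDIATE")
    try:
        last = db.execute("SELECT last_seq FROM replay_state WHERE k = 'log'").fetchone()[0]
        for line in log_lines:
            rec = json.loads(line)
            if rec["seq"] <= last:
                continue  # batch was re-sent; entry already applied
            if rec["seq"] != last + 1:
                raise LogError(f"gap in log: expected {last + 1}, got {rec['seq']}")
            if rec["op"] not in OPS:
                raise LogError(f"unknown operation {rec['op']!r}")
            db.execute(OPS[rec["op"]], rec["row"])
            last, applied = rec["seq"], applied + 1
        db.execute("UPDATE replay_state SET last_seq = ? WHERE k = 'log'", (last,))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")  # a bad entry leaves the public database untouched
        raise
    return applied
```

Because the last applied sequence number is stored in the same transaction as the data, a batch that is interrupted or rejected can simply be copied out and replayed again.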


