Re: Is encryption of SQL Server necessary or even recommended

From: Adam Machanic (amachanic_at_air-worldwide.nospamallowed.com)
Date: 10/30/03


Date: Thu, 30 Oct 2003 09:23:27 -0500

It really depends on your network architecture. If the SQL Server is in its
own subnet accessible only by whatever servers use the database, encrypting
the traffic from the database to the servers would, in my opinion, be a
total waste of time. In such a setting, if the middle-tier servers are
compromised the encryption is not going to help protect the data anyway.
Likewise, in such a setting packet sniffing would not be an issue, so the
encryption would only serve to waste processing resources (and/or money).

On the other hand, if your server is set up such that many servers
throughout your organization and/or direct connections from users' desktop
machines are occurring, encryption might be necessary.

"Bob Clark" <anonymous@discussions.microsoft.com> wrote in message
news:053101c39e97$94948ec0$a601280a@phx.gbl...
> I saw a couple threads on here covering how to encrypt
> traffic between the client and the server. My question is
> a little different:
>
> We were recently gigged on a Vulnerability Assessment
> because none of our network traffic is encrypted. I'm
> looking at knocking out the low hanging fruit quickly so I
> thought at encrypting SQL Server traffic. I know it can be
> done, I'd just like to know if it is necessary.
>
> Most of our DBs contain sensitive data which could cost us
> a lot of money if it were compromised. However, one of
> our application vendors told us we didn't need to encrypt
> the SQL Server communication because we were using it in
> an Intranet environment.
>
> My first thought is that an Intranet environment can
> quickly become compromised with the inadvertent
> installation of a trojan on the network.
>
> What does everyone else think?


