Re: Is encryption of SQL Server necessary or even recommended
From: Mike Epprecht [SQL Server MVP] (mike_at_NOSPAMepprecht.net)
Date: 10/30/03
- Next message: Mal Ball: "Connecting to SQL between two XP Clients"
- Previous message: hrhoe: "Create table & deny delete table"
- In reply to: Adam Machanic: "Re: Is encryption of SQL Server necessary or even recommended"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Oct 2003 21:40:33 +0200
I would look at IPSec at the network level.
Enforce it on the whole network so that all data is securer.
Regards
--------------------------------
Mike Epprecht, Microsoft SQL Server MVP
Epprecht Consulting (PTY) LTD
Johannesburg, South Africa
Mobile: +27-82-552-0268
IM: mike@NOSPAMepprecht.net
Specialist SQL Server Solutions and Consulting
"Adam Machanic" <amachanic@air-worldwide.nospamallowed.com> wrote in message
news:uqpBkFvnDHA.2456@TK2MSFTNGP09.phx.gbl...
> It really depends on your network architecture. If the SQL Server is in its
> own subnet accessible only by whatever servers use the database, encrypting
> the traffic from the database to the servers would, in my opinion, be a
> total waste of time. In such a setting, if the middle-tier servers are
> compromised the encryption is not going to help protect the data anyway.
> Likewise, in such a setting packet sniffing would not be an issue, so the
> encryption would only serve to waste processing resources (and/or money).
>
> On the other hand, if your server is set up such that many servers
> throughout your organization and/or direct connections from users' desktop
> machines are occurring, encryption might be necessary.
>
>
> "Bob Clark" <anonymous@discussions.microsoft.com> wrote in message
> news:053101c39e97$94948ec0$a601280a@phx.gbl...
> > I saw a couple threads on here covering how to encrypt
> > traffic between the client and the server. My question is
> > a little different:
> >
> > We were recently gigged on a Vulnerability Assessment
> > because none of our network traffic is encrypted. I'm
> > looking at knocking out the low hanging fruit quickly so I
> > thought of encrypting SQL Server traffic. I know it can be
> > done, I'd just like to know if it is necessary.
> >
> > Most of our DBs contain sensitive data which could cost us
> > a lot of money if it were compromised. However, one of
> > our application vendors told us we didn't need to encrypt
> > the SQL Server communication because we were using it in
> > an Intranet environment.
> >
> > My first thought is that an Intranet environment can
> > quickly become compromised with the inadvertent
> > installation of a trojan on the network.
> >
> > What does everyone else think?
>
>