Authentication to server with SSL through firewall

From: Eliyahu Goldin (removemeegoldin_at_monarchmed.com)
Date: 12/04/03 

Date: Thu, 4 Dec 2003 16:15:53 +0200

I am building a configuration with an ASP.NET application running on a Web
server and accessing remote SQL servers 2000 via Internet. Every SQL server
is located behind its firewall. Every SQL Server will have SSL certificate
installed. SSL encryption can't be forced on the server side since there are
local intranet applications accessing the same database.

As far as I understand, there are following authentication options:

1. Windows authentication. For this to work through a firewall, the firewall
must open port 445 which is not good for the SQL server security.

2. SQL authentication with encryption requested in connection string. User
name and password are sent in connection string as plain text which is not
good.

3. SQL authentication with forced encryption on the client side. This should
be very good from security point of view since the user name and password
should be sent already encrypted, but the drawback is that no connection can
be made to a SQL server with no SSL. If I anticipate all connection to be
only encrypted, this option should be the one to follow.

Does this logic make any sense?

TIA,

Eliyahu

Relevant Pages

  • Re: SQL or Access DB
    ... As far as encryption goes though... ... with Sql Server you can use SQL DMO and encrypt your stored procedures ... installation - Security was absolutely critical and in most instances, ... > then we create a nice gui around this database and sell it to automotive ...
    (microsoft.public.dotnet.languages.vb)
  • Re: Help Encrypting Connection String
    ... I have simply 'overridden' the LocalSqlServer connection string to point to my SQL Server DB. ... to encrypt the section and places it into web.config - the config file then refers to the reg key. ... I don't like to hardcode anything, in general, but I'd rather do that with an encryption key than the underlying data itself. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Connection to SQL Server CE Windows Service via C# - Error 250
    ... Encryption is not specified in the connection string. ... connect to it via the windows service under the Local Service account. ... I'm using SQL Server Compact Edition as a private data store. ...
    (microsoft.public.sqlserver.ce)
  • Re: Encryption of Connection String
    ... I don't think ANY encryption is applied to the string by default. ... > Do you know what level of encryption IS applied to the connection string? ... >> to the SQL Server via SQL authentication the password is only ...
    (microsoft.public.sqlserver.security)
  • Re: Encrypt connection channel
    ... I assume that you are talking only about encryption during transmission, ... this question is not about how to store sensitive data in a database. ... > DMZ and SQL Server in secured zone? ... > 1 Encrypt the connection string that is used to make a connection, ...
    (microsoft.public.sqlserver.security)