My VB.NET app's MS SQL database server is moving from LAN out onto Internet! Secure?

Asked by WestSoft (United States of America)
Topics: .NET Programming, Microsoft Development, Microsoft SQL Server 2008

Environment Background:

*VB.NET Windows Forms (Visual Studio 2008) application which utilizes MS SQL Server 2008 as the database.

*The VB app executes Stored Procedures to get/update data on the SQL server.

*The VB app connects to the SQL server using System.Data.SqlClient's:

-SqlCommand.CommandType = CommandType.StoredProcedure and appropriate parameters passed

I use the SqlDataAdapter to fill a dataset with the returned database records.

I've written specific stored procedures for (a) getting all records, (b) getting individual specific records, and (c) updating records in the SQL database.  I've got data classes in the VB app that align with specific stored procedures and tables on the SQL server.

This is all working very easily for me.  Maintenance is a breeze and all of the database interaction is buried in classes so I don't have to get bogged down with it as I create various forms that are interacting with DB records.  I just use the classes.

To date, all of the interaction between the VB app and the SQL server has happened within a secure, trusted LAN.  This has worked with the app deployed to numerous clients.  No issues.

Encrypted Database:

All data stored in the database is encrypted by the VB app before it sends it to the SQL server.  The SQL server doesn't handle encryption/decryption.  So all records flowing over the network are encrypted from within the VB app.  If one of our clients wanders into the tables on the SQL server, it is all rubbish to them.  They can't read it.  Neither could anyone looking at the data as it passes over the network.  This has been "good enough" for us until now.

Upcoming Change:

We're about to deploy this app in an environment where the SQL server will be accessed from the VB app over Internet rather than residing on the same LAN as the VB app.  There will not be a VPN in place so my SqlConnection will happen to an Internet based public IP addressed SQL Server.

I can easily change the "Data Source=" portion of my database connection string from a local server name to a remote IP address and I presume that all of my logic will continue to function.

My Question:

Is this secure?

I don't need to fight elite hackers but I would like to deploy some modest security if the SqlConnection class isn't considered secure for "in the open" communications over Internet.  

I guess my biggest concern is at the point where we are logging into the SQL Server with the SqlConnection object.  I assume it passes the UID/Password to the SQL Server unencrypted.  My data is only unencrypted while it is within the VB app so I'm not concerned about the data itself... but the SQL login credentials worry me.

I welcome any feedback that would help me upgrade my code or help me feel okay to deploy over Internet as is.
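
Added example, not part of the original post: one way to rebuild the existing LAN connection string so that SqlClient requests TLS and validates the server certificate, protecting login and session traffic in transit, and to refuse connection strings that do not. The module and function names, the stored procedure dbo.usp_GetCustomer and its @CustomerId parameter are hypothetical; the server is assumed to have a certificate issued for the name used in Data Source.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module RemoteSqlAccess   ' hypothetical module name

    ' Rebuilds the LAN connection string for use over an untrusted network.
    Public Function BuildInternetConnectionString(ByVal lanConnectionString As String, _
                                                  ByVal remoteServer As String) As String
        Dim b As New SqlConnectionStringBuilder(lanConnectionString)
        ' With validation on, this name must match the server certificate,
        ' so a bare IP address normally will not pass.
        b.DataSource = remoteServer
        b.Encrypt = True                  ' request TLS for the whole session
        b.TrustServerCertificate = False  ' validate certificate chain and name
        b.PersistSecurityInfo = False     ' do not expose the password after Open()
        b.ConnectTimeout = 15
        Return b.ConnectionString
    End Function

    ' Guard for connection strings loaded from configuration files.
    Public Function IsSafeForInternet(ByVal connectionString As String) As Boolean
        Dim b As New SqlConnectionStringBuilder(connectionString)
        Return b.Encrypt AndAlso Not b.TrustServerCertificate
    End Function

    ' Same stored-procedure / SqlDataAdapter pattern the post describes.
    Public Function GetRecords(ByVal connectionString As String, _
                               ByVal customerId As Integer) As DataSet
        If Not IsSafeForInternet(connectionString) Then
            Throw New InvalidOperationException( _
                "Connection string does not enforce validated encryption.")
        End If
        Dim result As New DataSet()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("dbo.usp_GetCustomer", conn) ' hypothetical name
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(result)  ' opens and closes the connection itself
                End Using
            End Using
        End Using
        Return result
    End Function
End Module
```

If the certificate is missing or does not match, the connection fails at Open/Fill rather than falling back to an unvalidated session.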
