Asked by WestSoft (United States of America)

My VB.NET app's MS SQL database server is moving from LAN out onto Internet! Secure?

Environment Background:

* VB.NET Windows Forms (Visual Studio 2008) application which utilizes MS SQL Server 2008 as the database.

* The VB app executes Stored Procedures to get/update data on the SQL server.

* The VB app connects to the SQL server using System.Data.SqlClient's:

  - SqlCommand.CommandType = CommandType.StoredProcedure and appropriate parameters passed

I use the SqlDataAdapter to fill a dataset with the returned database records.

I've written specific stored procedures for (a) getting all records, (b) getting individual specific records, and (c) updating records in the SQL database.  I've got data classes in the VB app that align with specific stored procedures and tables on the SQL server.

This is all working very easily for me.  Maintenance is a breeze and all of the database interaction is buried in classes so I don't have to get bogged down with it as I create various forms that are interacting with DB records.  I just use the classes.

To date, all of the interaction between the VB app and the SQL server has happened within a secure, trusted LAN.  This has worked with the app deployed to numerous clients.  No issues.

Encrypted Database:

All data stored in the database is encrypted by the VB app before it sends it to the SQL server.  The SQL server doesn't handle encryption/decryption.  So all records flowing over the network are encrypted from within the VB app.  If one of our clients wanders into the tables on the SQL server, it is all rubbish to them.  They can't read it.  Neither could anyone looking at the data as it passes over the network.  This has been "good enough" for us until now.

Upcoming Change:

We're about to deploy this app in an environment where the SQL server will be accessed from the VB app over Internet rather than residing on the same LAN as the VB app.  There will not be a VPN in place so my SqlConnection will happen to an Internet based public IP addressed SQL Server.

I can easily change the "Data Source=" portion of my database connection string from a local server name to a remote IP address and I presume that all of my logic will continue to function.

My Question:

Is this secure?

I don't need to fight elite hackers but I would like to deploy some modest security if the SqlConnection class isn't considered secure for "in the open" communications over Internet.  

I guess my biggest concern is at the point where we are logging into the SQL Server with the SqlConnection object.  I assume it passes the UID/Password to the SQL Server unencrypted.  My data is only unencrypted while it is within the VB app so I'm not concerned about the data itself... but the SQL login credentials worry me.

I welcome any feedback that would help me upgrade my code or help me feel okay to deploy over Internet as is.

More from the guy that wrote the question:

I'm looking at MSDN and I see that the SqlConnection.ConnectionString has a parameter called "Encrypt" which forces the connection to use SSL.

When true, SQL Server uses SSL encryption for all data sent between the client and server if the server has a certificate installed. Recognized values are true, false, yes, and no.
If those reading this question have experience with this parameter and know that this would help with my security concerns, I'd like to hear about your experiences implementing this.  Thanks!
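The Encrypt setting mentioned above, shown as an added example that is not part of the original post: a helper that builds a hardened connection string and a second one that audits an existing string for the two settings that matter over the Internet (Encrypt and TrustServerCertificate). It assumes SqlConnectionStringBuilder from System.Data.SqlClient (.NET Framework 2.0 or later, so usable from Visual Studio 2008); the server address, database, account and password are constructed sample values.

```vb
Imports System.Collections.Generic
Imports System.Data.SqlClient

Module ConnectionSecurity

    ' Hardened connection string: Encrypt=True makes the client require TLS for
    ' the session; TrustServerCertificate=False makes it validate the server's
    ' certificate against the client's trusted root store, so a host on the
    ' Internet cannot impersonate the SQL Server with an arbitrary certificate.
    Public Function BuildSecureConnectionString(ByVal server As String, _
                                                ByVal database As String, _
                                                ByVal userId As String, _
                                                ByVal password As String) As String
        Dim b As New SqlConnectionStringBuilder()
        b.DataSource = server
        b.InitialCatalog = database
        b.UserID = userId
        b.Password = password
        b.Encrypt = True
        b.TrustServerCertificate = False
        Return b.ConnectionString
    End Function

    ' Returns the problems found in an existing connection string (empty list = OK).
    Public Function AuditConnectionString(ByVal connectionString As String) As List(Of String)
        Dim issues As New List(Of String)
        Dim b As New SqlConnectionStringBuilder(connectionString)
        If Not b.Encrypt Then
            issues.Add("Encrypt is not set: query and result traffic is not TLS-protected.")
        End If
        If b.TrustServerCertificate Then
            issues.Add("TrustServerCertificate=True: any certificate is accepted, so TLS does not authenticate the server.")
        End If
        If (Not b.IntegratedSecurity) AndAlso b.Password.Length = 0 Then
            issues.Add("SQL login with an empty password.")
        End If
        Return issues
    End Function

    Sub Main()
        ' Constructed sample values (documentation address, made-up account), not real ones.
        Dim weak As String = "Data Source=203.0.113.10;Initial Catalog=AppDb;User ID=appuser;Password=s3cret"
        For Each issue As String In AuditConnectionString(weak)
            Console.WriteLine("WEAK: " & issue)
        Next
        Dim hardened As String = BuildSecureConnectionString("203.0.113.10", "AppDb", "appuser", "s3cret")
        Console.WriteLine("Hardened: " & hardened.Replace("s3cret", "***"))
        Console.WriteLine("Issues after hardening: " & AuditConnectionString(hardened).Count)
    End Sub

End Module
```

Encrypt=True only helps against an active attacker on the Internet path if the server's certificate is one the client actually trusts; setting TrustServerCertificate=True to make a self-signed certificate "work" silently gives that protection away.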
Answer by jamesrh (United States of America): solution text is members-only and is not included on this page.