WestSoft

My VB.NET app's MS SQL database server is moving from LAN out onto Internet! Secure?

====================================
Environment Background:
====================================

*VB.NET Windows Forms (Visual Studio 2008) application which utilizes MS SQL Server 2008 as the database.

*The VB app executes Stored Procedures to get/update data on the SQL server.

*The VB app connects to the SQL server using System.Data.SqlClient's:

-SqlConnection
-SqlDataAdapter
-SqlCommand.CommandType = CommandType.StoredProcedure and appropriate parameters passed

I use the SqlDataAdapter to fill a dataset with the returned database records.

I've written specific stored procedures for (a) getting all records, (b) getting individual specific records, and (c) updating records in the SQL database.  I've got data classes in the VB app that align with specific stored procedures and tables on the SQL server.

This is all working very easily for me.  Maintenance is a breeze and all of the database interaction is buried in classes so I don't have to get bogged down with it as I create various forms that are interacting with DB records.  I just use the classes.

To date, all of the interaction between the VB app and the SQL server has happened within a secure, trusted LAN.  This has worked with the app deployed to numerous clients.  No issues.

====================================
Encrypted Database:
====================================

All data stored in the database is encrypted by the VB app before it sends it to the SQL server.  The SQL server doesn't handle encryption/decryption.  So all records flowing over the network are encrypted from within the VB app.  If one of our clients wanders into the tables on the SQL server, it is all rubbish to them.  They can't read it.  Neither could anyone looking at the data as it passes over the network.  This has been "good enough" for us until now.

====================================
Upcoming Change:
====================================

We're about to deploy this app in an environment where the SQL server will be accessed from the VB app over Internet rather than residing on the same LAN as the VB app.  There will not be a VPN in place so my SqlConnection will happen to an Internet based public IP addressed SQL Server.

I can easily change the "Data Source=" portion of my database connection string from a local server name to a remote IP address and I presume that all of my logic will continue to function.

====================================
My Question:
====================================

Is this secure?

I don't need to fight elite hackers but I would like to deploy some modest security if the SqlConnection class isn't considered secure for "in the open" communications over Internet.  

I guess my biggest concern is at the point where we are logging into the SQL Server with the SqlConnection object.  I assume it passes the UID/Password to the SQL Server unencrypted.  My data is only unencrypted while it is within the VB app so I'm not concerned about the data itself... but the SQL login credentials worry me.

I welcome any feedback that would help me upgrade my code or help me feel okay to deploy over Internet as is.
Microsoft SQL Server 2008, Microsoft Development, .NET Programming

Last Comment
jamesrh

8/22/2022 - Mon
WestSoft

ASKER
More from the guy that wrote the question:

I'm looking at MSDN and I see that the SqlConnection.ConnectString has a parameter called "Encrypt" which forces the connection to use SSL.

When true, SQL Server uses SSL encryption for all data sent between the client and server if the server has a certificate installed. Recognized values are true, false, yes, and no.
If those reading this question have experience with this parameter and know that this would help with my security concerns, I'd like to hear about your experiences implementing this.  Thanks!
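
An added example (not part of the original post or its answers) of the "Encrypt" connection string keyword used through `SqlConnectionStringBuilder`, with the server certificate validated and the session's encryption state confirmed on the server. The host, database and login names are placeholders, and the check assumes the login has VIEW SERVER STATE permission so it can read `sys.dm_exec_connections`.

```vbnet
Imports System
Imports System.Data.SqlClient

Module EncryptedConnectionCheck

    ' Builds a connection string that requires encryption and validates the server certificate.
    ' The values passed in from Main are placeholders, not values from the original post.
    Function BuildConnectionString(ByVal host As String, ByVal database As String, _
                                   ByVal user As String, ByVal password As String) As String
        Dim b As New SqlConnectionStringBuilder()
        b.DataSource = host              ' must match the name in the server's certificate
        b.InitialCatalog = database
        b.UserID = user
        b.Password = password
        b.Encrypt = True                 ' the "Encrypt" keyword quoted from MSDN above
        b.TrustServerCertificate = False ' reject certificates that fail chain or name validation
        Return b.ConnectionString
    End Function

    ' Asks the server whether the current session is actually encrypted.
    ' Assumption: the login can read sys.dm_exec_connections (VIEW SERVER STATE).
    Function IsSessionEncrypted(ByVal conn As SqlConnection) As Boolean
        Using cmd As New SqlCommand( _
            "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn)
            Dim result As Object = cmd.ExecuteScalar()
            Return result IsNot Nothing AndAlso _
                   String.Equals(result.ToString(), "TRUE", StringComparison.OrdinalIgnoreCase)
        End Using
    End Function

    Sub Main()
        Dim cs As String = BuildConnectionString("sql.example.com", "AppDb", "app_user", "<password>")
        Try
            Using conn As New SqlConnection(cs)
                conn.Open()
                If Not IsSessionEncrypted(conn) Then
                    Throw New InvalidOperationException("Session is not encrypted; refusing to continue.")
                End If
                Console.WriteLine("Connected over an encrypted, certificate-validated session.")
            End Using
        Catch ex As SqlException
            ' Raised for certificate validation failures, among other errors.
            Console.WriteLine("Connection failed: " & ex.Message)
        End Try
    End Sub

End Module
```

With `TrustServerCertificate = False`, a "Data Source=" that is a bare IP address fails validation unless the certificate was issued for that name, so the connection string should use the host name the certificate carries.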
ASKER CERTIFIED SOLUTION
jamesrh
