September 6, 2005 at 12:29 am
I need a reliable and quick way to implement data encryption "over the wire" between a sql server and our local clients. According to
http://ask.support.microsoft.com/?kbid=841695
I can use either the multiprotocol protocol or certificates on both the server and the client. Which approach is most practical, easiest to implement, or secure? (Having to tweak 400 clients, in either case, is less than appealing but who said I was going to enjoy the experience?!)
TIA,
Bill
September 6, 2005 at 6:20 am
Let me just start off by saying that I haven't done this myself, so I can't offer any hard real-life advice, just some thoughts on the subject...
I believe that it's a bit more involved than just choosing between multiprotocol or certificates when deciding how to implement encryption.
It's a major design undertaking, and would probably serve you the best to do thorough research and planning vs immediate requirements and possible future requirements as well, if possible.
Also, do not consider only implementation, but also after it's put in place, will it still be 'practical, easy and secure' to administer and maintain? etc etc
I know that if I was to do something similar, there would be lots and lots of questions needed to be answered (probably most specific to my own environment and requirements) before I would be able to decide on any certain implementation. I'm certain each method has its pros and cons, and that none is more 'right' than the other. In short.. it depends
ah well.. 'nuff rambling.. Perhaps someone else will chime in with some more experience
/Kenneth
September 6, 2005 at 6:57 am
I have done this on remote SQL Servers that we administered over the internet.
We used tcp only and installed a certificate on the SQL Server, then used the "Server Network Utility" to force encryption. Clients will sort themselves out and need no changes. Server side encryption is mandatory whereas client side is optional.
SQL Server will not start if it cannot load the certificate OK which uses the FQDN of the server.
So if you have a box called "SQLBox" in domain "domain.tld", the cert is for "SQLBox.domain.tld".
This was on top of hard passwords and firewall port lockdowns to certain IP addresses etc
As for using multiprotocol, I don't know, never used it.
As for setting up and administering, never had any problems except for not matching FQDN first time we set it up, nor did it ever fail.
We used it as another layer of security, but it can be done between any SQL server and its clients if needed, there is an overhead of doing it though.
Cheers, Shawn
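An added check script for the server-side setup Shawn describes (force encryption plus a certificate whose name matches the server FQDN); it is not code from the thread or from Microsoft. It assumes PowerShell on the SQL Server itself and a SQL Server 2000 default instance, whose ForceEncryption and Certificate values live under the SuperSocketNetLib key shown; later versions and named instances keep them under a different path, so pass -NetLibKey accordingly.

```powershell
# Added example: verify that encryption is forced and that the configured
# certificate matches the machine FQDN (the mismatch Shawn mentions keeps
# SQL Server from starting). Registry path is the SQL Server 2000 default
# instance location (assumption); other versions differ.
function Test-SqlServerEncryptionSetup {
    param(
        [string]$NetLibKey = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib'
    )
    $fqdn  = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    $props = Get-ItemProperty -Path $NetLibKey -ErrorAction Stop
    $result = [ordered]@{
        Fqdn            = $fqdn
        ForceEncryption = ([int]$props.ForceEncryption -eq 1)   # 1 = every client must encrypt
        Thumbprint      = [string]$props.Certificate           # SHA-1 thumbprint of the server cert
        CertFound       = $false
        NameMatchesFqdn = $false
        HasPrivateKey   = $false
        ServerAuthEku   = $false
        NotExpired      = $false
    }
    if ($result.Thumbprint) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $result.Thumbprint.ToUpper() }
        if ($cert) {
            $result.CertFound = $true
            # Names the certificate is valid for: subject CN plus SAN DNS entries.
            # Format() output is assumed to be in English ("DNS Name=...").
            $names = @()
            if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) {
                $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value }
            }
            $result.NameMatchesFqdn = ($names -contains $fqdn)   # -contains is case-insensitive
            $result.HasPrivateKey   = $cert.HasPrivateKey          # SQL Server needs the key to load it
            $result.ServerAuthEku   = [bool]($cert.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.37' -and
                               $_.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.1' })
            $result.NotExpired      = ($cert.NotAfter -gt (Get-Date))
        }
    }
    [pscustomobject]$result
}

# Every boolean should come back True and Thumbprint should be non-empty.
Test-SqlServerEncryptionSetup | Format-List
```

Any False field points at the configuration that would either leave clients talking in the clear (ForceEncryption) or stop the service loading the certificate at start-up (the name, private key, EKU and expiry checks).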