SSL encryption Expand / Collapse
Posted Tuesday, May 28, 2013 5:18 AM
SSC Veteran
Group: General Forum Members
Last Login: Wednesday, July 2, 2014 6:30 AM
Points: 253, Visits: 616
Hi Guys,

I am not too familiar with SSL encryption in SQL server. Can anyone please give me the pros and cons about enabling this feature.

I have already done a bit of reading on the topic but would like to hear a couple of opinions about it. Can this feature be enabled for one database on an instance only?

Please advise.

Regards
IC
Post #1457265
Posted Wednesday, May 29, 2013 11:43 AM
SSC Eights!
Group: General Forum Members
Last Login: Yesterday @ 7:48 AM
Points: 861, Visits: 2,359
If by "SSL Encryption" you mean encryption of the TCP connection to the SQL Server instance, then you'll need to generate a certificate using the Fully Qualified Domain Name (FQDN) (I use OpenSSL to generate these, and sign them with a CA that's loaded on the domain controller), load it into the "Computer" certificate store of the SQL Server's host OS, and then use SQL Server Configuration Manager to select it (and, optionally, turn Force Encryption on).

Personally, I like forcing encryption to be on; I feel much better when traffic's encrypted.

Pros:
You may have a fighting chance at some security recommendations or requirements for your industry.
You can give one more "good" answer on audits.
It's more difficult for attackers on your network to obtain possible sensitive information.

Cons:
To use packet sniffers to see SQL, you'll also need to load the certificate into the packet sniffer.
In some cases, users should use the FQDN to avoid certificate warnings: "server.domain.top" instead of "server".

For first pass validation:
-- Count current connections by whether they negotiated encryption
-- (encrypt_option = TRUE/FALSE) and by authentication scheme (SQL, NTLM, KERBEROS).
SELECT encrypt_option, auth_scheme, COUNT(*) AS connections
FROM sys.dm_exec_connections
GROUP BY encrypt_option, auth_scheme
ORDER BY encrypt_option, auth_scheme;

Better validation involves packet sniffers; at this time I'm not sure how to extract precisely which cipher suite is being used.
Post #1457889
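The validation query in the answer above reports encryption per connection, because encryption is negotiated on the connection, not set per database, which also bears on the original poster's question. The following is an added example, not code from either post, that extends that check so an administrator can see which clients are still connecting unencrypted after the certificate has been installed. It assumes SQL Server 2008 or later (the DMV columns used exist in all later versions) and VIEW SERVER STATE permission; all other names are standard catalog objects.

```sql
-- Added example (not from the original thread): per-connection encryption audit.
-- Assumes VIEW SERVER STATE on the instance.

-- 1. Aggregate view, as in the post above, with the transport added so that
--    local shared-memory sessions are not mistaken for unencrypted network traffic.
SELECT c.net_transport, c.encrypt_option, c.auth_scheme, COUNT(*) AS connections
FROM sys.dm_exec_connections AS c
GROUP BY c.net_transport, c.encrypt_option, c.auth_scheme
ORDER BY c.net_transport, c.encrypt_option, c.auth_scheme;

-- 2. Which logins, hosts and programs are still connecting in the clear over the network.
--    These are the clients to fix (FQDN in the connection string, client trust of the CA)
--    before Force Encryption is switched on, so nothing breaks at the cutover.
SELECT c.session_id, s.login_name, s.host_name, s.program_name,
       c.client_net_address, c.net_transport, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'   -- shared memory never leaves the host
ORDER BY s.login_name, s.host_name;

-- 3. The session you are running this from: confirm it negotiated encryption
--    after enabling the certificate and Force Encryption.
SELECT encrypt_option, auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Run the second query from a remote client over TCP; a row for your own session with encrypt_option = FALSE means the certificate was not picked up by the instance (or the connection string is bypassing it), which is the case the packet-sniffer check in the answer would otherwise be needed for.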