Clustering and data transport encryption

  • I'm currently building a server infrastructure with a SQL Server cluster backend; however, one of the requirements is that data containing customer information is encrypted at the network level.

    Easy - use IPSec. Wrong. If I use IPSec, when the cluster fails over it could take up to 10 minutes for the IPSec session to refresh its key - this would not be acceptable.

    Has anyone successfully implemented network level data encryption for a SQL Server cluster with adequate failover times (sub 30sec)? If so, I'd be interested to know how this was implemented.

    Thanks.

  • Doesn't Cisco offer a real time encrypter that will refresh much faster than 10 min? I am almost positive I have seen a product from them that uses triple DES with near real time failover for things like clusters or web farms.

    Wes

  • quote:

    Doesn't Cisco offer a real time encrypter that will refresh much faster than 10 min? I am almost positive I have seen a product from them that uses triple DES with near real time failover for things like clusters or web farms.

    Wes

    Nice idea, but we're pushing the budget on this project - we are considering NIC level encryption (cheap, but untested, possibly untrusted - our security team will need to investigate this and sign it off, more delays etc.).

    The alternative to clustering would be to purchase a resilient hardware solution, e.g. Tandem or Stratus, but again, this comes very expensive.

    The original idea was to install a pair of Compaq/HP DL580s with shared disk storage (pretty standard), but then Security decided they wanted traffic encryption, which makes it difficult.

    OK, so we could write our own 'data proxy' which encrypts/decrypts the data prior to sending it to the DB, but this is out of scope for the project.

    I just wondered if anyone else has looked at this problem and had a potential solution.

    Thanks.

  • If they are requiring a level of encryption but not willing to provide the hardware, I don't know how reliable you could make it. Maybe look at SSH between boxes, dunno. If you are looking at Tandems, I would also look at the ES7000 from Unisys; that is a killer box.

    Wes
