A recent article on the SANS site recommends that user IDs and passwords for Web applications to authenticate to
database servers should NOT be stored in scripts. What is a secure method of providing Web application authentication to SQL databases? My environment: Web servers on separate firewalled DMZ allowing HTTP/S from Internet; SQL database servers on internal network behind same firewall, allowing port 1433 from Web server IPs to SQL server IPs. SQL user ID and password are stored in file on Web servers.
I recommend using Secure Shell (SSH) to help securely authenticate and encrypt the connection from a Web server to a database server. As long as the connection uses TCP, you can implement SSH with port redirection for any type of service. All data can use the public-key authentication mechanisms of the SSH channel and will be encrypted as it passes between the systems. You need to put an SSH client on the Web server and an SSH server on the database server. You can get free, open source implementations of SSH at www.openssh.com or commercial versions (including Windows versions) at www.ssh.com. When using SSH, please make sure to use SSH Protocol Version 2, as the earlier incarnation of the protocol has security flaws.
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Implementing SSH
Definition: Secure Shell
Best Web Links: Database security
Dig deeper on Database Security Management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.