Think about the situation like this: I have an application server and a database server. An application will ask the database server for information. The database server, of course, needs a password. It also has an SSL connection. Is it necessary to make the connection via a VPN? Also, I am using RoR to develop; is there any way to protect database.yml? Thank you.

+4  A: 

"Standard" practice is to make sure the database server is not open to the internet at large. Ideally, the database should only permit connections from the app server - a connection on the local network, locked to a specific port and IP address. You don't really need SSL in this case as the environment is trusted.

Regardless of your framework or language, there is no real way to protect the database configuration on the app server outside of your normal access policies. Lock the server down, and lock the database permissions down as much as you can (restrict to SELECT, UPDATE, DELETE, etc. on specific tables as your use-cases permit).

Toby Hede
The environment should never be trusted; that's how you get hacked.
Rook
Trust is perhaps the wrong word here. The key point is that the database server should ideally not be open to the internet at all, but only to the local network. If you have this kind of topography you shouldn't need to use an SSL connection between the servers.
Toby Hede
A: 

Yes, what you are doing is absolutely correct. A VPN and an SSL connection both create a secure transport layer connection, and thus using both would be redundant. If your database is remote, even if it's in the same data center, I would make sure to use an SSL connection. However, if the database is being hosted locally, then you don't need SSL.

In any case I would firewall off your database (TCP 3306 for MySQL). You shouldn't have open ports like that to the world.

Rook
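An added example, not from either answer or from Rails itself: a small Ruby audit of a Rails `database.yml` that checks the points both answers raise, namely whether the file is readable by other local users, whether the password is stored literally instead of pulled from the environment via ERB, whether the production host is on the local network or a public address, and whether a remote host has any SSL setting at all. The RFC 1918 ranges, the `ssl*` key naming and the `DB_PASSWORD` variable name are assumptions.

```ruby
require 'yaml'
require 'erb'
require 'ipaddr'

# Loopback plus RFC 1918 ranges: a database on one of these is "on the local
# network" in the sense the answers use. Assumption: no other private ranges.
LOCAL_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
               .map { |r| IPAddr.new(r) }

# Returns :local, :remote (public IP) or :unknown (a hostname that cannot be
# classified offline and needs a human to confirm where it resolves).
def classify_host(host)
  return :local if host.nil? || host.empty? || host == 'localhost'
  ip = IPAddr.new(host) rescue nil
  return :unknown if ip.nil?
  LOCAL_RANGES.any? { |r| r.include?(ip) } ? :local : :remote
end

# Audit one database.yml for the points raised in the thread. Returns an array
# of finding strings; an empty array means nothing was flagged.
def audit_database_yml(path, env: 'production')
  findings = []

  # Access policy on the app server: the file should not be world-readable.
  mode = File.stat(path).mode & 0o777
  if mode & 0o007 != 0
    findings << format('%s is readable by other local users (mode %04o); use 0600 or 0640', path, mode)
  end

  # A literal password in the file ends up in backups, repos and logs; an ERB
  # tag that reads ENV does not. (Hypothetical variable name DB_PASSWORD.)
  raw = File.read(path)
  if raw.match?(/^[ \t]*password:[ \t]*(?!<%)\S/)
    findings << 'plaintext password in file; load it from ENV via <%= ENV["DB_PASSWORD"] %>'
  end

  # Evaluate ERB first, as Rails does, then read the requested environment.
  config = YAML.safe_load(ERB.new(raw).result, aliases: true)[env] || {}
  host = config['host']
  case classify_host(host)
  when :remote
    findings << "host #{host} is a public address; restrict it to the app server's IP and firewall the port"
    unless config.keys.any? { |k| k.to_s.start_with?('ssl') }
      findings << 'remote database without SSL in the connection settings'
    end
  when :unknown
    findings << "host #{host} could not be classified; confirm it is only reachable on the local network"
  end
  findings
end
```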