You can use encryption (I believe that there is an option when installing SQL Server) although I'm not sure how strong it is. In theory you should be able to use a https connection as well using the http/xml api's but again I've not actually implemented this - only read about it. I'll try to look up the articles concerned and mail the URL's. Ben -----Original Message----- From: Steven Sporen [mailto:sporens@xxxxxxxxxxx] Sent: Wednesday, July 03, 2002 9:05 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: General Security Question http://www.ISAserver.org Data sent to the SQL server hosted on the net is unencrypted. Including your username and password. I would suggest configuring a VPN connection or a secure tunnel. There was also talk about a SQL worm which exploited the administrator account with "sa" no password. And there's a couple of buffer overflow problems related to in this case to SQL 2000. http://online.securityfocus.com/archive/1/277670 Hope this helps Regards Steven -----Original Message----- From: Jon Booth [mailto:jon@xxxxxxxxxxxxxx] Sent: 03 July 2002 08:41 To: [ISAserver.org Discussion List] Subject: [isalist] General Security Question http://www.ISAserver.org If I allow an outbound SQL Server connection to a specific trusted external address what possible security risks does this pose? Could someone please outline some no matter how paranoid. Being a security novice I often wonder about this (SQL being just an example) and would like some clarification. Thanks Jon ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sporens@xxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ben_snell@xxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')