This might be one to bounce off to BMC Support. BMC recommends that there are no network devices between the AR Server and the DB, therefore you "should" not need to encrypt the data. They focus on the communications between the Client and the AR Servers with their available encryption packages, as this is where the attacks usually occur, not from within:
That recommendation has to do with performance, right?
If you have a single network cable between your physical AR Server and its DB, there is no opportunity for sniffing data, and you need no encryption.
Best regards - Misi, RRR AB, http://rrr.se
Indeed, but it is still relevant in any setup, although we all know that in practice it hardly ever occurs. The more performance-degrading network devices between the Server and DB, the greater the delay.
The recommendation is to have them as close as possible, with no or few performance-degrading network devices in between, i.e. firewalls, routers, etc.
That said, I have seen AR Servers and DB in geographically different countries causing massive performance issues.
Doug has a great quote:
11-Jun-2008 06:32 in response to: pseagers
NEVER, NEVER, NEVER, NEVER (subtle enough) EVER put anything between the AR System and the database.
There is no problem with putting the AR System and the database on different machines -- and in fact in server group environments and when there are heavy loads on the database it is often beneficial to put the database on a separate machine than the AR System server.
However, it is critical that there is no firewall or ANY other block of any kind between the AR System server and the database.
Yes, the type of degradation you describe is definitely seen when there is a firewall. Remove that and you will find that the performance gets significantly better.
The highest volume of traffic anywhere in the system is between the AR System and the database. You need as fat a wire (as high volume) as possible with nothing to delay or interfere with traffic in any way.
ODBC is installed on the AR Server in order to talk to MS SQL, correct?
To encrypt all data transmitted between an application computer and a computer running an instance of SQL Server, SQL Server can use the Secure Sockets Layer (SSL). Before enabling SSL encryption, you must install a server certificate from a certification authority on the database computer, and the client must trust the same root certificate signing authority. For more information about SSL encryption, see Encrypting Connections to SQL Server.
The Shared Memory protocol can only be used to communicate with processes running on the same computer as SQL Server. It is enabled by default. Windows manages the security of shared memory. Of the Microsoft client network protocols, this is the most secure.
In the Web Application Assessment and Vulnerability Mitigation Tests document, there is this section about the data layer.
The Data layer consists of one or more databases, which perform data storage and retrieval functions. The AR System server connects to the Data layer using database client API libraries. The server can work with the database encryption libraries used to protect data that is transmitted between the server and database.
ARS uses the native SQL client to talk to SQL server, it does NOT use ODBC.
There is an encryption feature in the client that you can enable - see the link in the message above for details on how to configure this.
However, please note that there's a bug in the MS SQL code that means you have to be using SQL Server Windows 2008 R2 (for the AR Server) for this to work with Remedy.
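The posts above say to turn on the client-side encryption and point at the linked document for the configuration steps, but none of them shows how to confirm afterwards that the AR Server's sessions to SQL Server are in fact encrypted, or whether they even leave the box (the Shared Memory case quoted earlier). The T-SQL below is an added example, not code from any poster or from BMC; it runs on the SQL Server instance the AR Server talks to and needs the VIEW SERVER STATE permission. The AR Server hostname is an assumed placeholder.

```sql
-- Added example (not from the thread): report how each user session reached
-- this SQL Server instance and whether that connection is encrypted.
-- Requires VIEW SERVER STATE. @ArServerHost is a placeholder for the AR Server's
-- hostname; set it to NULL to list every client host.
DECLARE @ArServerHost sysname = N'ARSERVER01';  -- placeholder, not from the thread

-- First, the session running this script: useful when testing a freshly
-- configured client before pointing the AR Server at the instance.
SELECT  c.session_id,
        c.net_transport,   -- 'Shared memory', 'TCP', 'Named pipe', ...
        c.encrypt_option   -- 'TRUE' when SSL/TLS protects this connection
FROM    sys.dm_exec_connections AS c
WHERE   c.session_id = @@SPID;

-- Second, every user session, classified by how exposed its traffic is.
SELECT
    s.session_id,
    s.host_name,
    s.program_name,
    s.login_name,
    c.net_transport,
    c.client_net_address,
    c.encrypt_option,
    CASE
        -- Shared memory never touches a wire; Windows protects it (see the
        -- Microsoft text quoted above).
        WHEN c.net_transport = N'Shared memory' THEN N'local only, no network exposure'
        WHEN c.encrypt_option = N'TRUE'         THEN N'encrypted in transit'
        ELSE                                         N'CLEARTEXT over the network'
    END AS transport_assessment
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND (@ArServerHost IS NULL OR s.host_name = @ArServerHost)
ORDER BY transport_assessment, s.host_name, s.session_id;

-- Third, a one-line summary per client host: any row with cleartext_sessions > 0
-- on a host that is not the SQL Server itself is the case the thread is about.
SELECT
    s.host_name,
    COUNT(*) AS total_sessions,
    SUM(CASE WHEN c.net_transport <> N'Shared memory'
              AND c.encrypt_option <> N'TRUE' THEN 1 ELSE 0 END) AS cleartext_sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY s.host_name
ORDER BY cleartext_sessions DESC, s.host_name;
```

Run it once with the AR Server idle and once under load: the AR Server keeps a pool of database connections, and only a check over all of them tells you whether every connection (not just the first) honoured the encryption setting. If `encrypt_option` stays `FALSE` for TCP sessions after the client change, the server-side certificate or the client's trust of its issuing CA (the two prerequisites in the Microsoft text quoted above) is the first thing to revisit.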