Security concern between application server and database server

Think about the situation like this.... I have an application server, and a database server. An application will ask for database server information. The database server, of course, need a password. Also, having a SSL connection. Is it necessary to make the connection via a VPN networ开发者_如何学Gok ? Also, I am using RoR to develop, is there any way to protect database.yml ?? thank you.

"Standard" practice is to make sure the database server is not open to the internet at large. Ideally, the database should only permit connections from the app server - a connection on the local network, locked to a specific port and IP address. You don't really need SSL in this case as the environment is trusted.

Regardless of your framework or language, there is no real way to protect the database configuration on the app server outside of your normal access policies. Lock the server down, lock the database permissions as much as you can (restrict to SELECT UPDATE DELETE etc on specific tables as your use-cases permit.

Yes, what you are doing is absolutely correct. A VPN and an SSL connection are both creating a secure transport layer connection, and thus using both would be redundant. If your database is remote, even if its in the same data center, I would make sure to use an SSL connection. However, if the database is being hosted locally, then you don't need SSL.

In any case I would firewall off your database (tcp 3306 for mysql). You shouldn't have open ports like that to the world.