"If the concern is that there is a database call traversing a public, un-trusted network (Internet) a few things should be done, and even more could be done. First, the database server, especially an MS SQL server, should not be exposed to the Internet without a firewall in front of it. That firewall should have a default deny policy for both inbound and outbound and only authorized IPs should be allowed to communicate with the SQL server itself.
"For transport security, there are a couple options that spring to mind. The risk is that someone will sniff out the credentials and/or data while traversing the un-trusted network. First, an IPSec tunnel could be created between the application and database servers. This would effectively encrypt the communication thus preventing, or seriously hindering, any effort to view the data while in transit. Another option would be to create an SSH tunnel or even an SSL tunnel. This is usually less complicated but also less reliable. "The application is then set up to perform a database call against localhost. When received by localhost, it's automatically transported across the encrypted tunnel. The application doesn't know the difference."
This was first published in December 2004