A business application works with a SQL Server database. A SQL Server 2008 is installed on one of the computers of the local network. Technically this app works OK if the server computer with the SQL Server 2008 database collocated in the datacenter of the hosting provider and the database is reached over the Internet by an IP address of the server.
What are pros and cons of such an approach? What security considerations one should bear in mind when moving database to the Internet?
Exposing a security sensitive server on the internet is never a good idea. It does not really have any advantages but only disadvantages.
Since it has a public IP, everyone can scan your machine for old software. Exploit 0day vulnerabilities, (d)dos it, etc etc.
The best way to go here is to create a VPN or a VLAN such that all services are only accesible from within the VPN/VLAN. All your business apps can than access the database as long as their part of the VPN/VLAN.
Of course the downside is that you have to implement a vpn/vlan which I assume you dont have given the question. But from a security point of view it is the way to go.
The place I'm working at had a database on a public IP address. However there was a firewall in place that only permitted access from a very limited set of other IP addresses. As far as anyone else can tell, there's nothing at the other end of the address.
Technically it could be possible to spoof the IP addresses of a request, but it is hard to get responses in such a scenario (as they'd tend to go to the IP you are pretending to be). It MIGHT be enough for certain exploits for the DB. But it would require some inside knowledge of what IP addresses could talk to the server, and what the end software is.
It was secure enough and ran for several years without any issue, and they moved because of a shift to virtualisation rather than any security issue in the model.
As an aside, if you deploy stuff to Amazon AWS you have to cope with a similar model where security is by firewall settings rather than physical network.
