>If I understand the technology correctly,
> the data being sent through this connection
> will be completely "readable" by anyone
> with a packet sniffer.
Yep.

>I think that a VPN would be one answer,
> any others?
Depending on the protocol that you tell SQL Server to use, you can use some encryption that comes built-in in SQL Server.

Take a look at the client-side protocols that come with SQL Server. As far as I remember, there is one called "Multi-Protocol" that provides encryption. I have never used this protocol, but I did read about it long time ago when I was working on a remote application.

I am not completely sure about this, I believe you specify the protocol to use in the connection string. Depending on the connection string, SQL Server ODBC driver will use one or another DLL (DBNMPNTW.DLL, DBMSSOCN.DLL, DBMSRPC.DLL, among others.)