For a database application that communicates over its standard port, directly applying security refers to securing the communication channel used by the database itself. Since MySQL databases commonly use port 3306 for communication, adding SSL/TLS encryption to the database connection is the most direct and appropriate method of securing its traffic. SSL/TLS on the database server layer would ensure that the data is encrypted when sent over the network while still using port 3306. SSH tunneling is a secure method to transmit data, but it is better suited for situations where direct support for encryption is not available in the database software. Changing to a non-standard port does not provide encryption and is more of a security by obscurity practice. Using an IPSec VPN would encrypt all traffic between two points (such as between two sites), not specifically the database traffic unless it's the only service used.