Best Practices for external sensors

[<jonasb () alum rpi edu>]

I currently have a Snort infrastructure set up on my internal network
with several sensors managed via SnortCenter, logging to a centralized
MySQL DB. I am looking to deploy a sensor on our outside network (off of
a mirrored port on a switch). There are several firewalls with outside
interfaces on this switch. 

I'm trying to get an idea of the best/most secure way to funnel
alerts/logs back into the network to our centralized logging server. I
thought of some type of VPN tunnel inbound, but my concern is that if
the sensor were to be compromised, there would be a direct path into the
network. I obviously don't want to multi-home the sensor inside/outside.
Is my best bet just to open up SQL connectivity from this external
sensor to the inside DB on the firewall and stream the alerts that way?
If so, does anybody know of a way of any type of wrapper that would
encrypt these alerts?

Thanks
Brad