> Ah but...
>
> If the banks are accessible to both the Internet and Interac then the
> banks can be used to access Interac from the Internet....... Thus a
> connection from the internet to interac exists even if it isn't a
> direct connection.
>
> For Example
>
> When I buy something on Interac, it updates my account balance in
> real-time. When I do online banking, it updates my account balance in
> real-time. So both systems have access to my account balance at the bank
> in real-time. Therefore, there must be a connection to the database
> server from both the Internet and Interac Networks. If the database
> server is compromised from the internet, it can be used as a gateway to
> access the interac network.

Well, the webserver you access to update your account info at least has a connection to the database server, and there isn't anything wrong with that. However, if this database server is sitting on the wrong side of the firewall (i.e. on the internet, or in a DMZ) then that is a problem. Like Aaron was saying, no one should be able to interface with the database server directly. The network should be set up something like this:

<customer> ----> <internet> ----> <webserver in the dmz> ----> <firewall> -----> <database server>

In this setup, the bank's clients access the webpage that allows them to interact with their accounts. This machine is in the bank's DMZ and the firewall is set up to allow that webserver to access the database server that is inside the bank's network or LAN. This connection should also be encrypted.

It seems though that if the banks' SQL servers are getting compromised then it could mean that they don't have the database server behind the firewall; they have it in the DMZ with the webserver. That is a big no-no, and a great number of admins do it this way. If they didn't, then Slammer wouldn't have been able to run so wild for so long.

>
> --
> Mark Lane
> Hard Data Ltd.
> mailto:[EMAIL PROTECTED]
>
> Telephone: 01-780-456-9771
> FAX: 01-780-456-9772
>
> 11060 - 166 Avenue
> Edmonton, AB, Canada
> T5X 1Y3
>
> http://www.harddata.com/
> --> Ask me about our Affordable Alpha Systems! <--
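
Added example, not part of the original message: a small first-match rule evaluator that audits the layout described above, comparing a database server behind the firewall with one placed in the DMZ beside the webserver. All addresses, rule sets and function names are constructed for illustration; the ports are the standard Microsoft SQL Server ones (TCP 1433 and UDP 1434, the service Slammer spread through).

```python
import ipaddress

# Constructed sample addresses (assumptions, not from the original message).
INTERNET_HOST = "198.51.100.7"   # arbitrary outside client
WEB = "192.0.2.10"               # webserver in the DMZ
DB_LAN = "10.0.0.20"             # database server behind the firewall
DB_DMZ = "192.0.2.20"            # database server wrongly placed in the DMZ
# MS SQL listener and the resolution service that Slammer spread through.
SQL_PORTS = [("tcp", 1433), ("udp", 1434)]

# Ordered first-match rules: (action, source, destination, proto, port).
# None for proto or port means "any".
GOOD_RULES = [
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),      # customers -> web
    ("allow", "192.0.2.10/32", "10.0.0.20/32", "tcp", 1433),  # web -> database
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),
]
BAD_RULES = [
    ("allow", "0.0.0.0/0", "192.0.2.0/24", None, None),       # whole DMZ open
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),
]

def permitted(rules, src, dst, proto, port):
    """Return True if the first matching rule allows the flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rproto in (None, proto) and rport in (None, port)):
            return action == "allow"
    return False

def audit(rules, db):
    """List SQL ports on db that the outside host can reach directly."""
    findings = []
    for proto, port in SQL_PORTS:
        if permitted(rules, INTERNET_HOST, db, proto, port):
            findings.append((INTERNET_HOST, proto, port))
    return findings

if __name__ == "__main__":
    for name, rules, db in (("good", GOOD_RULES, DB_LAN),
                            ("bad", BAD_RULES, DB_DMZ)):
        print(name, "web->db ok:", permitted(rules, WEB, db, "tcp", 1433),
              "exposed:", audit(rules, db))
```

In the good layout the webserver still reaches the database on TCP 1433 while the audit returns no findings; in the bad layout both SQL ports are reported as reachable from outside.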
