At 12:56 PM 2/4/03, you wrote:
> I am sure they were behind firewalls but just with ports 1433 and 1434 open so the webservers can access them. Which is completely dumb but very common. What they probably haven't done is use a VPN or separate network to talk to the database server so that only the webserver can talk to the MS-SQL database, or they are running MS-SQL right on the webserver. Man, even if their DMZ firewall blocked the MS-SQL ports (1433 & 1434) like you suggested, this wouldn't have happened.
>
> > Ah but...
> >
> > > If the banks are accessible to both the Internet and Interac then the banks can be used to access Interac from the Internet....... Thus a connection from the internet to interac exists even if it isn't a direct connection.
> > >
> > > For example
> > >
> > > When I buy something on Interac, it updates my account balance in real-time. When I do online banking, it updates my account balance in real-time. So both systems have access to my account balance at the bank in real-time. Therefore, there must be a connection to the database server from both the Internet and Interac networks. If the database server is compromised from the internet, it can be used as a gateway to access the Interac network.

Well, the webserver you access to update your account info at least has a connection to the database server, and there isn't anything wrong with that. However, if this database server is sitting on the wrong side of the firewall (i.e. on the internet, or in a DMZ) then that is a problem. Like Aaron was saying, no one should be able to interface with the database server directly. The network should be set up something like this:

<customer> ----> <internet> ----> <webserver in the dmz> ----> <firewall> -----> <database server>

In this setup, the bank's clients access the webpage that allows them to interact with their accounts. This machine is in the bank's DMZ and the firewall is set up to allow that webserver to access the database server that is inside the bank's network or LAN.
This connection should also be encrypted. It seems, though, that if the banks' SQL servers are getting compromised then it could mean that they don't have the database server behind the firewall; they have it in the DMZ with the webserver. That is a big no-no, and a great number of admins do it this way. If they didn't, then Slammer wouldn't have been able to run so wild for so long.
I would hope the Air Traffic Control System is much better protected...
--
Mark Lane
Hard Data Ltd.
mailto:[EMAIL PROTECTED]
Telephone: 01-780-456-9771
FAX: 01-780-456-9772
11060 - 166 Avenue
Edmonton, AB, Canada
T5X 1Y3
http://www.harddata.com/
--> Ask me about our Affordable Alpha Systems! <--
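The two layouts argued over in the thread (database beside the webserver in the DMZ versus database behind the inner firewall, reachable only from the webserver) can be checked mechanically against a firewall rule set. The following is an added example, not code from the thread or from Hard Data; the addresses are constructed placeholders from the RFC 5737 documentation ranges, and the `Rule`/`audit` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# MS-SQL ports the thread talks about: 1433/tcp (database engine) and
# 1434/udp (SQL Server Resolution Service, the port Slammer abused).
MSSQL_PORTS: List[Tuple[str, int]] = [("tcp", 1433), ("udp", 1434)]

# Constructed placeholder addresses (documentation ranges, not real hosts).
OUTSIDE = "198.51.100.7"   # any customer, or attacker, on the Internet
DMZ_NET = "192.0.2.0/24"
WEBSERVER = "192.0.2.10"
DB_IN_DMZ = "192.0.2.20"   # weak layout: database sits beside the webserver
DB_IN_LAN = "10.0.0.20"    # hardened layout: database behind the inner firewall


@dataclass(frozen=True)
class Rule:
    """One stateless firewall rule; first match wins, unmatched traffic is denied."""
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (
            ip_address(src) in ip_network(self.src, strict=False)
            and ip_address(dst) in ip_network(self.dst, strict=False)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )


def decide(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Evaluate a flow against the rule list: first match wins, default deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule], webserver: str, database: str, outside: str = OUTSIDE) -> dict:
    """Report which MS-SQL ports an outside host can reach on the database, and
    whether the webserver keeps the one path it legitimately needs (1433/tcp)."""
    exposed = [(proto, port) for proto, port in MSSQL_PORTS
               if decide(rules, outside, database, proto, port) == "allow"]
    return {
        "exposed": exposed,
        "webserver_ok": decide(rules, webserver, database, "tcp", 1433) == "allow",
    }


# Weak layout: the whole DMZ is opened to the Internet on the MS-SQL ports
# "so the webservers can access them"; every Internet host gets the same access.
WEAK_RULES = [
    Rule("0.0.0.0/0", DMZ_NET, "tcp", 443, "allow"),
    Rule("0.0.0.0/0", DMZ_NET, "tcp", 1433, "allow"),
    Rule("0.0.0.0/0", DMZ_NET, "udp", 1434, "allow"),
]

# Hardened layout: the Internet reaches only the webserver on 443; only the
# webserver may cross the inner firewall, and only to 1433/tcp. UDP 1434 is
# instance discovery and is not needed when the application uses a fixed port.
HARDENED_RULES = [
    Rule("0.0.0.0/0", WEBSERVER + "/32", "tcp", 443, "allow"),
    Rule(WEBSERVER + "/32", DB_IN_LAN + "/32", "tcp", 1433, "allow"),
    Rule("0.0.0.0/0", DB_IN_LAN + "/32", "any", None, "deny"),
]


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_RULES, WEBSERVER, DB_IN_DMZ))
    print("hardened:", audit(HARDENED_RULES, WEBSERVER, DB_IN_LAN))
```

The weak rule set reports both MS-SQL ports reachable from the outside address, which is exactly the exposure a worm on 1434/udp needs; the hardened set reports nothing exposed while the webserver still gets its 1433/tcp path. The same `audit` can be run against an exported rule list to confirm that only the web tier, and not the DMZ as a whole, is permitted through to the database.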
