firebird-support - Re: [firebird-support] Re: Users and DB access with FB on web server

Subject	Re: [firebird-support] Re: Users and DB access with FB on web server
Author	Martijn Tonies
Post date	2005-01-20T12:58:48Z

> > I'd suggest the ISP *not* to do this. It opens a hole in security since
> > Firebird's protocol goes unencrypted.
> >
> > Could you elaborate on the hole that is opened? for many years I
> > have used direct connection over
> > internet without (*touch wood*) a problem to date.
> >
> > That said I can see the benefit of Zebedee (or similar products)
> > but I should imagine it will be an
> > optional extra from ISP's rather than the norm. I'm not aware of
> > many ISP's who use this type of
> > method for remote access to FB, IB, MySQL or SQL Server.
> >
>
> In theory - all you need is to be sniffing the TCP traffic to see SYSDBA

and

> masterkey in clear text floating past.
> Sniffers are usually set to catch words like USERNAME or UNAME etc as well
> as PWORD PASSWORD etc. So as soon as these trigger, the sniffer can log
> surrounding traffic stream to ensure they have both username, password and
> IP adress, port etc to which the traffic was directed.
> I too have been using IB and FB for years but I very rarely connect to the
> database directly. I think our current safety level has been a matter of
> "who has been interested in Port 3050 traffic?". Hackers would rather 4328
> or whatever SQL runs on.. or the Oracle port maybe? After all - they still
> have a lot of time and effort to expend once they has the uname and
> password.
> At least with zebedee would eliminate the clear text from the comms

stream.

> But times will change and when FB becomes more and more popular, we will
> finally see someone who wishes nothing but ill to those who use it.
> One more point... it is even safer to have the DB Server (and thus DB)

which

> a webserver connects to, behind a firewall where only the webserver can

see

> it.

All valid comments - I would like to add some...

MySQL, for example, can allow connections (per user) only from certain
IP(s). This would make connection from a rogue user to your server much
harder. It also allows SSL connections.

I know Firebird 3 is supposed to solve some (if not all) of the security
problems, but at least this gives an idea on how others handle this.

With regards,

Martijn Tonies
Database Workbench - developer tool for InterBase, Firebird, MySQL & MS SQL
Server
Upscene Productions
http://www.upscene.com