WebApp Sec mailing list archives

How to secure database server and others


From: "Leung, Annie LDB:EX" <annie.leung () bcliquorstores com>
Date: Mon, 9 Aug 2004 11:41:29 -0700


Here is a scenario. Any input to threats and security are welcome.

The web/application server is run by an ISP (outsider). The database supporting
the web application is in a database server (not a SQL server) running
in-house. The traffic between the web/application server and database server
bypasses the firewall. There may be ACL rules in the router allowing
traffic between the web server and database server. There are other
databases on this database server. Internally, there is another client
program that accesses another database (in another server) which has a database
link to this web application database.

What could a hacker do if the web/application server were intruded and/or
hijacked? Would it be typical for the hacker to probe the next system
in the network (i.e. the database server)? If there is not much valuable information
(such as connection passwords to legacy systems, which are encrypted), would the
hacker simply launch a DoS attack against the database server? What else would
the hacker do? Or, what else can the hacker do?

Would it be better to have a database server just for the web
application, with no other databases on it?

I know that this is a poor scenario. But I believe this would be a common
pattern for some small firms who start their web applications without too
much thought about Internet threats.

Thanks in advance,
 
Annie
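One way to reason about the post's main question (what a compromised web/application server can reach, and whether a dedicated database server helps) is to model the topology as a reachability graph and compute the blast radius from the web tier. The following is an added example, not code from the original post or from the poster's environment; the host names, services and ACL entries are constructed assumptions, and the database link is modelled as one-directional (legacy database to web application database), which a real review would need to confirm.

```python
from collections import deque

# Constructed model of the topology described in the post. Each entry is
# (source, destination, how the path is allowed). Host names are assumptions.
SHARED_DB_SERVER = [
    ("web_app_at_isp", "db_server", "router ACL, bypasses firewall"),
    ("db_server", "web_app_db", "database hosted here"),
    ("db_server", "other_dbs", "database hosted here"),   # co-hosted with the web DB
    ("legacy_db", "web_app_db", "database link"),          # assumed one-directional
    ("internal_client", "legacy_db", "client connection"),
]

# Same topology, but the web application gets its own database server
# with no other databases on it.
DEDICATED_DB_SERVER = [
    ("web_app_at_isp", "web_db_server", "router ACL, bypasses firewall"),
    ("web_db_server", "web_app_db", "database hosted here"),
    ("db_server", "other_dbs", "database hosted here"),
    ("legacy_db", "web_app_db", "database link"),
    ("internal_client", "legacy_db", "client connection"),
]

# Data assets whose exposure we care about.
ASSETS = {"web_app_db", "other_dbs", "legacy_db"}


def blast_radius(edges, start):
    """Breadth-first search over allowed paths.

    Returns {node: path} for every node an attacker who controls `start`
    can reach; `path` is the list of (node, how) hops used to get there.
    """
    adj = {}
    for src, dst, how in edges:
        adj.setdefault(src, []).append((dst, how))
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, how in adj.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [(nxt, how)]
                queue.append(nxt)
    return paths


def exposed(edges, start, assets=ASSETS):
    """Sorted list of the assets reachable from `start`."""
    return sorted(a for a in blast_radius(edges, start) if a in assets)


def unfiltered_hops(edges, start):
    """Hops on reachable paths that bypass the firewall: the firewall will
    neither inspect nor log them, so detection has to happen on the router
    or on the database server itself."""
    hops = set()
    for path in blast_radius(edges, start).values():
        for node, how in path:
            if "bypasses firewall" in how:
                hops.add((node, how))
    return sorted(hops)


if __name__ == "__main__":
    for name, design in (("shared", SHARED_DB_SERVER), ("dedicated", DEDICATED_DB_SERVER)):
        print(f"{name}: exposed assets {exposed(design, 'web_app_at_isp')}")
        for node, path in blast_radius(design, "web_app_at_isp").items():
            print(f"  {node}: {' -> '.join(h for _, h in path) or 'start'}")
        print(f"  unfiltered hops: {unfiltered_hops(design, 'web_app_at_isp')}")
```

In the shared design the co-hosted databases sit inside the blast radius of the web tier purely because they share a server with the web application database; in the dedicated design only the web application database is reachable, which is the answer to the poster's second question. The `unfiltered_hops` output is the list of connections that a firewall-based IDS would never see, so logging for them has to come from the router ACL or the database listener.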

