Re: DMZ on Pix

jangeja · ‎01-03-2002

I want to put a Citrix terminal server on my dmz that from there will have access to a MSSQL database on the inside network. My question is why is this neccessary? Is not this the same as putting the Citrix on the inside network and just setting up 1 static and 1 ACL for the relative ports. I realize the DMZ is more secure than the internal network but when I open the ports and set up a static from the dmz to the inside it seems that I am just essesntially adding one more step and more statics to manage. Can someone please elaborate alittle more on this.

Thanks Joe

sampathsr · ‎01-04-2002

1. DMZ is less secure than the inside network. That is the concept of DMZ.

2. The reason why you want to put your Citrix server on the DMZ and the MSSQL server on the inside network is that, if somebody breaks into the citrix server and hence the DMZ, your SQL database is still safe.

3. Throguh the firewall, you only open ports so that ONLY the citrix machine can access the SQL server. host to host and only required ports.

Hope this helps.

thompson · ‎01-06-2002

The reason is that traffic will be required to pass through 2 firewall rulesets (called the layer seperatred model). One to access the Citrix box and one for the citrix box to connect to the SQL server. Direct access to your local LAN means that if the Citrix box is owned, a potential attacker has access to your entire internal network. It is not essential to do this but is a good security practice