I understand the importance and necessity of a DMZ and the benefits it provides, e.g. separating publicly accessible systems and protecting internal systems from public traffic by creating trusted vs. untrusted segments and controlling traffic access between them.
What I don't understand in relation to our environment is this:
We have www systems in the DMZ. They run a custom ASP.NET/AJAX app that interacts heavily with a SQL 2005 DB, which sits in the trusted segment behind the firewall, where the only traffic allowed to it is from the DMZ segment.
Now if we already have the necessary ports open for communication, e.g. 80, 1433, then even with the DMZ, what is to keep an intruder off the private segment if (s)he haXorz the www systems? Since the ports are already open, wouldn't it be fairly easy to just gain access to the DB systems then? A coworker was saying that once you were on the www system you could just drop some custom ASP code that would get you onto the DB system anyway.
I know industry practice is to separate this traffic, especially in environments where critical data integrity is imperative (banks, healthcare, government), but I am just trying to ascertain here, aside from the high-level security benefits, what the DMZ is really buying us.
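The firewall only decides that the www hosts may reach the DB host on 1433; what a compromised www host can then do over that channel is decided by the rights of the SQL account the application connects with. The following is an added example, not code from the original post, showing how that account would be scoped on SQL Server 2005 so that the DMZ boundary is backed by least privilege on the database side. The database name `AppDb`, the schema `app`, the table `dbo.Customers`, and the login `webapp_svc` are assumed placeholders.

```sql
-- Added example (not from the original post): least-privilege SQL Server 2005
-- login for the DMZ web tier. AppDb, schema app, dbo.Customers and webapp_svc
-- are assumed names; replace the password placeholder before use.
USE master;
GO
-- The only credential the web tier holds for the trusted segment. Anything
-- running on a compromised www host (including dropped ASP code) can reuse it
-- over the open 1433 path, so its rights are the blast radius.
CREATE LOGIN webapp_svc WITH PASSWORD = '<strong-password-placeholder>',
    CHECK_POLICY = ON;
GO
-- Confirm the login is not a server administrator (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_svc') AS is_sysadmin;
GO
USE AppDb;
GO
CREATE USER webapp_svc FOR LOGIN webapp_svc WITH DEFAULT_SCHEMA = app;
GO
-- Role that may only run the application's stored procedures. Table access
-- happens inside the procedures via ownership chaining, so the web tier never
-- receives direct SELECT/INSERT/UPDATE/DELETE rights on the data.
CREATE ROLE app_exec AUTHORIZATION dbo;
GRANT EXECUTE ON SCHEMA::app TO app_exec;
-- SQL 2005 syntax; ALTER ROLE ... ADD MEMBER only exists from SQL 2012 on.
EXEC sp_addrolemember 'app_exec', 'webapp_svc';
GO
-- Verify from the application's point of view: EXECUTE on the app schema,
-- and no permissions at all on a table in dbo.
EXECUTE AS USER = 'webapp_svc';
SELECT permission_name FROM fn_my_permissions('app', 'SCHEMA');           -- EXECUTE
SELECT permission_name FROM fn_my_permissions('dbo.Customers', 'OBJECT'); -- empty
REVERT;
GO
-- Finally confirm that OS command execution from inside the engine stays off
-- (SQL 2005 default); run_value should be 0.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
GO
```

The point of the check at the end is the same as the DMZ itself: each boundary limits how far a foothold on the www tier can travel. The firewall confines it to one port on one host, the application login confines it to the stored procedures the app legitimately calls, and the engine configuration keeps the database host from becoming a launch point toward the rest of the trusted segment. Without the DMZ, a compromised web server would be sitting on the same network as the DB host, domain controllers and file servers with no such choke point at all.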