We placed a jump server in the CDE to restrict direct access to PCI in-scope devices (although I believe it should be outside the CDE; please confirm).
Now, we have opened SQL port 1433 and the application ports from the jump server to the prod host in the CDE. If we allow them to run queries from the jump server itself instead of requiring them to log in to the database server and run the query there, what's the point of having a jump server?
In my opinion, we should access the jump server and then RDP / SSH into the protected server instead of opening the application and database ports, because by opening the ports we have extended the original server to the jump server, virtually leaving no difference between the jump server and the protected server.
What are the best practices around this?
I understand there is no one-size-fits-all answer, but if there are some good do's and don'ts, please suggest them, and please say whether opening 1433 from the jump server to a critical asset is a good idea.