A public web server must be isolated in the enclave.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2242	WA060 A22	SV-32932r1_rule	EBPW-1 ECIC-1	Medium

Description
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publically based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DMZ environment with carefully controlled access. Failure to isolate resources in this way increase risk that private assets are exposed to attacks from public sources.

Description

To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publically based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DMZ environment with carefully controlled access. Failure to isolate resources in this way increase risk that private assets are exposed to attacks from public sources.

STIG	Date
APACHE SERVER 2.2 for Unix	2014-04-03

Details

Check Text ( C-33625r1_chk )
Interview the SA, or web administrator to see where the public web server is logically located on the site’s LAN. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. A public web server must be located in a DMZ as a subnet isolated from internal LANs. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in accordance with the DoD Enclave and Internet-NIPRNet DMZ STIGs, this is a finding.

Check Text ( C-33625r1_chk )

Interview the SA, or web administrator to see where the public web server is logically located on the site’s LAN. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. A public web server must be located in a DMZ as a subnet isolated from internal LANs. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in accordance with the DoD Enclave and Internet-NIPRNet DMZ STIGs, this is a finding.

Fix Text (F-29264r1_fix)
Relocate the public web servers to be isolated from internal systems. In addition, ensure the public web servers do not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) or isolated separate public enclave (subnet).