
The firewall implementation must protect server VLAN(s) by controlling the flow of information originating from one server farm segment destined for another server farm segment.


Overview

Finding ID: SRG-NET-000018-FW-000207
Version: SRG-NET-000018-FW-000207
Rule ID: SRG-NET-000018-FW-000207_rule
IA Controls:
Severity: Medium
Description
The intent of this requirement is to protect servers on a VLAN from a server on another segment that has been compromised by an intruder. If the server farm segments are not protected from one another, a compromised server can be used as an attack source within the enclave. Protecting one client's data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering, and content filtering at the server farm entry point. Restricting traffic by protocol, source, and destination via filters is one option; however, additional security practices, such as content filtering, are also required.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000018-FW-000207_chk)
Review the firewall protecting the server farm. Each VLAN configuration should have a filter that secures the servers located on that VLAN segment. Identify the source IP addresses that have access to the servers and verify with the System Administrator that each of those privileges is intended. The filter should be in a deny-by-default posture.

If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the servers, review the VLAN definition on the L3 switch. If there is no ACL that restricts traffic between VLANs, this is a finding.
Fix Text (F-SRG-NET-000018-FW-000207_fix)
Configure the firewall/ACL to restrict traffic between VLANs to only permit authorized traffic.
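The check text above asks the reviewer to confirm that an inter-VLAN filter exists, that it ends in a deny-by-default posture, and that every permitted source is one the System Administrator has authorized. The following audit script is an added example written for this page, not part of the STIG; it assumes the ACL is expressed in Cisco IOS-style extended ACL syntax, uses a constructed sample ACL with one deliberate defect, and stands in the constructed APPROVED_SOURCES list for the SA's confirmation.

```python
"""Audit an inter-VLAN ACL for the deny-by-default posture in the check text.
Added example, not STIG code; IOS-style ACL syntax and APPROVED_SOURCES are assumptions."""
import ipaddress
import re
# Constructed sample ACL applied between two server-farm VLAN segments.
SAMPLE_ACL = [
    "permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 1433",
    "permit tcp host 10.1.10.7 10.1.20.0 0.0.0.255 eq 443",
    "permit ip any any",  # the defect the audit should flag
    "deny ip any any",
]
# Constructed: source networks the System Administrator has authorized.
APPROVED_SOURCES = [ipaddress.ip_network("10.1.10.0/24")]

_ADDR = r"(?:host \S+|any|\S+ \S+)"  # host A.B.C.D | any | A.B.C.D WILDCARD
_ACE = re.compile(rf"^(permit|deny)\s+(\S+)\s+({_ADDR})\s+({_ADDR})(?:\s+eq\s+(\S+))?$")

def parse_addr(token):
    """Convert an IOS address token to an ip_network (wildcard mask -> prefix)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # invert the wildcard
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)

def audit_acl(acl_lines, approved):
    """Return a list of findings; an empty list means the ACL is compliant."""
    findings, entries = [], []
    for line in acl_lines:
        line = line.strip()
        if not line or line.startswith(("remark", "!")):
            continue  # comments carry no filtering semantics
        m = _ACE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        action, proto, src, dst, port = m.groups()
        entries.append((action, proto, parse_addr(src), parse_addr(dst), port))
    if not entries:
        return ["no ACL restricts traffic between the VLANs"]
    for action, proto, src, dst, _port in entries:
        if action == "permit" and src.prefixlen == 0:
            findings.append(f"permit {proto} from any source to {dst} defeats deny-by-default")
        elif action == "permit" and not any(src.subnet_of(net) for net in approved):
            findings.append(f"permit from source {src} not on the approved list")
    action, proto, src, dst, _port = entries[-1]
    if not (action == "deny" and proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0):
        findings.append("ACL lacks an explicit final 'deny ip any any'")
    return findings
```

IOS applies an implicit deny at the end of every ACL, but the audit requires an explicit final deny so the posture is visible in the configuration being reviewed.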