The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-18525 | NET-SRVFRM-005 | SV-20064r1_rule | Medium |
| Description |
|---|
| Most current applications are deployed as a multi-tier architecture. The multi-tier model uses separate server machines to provide the different functions of presentation, business logic, and database. Multi-tier server farms provide added security because a compromised web server does not provide direct access to the application itself or to the database. The multi-tier separation is accomplished in several architectures, by a layer 2 switch, by a layer3 switch/router or by a firewall located at the server farm. Using the firewall implementation is the most secure method and is the only approved DoD architecture. Firewalls get packets from VLAN-supporting switches complete with 802.1Q tags in their headers. What the VLAN-aware firewall can do is extract the tags and use the information within the tags to make policy-based security decisions. |
| STIG | Date |
|---|---|
| Firewall Security Technical Implementation Guide - Cisco | 2017-12-07 |
Details
| Check Text ( C-21300r1_chk ) |
|---|
| Identify the VLAN IP subnet and determine if the subnet passes content inspect by a firewall capable on content inspection. |
| Fix Text (F-19128r1_fix) |
|---|
| Configure the firewall to inspect traffic content to and from the server farm. |