Details

Protecting data sitting in a server VLAN is necessary and can be accomplished using access control lists on VLANs provisioned for servers. Without proper access control of traffic entering or leaving the server VLAN, potential threats such as a denial of service, data corruption, or theft could occur, resulting in the inability to complete mission requirements by authorized users.

NOTE: This check requires a manual review. Determine if the detected VLAN interface on your device is being utilized to segment and protect servers. If so, ensure that an ACL has been applied and designed to only allow authorized traffic and to deny everything else by default.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.ziphttps://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.zip

This control applies to the following type of system Cisco.

References

• CAT|II
• Rule-ID|SV-20061r2_rule
• STIG-ID|NET-SRVFRM-003
• Vuln-ID|V-18522

Source

• Tenable.com/audits