Details

The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.

ACLs on VLAN interfaces do not protect against compromised servers. The Server farm vlans need to protect the servers located on one subnet from servers located on another subnet. Protecting a client’s data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the Server Farm entry point. Restricting protocol, source and destination traffic via filters is an option; however additional security practices such as content filtering are required.

The Server farm private vlans need to protect the servers located on one subnet from servers located on another subnet.

Solution

Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder.

NOTE: Nessus did not detect any configured VLAN interfaces. Therefore, this check is not required.

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.ziphttps://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.zip

This control applies to the following type of system Cisco.

References

• CAT|II
• Rule-ID|SV-20062r1_rule
• STIG-ID|NET-SRVFRM-004
• Vuln-ID|V-18523

Source

• Tenable.com/audits