Details

The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.

Most current applications are deployed as a multi-tier architecture. The multi-tier model uses separate server machines to provide the different functions of presentation, business logic, and database.

Multi-tier server farms provide added security because a compromised web server does not provide direct access to the application itself or to the database.

The multi-tier separation is accomplished in several architectures, by a layer 2 switch, by a layer3 switch/router or by a firewall located at the server farm. Using the firewall implementation is the most secure method and is the only approved DoD architecture.

Firewalls get packets from VLAN-supporting switches complete with 802.1Q tags in their headers. What the VLAN-aware firewall can do is extract the tags and use the information within the tags to make policy-based security decisions.

NOTE: Nessus did not detect any configured VLAN interfaces. Therefore, this check is not required.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the firewall to inspect traffic content to and from the server farm.

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.ziphttps://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R25_STIG.zip

This control applies to the following type of system Cisco.

References

• CAT|II
• Rule-ID|SV-20064r1_rule
• STIG-ID|NET-SRVFRM-005
• Vuln-ID|V-18525

Source

• Tenable.com/audits