STIGQter: STIG Summary: Infrastructure L3 Switch Security Technical Implementation Guide Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.

DISA Rule

SV-20062r1_rule

Vulnerability Number

V-18523

Group Title

ACLs do not protect against compromised servers

Rule Version

NET-SRVFRM-004

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the filter and ensure that access from other server segments is denied unless it is necessary for application operation. The intent of the policy is to protect servers from a neighboring server that an intruder has already compromised.

Check Contents

Review the firewall protecting the server farm. Each VLAN configuration should carry a filter that secures the servers located on that VLAN segment. Identify the source IP addresses that have access to the servers and verify with the SA that each source has only the access intended. The filter should be in a deny-by-default posture.

If the filter is not defined on the firewall and the architecture places a layer 3 switch between the firewall and the servers, then review the VLAN definition on the L3 switch.
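The fix recommendation and the check above both come down to one audit: for every server-farm VLAN interface, is there a filter, and does it deny traffic to the other server-farm segments unless a specific application flow is permitted? The script below performs that audit over an exported configuration. It is an added example, not part of the STIG or of STIGQter. It assumes Cisco IOS-style syntax, that server-farm SVIs are marked with the string SERVER-FARM in their description (a convention chosen for the example), and that the filter is an extended ACL applied inbound on each server-farm SVI, so that it governs what that segment's servers may send to the others. The embedded configuration, the ACL names WEB-SEG-IN and DB-SEG-IN, and the functions audit, parse_config and parse_ace are all constructed for this example.

```python
"""Audit an IOS-style L3 switch config for NET-SRVFRM-004 (added example). Assumed
model: each server-farm segment is an SVI tagged SERVER-FARM in its description and
filtered by an extended ACL applied inbound, governing what its servers may send."""
import ipaddress

SERVER_FARM_TAG = "SERVER-FARM"                    # assumed description convention
PORT_KEYWORDS = {"eq", "neq", "gt", "lt", "range"}

# Constructed sample configuration; not taken from any real device.
SAMPLE_CONFIG = """
ip access-list extended WEB-SEG-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 8443
 permit udp 10.10.10.0 0.0.0.255 host 10.50.1.53 eq 53
 deny ip any any log
!
ip access-list extended DB-SEG-IN
 permit ip 10.10.30.0 0.0.0.255 any
!
interface Vlan10
 description SERVER-FARM web tier
 ip address 10.10.10.1 255.255.255.0
 ip access-group WEB-SEG-IN in
!
interface Vlan20
 description SERVER-FARM app tier
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan30
 description SERVER-FARM db tier
 ip address 10.10.30.1 255.255.255.0
 ip access-group DB-SEG-IN in
!
"""

def _addr(toks, i):
    """Consume one IOS address spec at toks[i] ('any', 'host A' or 'A wildcard')."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, mask = (toks[i + 1], "32") if toks[i] == "host" else (toks[i], toks[i + 1])
    # ipaddress accepts an IOS wildcard (hostmask) in place of a prefix length
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [port] <dst> [qualifiers]' into a dict."""
    toks = line.split()
    src, i = _addr(toks, 2)
    if toks[i] in PORT_KEYWORDS:                   # optional source-port qualifier
        i += 3 if toks[i] == "range" else 2
    dst, i = _addr(toks, i)
    return {"action": toks[0], "proto": toks[1], "src": src, "dst": dst,
            "qualifiers": toks[i:], "text": line.strip()}

def parse_config(text):
    """Return (acls, svis): ACL name -> ACE list, SVI name -> description/net/ACL."""
    acls, svis, current = {}, {}, (None, None)
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "!":
            current = (None, None)
            continue
        if toks[:3] == ["ip", "access-list", "extended"]:
            current, acls[toks[3]] = ("acl", toks[3]), []
            continue
        if toks[0] == "interface" and toks[1].startswith("Vlan"):
            current, svis[toks[1]] = ("svi", toks[1]), {"desc": "", "net": None, "acl_in": None}
            continue
        kind, name = current
        if kind == "acl" and toks[0] in ("permit", "deny"):
            acls[name].append(parse_ace(raw))
        elif kind == "svi" and toks[0] == "description":
            svis[name]["desc"] = " ".join(toks[1:])
        elif kind == "svi" and toks[:2] == ["ip", "address"]:
            svis[name]["net"] = ipaddress.ip_interface(f"{toks[2]}/{toks[3]}").network
        elif kind == "svi" and toks[:2] == ["ip", "access-group"] and toks[-1] == "in":
            svis[name]["acl_in"] = toks[2]
    return acls, svis

def audit(text):
    """Return [(svi, finding), ...]; an empty list means every segment complies."""
    acls, svis = parse_config(text)
    farm = {n: s for n, s in svis.items() if SERVER_FARM_TAG in s["desc"] and s["net"]}
    findings = []
    for name, svi in farm.items():
        others = [o["net"] for n, o in farm.items() if n != name]
        if svi["acl_in"] not in acls:
            findings.append((name, "no inbound ACL: other server segments reachable without restriction"))
            continue
        for ace in acls[svi["acl_in"]]:
            # 'permit ip' or a port-less tcp/udp/icmp permit lets a compromised server roam the farm
            restricted = ace["proto"] != "ip" and bool(PORT_KEYWORDS & set(ace["qualifiers"]))
            exposed = [str(o) for o in others if ace["dst"].overlaps(o)]
            if ace["action"] == "permit" and exposed and not restricted:
                findings.append((name, f"{ace['text']!r} permits unrestricted access to "
                                       f"server-farm segment(s) {', '.join(exposed)}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the sample, WEB-SEG-IN on Vlan10 is the intended posture: one narrow permit to the app tier, one permit to a DNS host outside the farm, and an explicit `deny ip any any log` so that attempts by a compromised web server to reach other segments are visible. Vlan20 fails because no ACL is applied at all, and Vlan30 fails because `permit ip 10.10.30.0 0.0.0.255 any` lets the database tier reach every other segment. IOS ACLs end with an implicit deny, so an ACL that exists and contains no permit toward other segments is already deny-by-default; the explicit deny is for logging, not for enforcement. The same architecture can be filtered with an outbound ACL on the destination SVI instead; in that case change the `toks[-1] == "in"` test and evaluate the source rather than the destination of each permit.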

Vulnerability Number

V-18523

Documentable

False

Rule Version

NET-SRVFRM-004

Severity Override Guidance

Review the firewall protecting the server farm. Each VLAN configuration should carry a filter that secures the servers located on that VLAN segment. Identify the source IP addresses that have access to the servers and verify with the SA that each source has only the access intended. The filter should be in a deny-by-default posture.

If the filter is not defined on the firewall and the architecture places a layer 3 switch between the firewall and the servers, then review the VLAN definition on the L3 switch.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

513

Comments