This check verifies that the private web server is located on a separate controlled access subnet and is not a part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN.
What devices (e.g., router, switch, or firewall) lie between the web server and Internet connectivity?
Is the private web server on a separate subnet?
Is the private web server on a LAN with servers and workstations dedicated to functions not intended for public access?
If the web server is not located inside the premise router, switch, or firewall, or is not isolated via a controlled access mechanism from the general population LAN, this is a finding. Either condition alone is sufficient: a private web server sitting in the public DMZ, or one sharing a flat subnet with user workstations, fails the check regardless of the other.