The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.


Overview

Finding ID: V-19687
Version: APP6280
Rule ID: SV-21828r1_rule
IA Controls: DCPA-1
Severity: High
Description
Web servers should be on logically separated network segments from the application and database servers in order to provide different levels and types of defenses for each type of server. Failure to comply would result in an immediate loss of confidentiality. This requirement was added to this STIG at the request of the DoD DMZ PM. The goal is to ensure this requirement is addressed as the application is being developed. This requirement and its severity were previously approved by the DSAWG in the Internet-NIPRNet DoD DMZ Increment 1, Phase 1 STIG. The severity applies to any vulnerability associated with a DoD information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of confidentiality, availability or integrity of the system-associated data.
STIG: Application Security and Development STIG
Date: 2014-04-03

Details

Check Text (C-24084r1_chk)
Ask the application representative for a network diagram. Review the network diagram for web servers/web services, web application servers, and database servers. If the application is a tiered web application located in the DoD DMZ and is available to the Internet, verify web servers are on logically separate network segments from the application and database servers.

If the application is a tiered web application containing different data types, the application must have physically separate network connections, operating systems and application instances for each data type in the web tier when the application is available to the Internet.

This check does not apply to SIPRNet DMZs or applications that are not available to the Internet.

1) In a tiered DMZ web application with similar data types, if the web server is not on a logically separate network segment from the application and database servers and the application is available to the Internet, it is a finding.

*Note: Physically separate networks require distinct physical network devices for connections (e.g., two separate switches or two separate routers).
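The logical-separation part of this check can be run against a host inventory instead of a paper diagram. The following is an added example, not part of the STIG or STIG Viewer; the host inventory, tier labels and function names are constructed for illustration, and a "segment" is modelled as the IP subnet a host sits on.

```python
"""Automated form of the APP6280 logical-separation check (hypothetical):
flag any web-tier host that shares a network segment with an
application- or database-tier host. Per the check text, it only applies
to tiered web applications that are available to the Internet."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    tier: str      # "web", "app" or "db"
    address: str   # IP address of the host
    segment: str   # CIDR of the logical network segment the host is on


def applies(tiered: bool, internet_facing: bool) -> bool:
    """The check is not applicable to non-tiered or non-Internet-facing apps."""
    return tiered and internet_facing


def segment_of(host: Host):
    """Validate that the host's address really lies in its declared segment."""
    net = ipaddress.ip_network(host.segment, strict=True)
    if ipaddress.ip_address(host.address) not in net:
        raise ValueError(f"{host.name}: {host.address} not in {host.segment}")
    return net


def find_segmentation_findings(hosts, tiered=True, internet_facing=True):
    """Return sorted (web_host, backend_host, segment) triples for every
    web-tier host sharing a segment with an app or db host; an empty list
    means the check passes or does not apply."""
    if not applies(tiered, internet_facing):
        return []
    by_segment = {}
    for h in hosts:
        by_segment.setdefault(segment_of(h), []).append(h)
    findings = []
    for net, members in by_segment.items():
        web = [h for h in members if h.tier == "web"]
        backend = [h for h in members if h.tier in ("app", "db")]
        findings.extend((w.name, b.name, str(net)) for w in web for b in backend)
    return sorted(findings)


# Constructed inventory: web2 was wrongly placed on the application segment.
SAMPLE_HOSTS = [
    Host("web1", "web", "10.10.1.10", "10.10.1.0/24"),
    Host("web2", "web", "10.10.2.20", "10.10.2.0/24"),
    Host("app1", "app", "10.10.2.10", "10.10.2.0/24"),
    Host("db1", "db", "10.10.3.10", "10.10.3.0/24"),
]

if __name__ == "__main__":
    for web, other, seg in find_segmentation_findings(SAMPLE_HOSTS):
        print(f"FINDING: {web} shares segment {seg} with {other}")
```

The physical-separation requirement for mixed data types cannot be derived from addressing alone and still needs the diagram review described above.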
Fix Text (F-23101r1_fix)
Separate the web server and place it on a logically separate network segment apart from the application and database servers.