
The designer and the IAO will ensure physical operating system separation and physical application separation are employed between servers of different data types in the web tier of the Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.


Overview

Finding ID: V-19688
Version: APP6290
Rule ID: SV-21829r1_rule
IA Controls: DCPA-1
Severity: High
Description
Restricted and unrestricted data residing on the same server may allow unauthorized access, which would result in a loss of integrity and possibly of the availability of the data. This requirement was added to this STIG at the request of the DoD DMZ PM. The goal is to ensure the requirement is addressed while the application is being developed. This requirement and its severity were previously approved by the DSAWG in the Internet-NIPRNet DoD DMZ Increment 1, Phase 1 STIG. *This requirement does not apply to SIPRNet DMZs.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-24085r1_chk)
Ask the application representative for a network diagram. Review the network diagram for web servers/web services or any other server in the web tier of the DoD DMZ. Identify which servers hold restricted data and which hold unrestricted data, and verify that the restricted servers and the unrestricted servers are installed on separate VLANs.

1) If restricted and unrestricted servers in the web tier of the DoD DMZ are not installed on separate VLANs, it is a finding.

*Note: This check does not apply to SIPRNet DMZs.
Fix Text (F-23071r1_fix)
Move restricted and unrestricted data to different servers, and place the restricted servers on a VLAN separate from the unrestricted servers so that the web-tier network diagram shows the separation the check verifies.
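The check above is a manual diagram review, and the fix states a second, server-level condition (no single server holds both data types). When the web-tier inventory is available as structured data (a CMDB or network-diagram export), both conditions can be evaluated mechanically. The following is an added example and not part of the STIG or of any DISA tooling; the inventory record format (host, tier, vlan, data_types), the host names and the VLAN IDs are all hypothetical. It also flags web-tier hosts with no recorded data classification, since the check cannot be completed for them; that goes slightly beyond the check text, which only addresses servers whose classification is known.

```python
"""Audit a DoD DMZ web-tier inventory against APP6290 (V-19688).

Added example, not part of the STIG. The inventory schema below is an
assumption standing in for a CMDB or network-diagram export.
"""
from collections import defaultdict

RESTRICTED = "restricted"
UNRESTRICTED = "unrestricted"

# Constructed sample inventory (hypothetical hosts and VLAN IDs).
SAMPLE_INVENTORY = [
    {"host": "web01", "tier": "web", "vlan": 110, "data_types": {RESTRICTED}},
    {"host": "web02", "tier": "web", "vlan": 120, "data_types": {UNRESTRICTED}},
    # One server holding both data types: violates the fix text.
    {"host": "web03", "tier": "web", "vlan": 110,
     "data_types": {RESTRICTED, UNRESTRICTED}},
    # Unrestricted server sharing VLAN 110 with restricted web01: violates the check.
    {"host": "web04", "tier": "web", "vlan": 110, "data_types": {UNRESTRICTED}},
    # Web-tier host with no recorded classification: the check cannot be completed.
    {"host": "web05", "tier": "web", "vlan": 130, "data_types": set()},
    # Application-tier host: outside the scope of this web-tier check.
    {"host": "app01", "tier": "app", "vlan": 110,
     "data_types": {RESTRICTED, UNRESTRICTED}},
]


def audit_web_tier(inventory):
    """Return a list of (kind, subject, detail) findings for the web tier.

    kind is one of:
      MIXED_SERVER  a single web-tier server holds both data types
      MIXED_VLAN    a VLAN carries both restricted and unrestricted servers
      UNVERIFIED    a web-tier server has no recorded data classification
    """
    findings = []
    # hosts per data type, grouped by VLAN, for the VLAN-separation check
    vlan_hosts = defaultdict(lambda: {RESTRICTED: set(), UNRESTRICTED: set()})

    for server in (s for s in inventory if s["tier"] == "web"):
        types = set(server["data_types"])
        if not types:
            findings.append(("UNVERIFIED", server["host"],
                             "no data classification recorded"))
            continue
        if {RESTRICTED, UNRESTRICTED} <= types:
            findings.append(("MIXED_SERVER", server["host"],
                             "hosts both restricted and unrestricted data"))
        for data_type in types & {RESTRICTED, UNRESTRICTED}:
            vlan_hosts[server["vlan"]][data_type].add(server["host"])

    for vlan in sorted(vlan_hosts):
        restricted = vlan_hosts[vlan][RESTRICTED]
        unrestricted = vlan_hosts[vlan][UNRESTRICTED]
        if restricted and unrestricted:
            findings.append((
                "MIXED_VLAN", f"vlan {vlan}",
                f"restricted={sorted(restricted)} "
                f"unrestricted={sorted(unrestricted)}",
            ))
    return findings


def is_compliant(inventory):
    """True only when no finding exists; an UNVERIFIED host also blocks a pass,
    because the reviewer cannot confirm separation for it."""
    return not audit_web_tier(inventory)


if __name__ == "__main__":
    for kind, subject, detail in audit_web_tier(SAMPLE_INVENTORY):
        print(f"{kind:13} {subject:10} {detail}")
    print("compliant:", is_compliant(SAMPLE_INVENTORY))
```

Running the block against the constructed inventory reports web03 as a mixed server, web05 as unverified, and VLAN 110 as carrying both restricted (web01, web03) and unrestricted (web03, web04) hosts; app01 is ignored because the check is scoped to the web tier. Removing the offending hosts leaves an inventory that passes.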