The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18523	NET-SRVFRM-004	SV-20062r1_rule		Medium

Description
ACLs on VLAN interfaces do not protect against compromised servers. The Server farm vlans need to protect the servers located on one subnet from servers located on another subnet. Protecting a client’s data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the Server Farm entry point. Restricting protocol, source and destination traffic via filters is an option; however additional security practices such as content filtering are required. The Server farm private vlans need to protect the servers located on one subnet from servers located on another subnet.

Description

ACLs on VLAN interfaces do not protect against compromised servers. The Server farm vlans need to protect the servers located on one subnet from servers located on another subnet. Protecting a client’s data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the Server Farm entry point. Restricting protocol, source and destination traffic via filters is an option; however additional security practices such as content filtering are required. The Server farm private vlans need to protect the servers located on one subnet from servers located on another subnet.

STIG	Date
Firewall Security Technical Implementation Guide - Cisco	2017-12-07

Details

Check Text ( C-21298r1_chk )
Review the firewall protecting the server farm. Vlan configurations should have a filter that secures the servers located on the vlan segment. Identify the source ip addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny by default posture. If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, than review the VLAN definition on the L3 switch.

Check Text ( C-21298r1_chk )

Review the firewall protecting the server farm. Vlan configurations should have a filter that secures the servers located on the vlan segment. Identify the source ip addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny by default posture.

If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, than review the VLAN definition on the L3 switch.

Fix Text (F-19126r1_fix)
Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder.