UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must protect server VLAN(s) by controlling the flow of information originating from one server farm segment destined for another server farm segment.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000018-FW-000207 SRG-NET-000018-FW-000207 SRG-NET-000018-FW-000207_rule Medium
Description
The intent of this requirement is to protect servers on a VLAN from a server that has been compromised by an intruder. If the server farm segments are not protected, a compromised server can be used as an attack source within the enclave. Protecting a client’s data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the server farm entry point. Restricting protocol, source, and destination traffic via filters is an option; however, additional security practices, such as content filtering, are required.
STIG Date
Firewall Security Requirements Guide 2014-07-07

Details

Check Text ( C-SRG-NET-000018-FW-000207_chk )
Review the firewall protecting the server farm. VLAN configurations should have a filter that secures the servers located on the VLAN segment. Identify the source IP addresses that have access to the servers and verify the privilege intended with the System Administrator. The filter should be in a deny-by-default posture.

If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, then review the VLAN definition on the L3 switch. If there is not an ACL that restricts traffic between VLANs, this is a finding.
Fix Text (F-SRG-NET-000018-FW-000207_fix)
Configure the firewall/ACL to restrict traffic between VLANs to only permit authorized traffic.