Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19833 | SRC-RAP-040 | SV-21996r1_rule | ECSC-1 | Medium |
Description |
---|
Without a screened subnet architecture traffic that would be normally destined for the DMZ would have to be redirected to the site's internal network. This would allow for a greater opportunity for hackers to exploit. NOTE: This check does not apply to the remote access VPN gateway. If an integrated RAS/VPN gateway is used where dial-up services are provided, then this check also applies. The DMZ architecture and placement will comply with the requirements of the applicable Network Infrastructure STIG. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2015-09-16 |
Check Text ( C-25056r1_chk ) |
---|
Review network architecture with the network administrator. Verify compliance by inspecting the site network topology diagrams and the firewall interface configurations. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator to verify the diagrams are current. If the network device does not use an approved network isolation method (e.g., DMZ), this is a finding. |
Fix Text (F-20516r1_fix) |
---|
Use the network diagram in the Network Infrastructure STIG for guidance for placement of RAS server in the appropriated DMZ subnets. |