Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-18835 | SRC-NAC-060 | SV-20588r1_rule | Medium |
| Description |
|---|
| Since the network access control devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with unrelated hosts would be suspect traffic. |
| STIG | Date |
|---|---|
| Remote Access Policy STIG | 2016-03-28 |
Details
| Check Text ( C-22570r1_chk ) |
|---|
| Verify that the policy assessment device is not allowed to communicate with other hosts in the DMZ that do not perform security policy assement or remediation services. |
| Fix Text (F-19507r1_fix) |
|---|
| Ensure that the policy assessment appliance or service is not allowed to communicate with unrelated host in the DMZ. |