
Ensure the remote access server (RAS) is located in a dual homed screened subnet.


Overview

Finding ID: V-19833
Version: SRC-RAP-040
Rule ID: SV-21996r1_rule
IA Controls:
Severity: Medium
Description
Without a screened subnet architecture, traffic that would normally be destined for the DMZ would have to be redirected to the site's internal network. This would give hackers a greater opportunity for exploitation.

NOTE: This check does not apply to the remote access VPN gateway. If an integrated RAS/VPN gateway is used where dial-up services are provided, then this check also applies. The DMZ architecture and placement will comply with the requirements of the applicable Network Infrastructure STIG.
STIG: Remote Access Policy STIG
Date: 2016-03-28

Details

Check Text (C-25056r1_chk)
Review network architecture with the network administrator.

Verify compliance by inspecting the site network topology diagrams and the firewall interface configurations. Since many network diagrams are not kept up to date, walk through the connections with the network administrator to verify the diagrams are current.

If the network device does not use an approved network isolation method (e.g., DMZ), this is a finding.
Fix Text (F-20516r1_fix)
Use the network diagram in the Network Infrastructure STIG as guidance for placing the RAS server in the appropriate DMZ subnets.