All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.

From Network Infrastructure Policy Security Technical Implementation Guide

Part of Internet facing applications must be in a DoD DMZ Extension.

Associated with: CCI-000366

SV-15265r4_rule All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.

Vulnerability discussion

Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.

Check content

Review the network topology diagram and interview the ISSO to verify that all Internet-facing applications are hosted in a DoD DMZ Extension. If there are any Internet-facing applications hosted in the enclave’s DMZ or private network, this is a finding.

Fix text

Implement and move internet facing applications logically to a DoD DMZ Extension.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.