The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.

From Firewall Security Technical Implementation Guide

Part of Server Farm without firewall content inspection

SV-20064r1_rule The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.

Vulnerability discussion

Most current applications are deployed as a multi-tier architecture. The multi-tier model uses separate server machines to provide the different functions of presentation, business logic, and database.Multi-tier server farms provide added security because a compromised web server does not provide direct access to the application itself or to the database.The multi-tier separation is accomplished in several architectures, by a layer 2 switch, by a layer3 switch/router or by a firewall located at the server farm. Using the firewall implementation is the most secure method and is the only approved DoD architecture.Firewalls get packets from VLAN-supporting switches complete with 802.1Q tags in their headers. What the VLAN-aware firewall can do is extract the tags and use the information within the tags to make policy-based security decisions.

Check content

Identify the VLAN IP subnet and determine if the subnet passes content inspect by a firewall capable on content inspection.

Fix text

Configure the firewall to inspect traffic content to and from the server farm.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.