The Sun Ray Session Server (SRSS) is not located in a DMZ or screened subnet.

From Sun Ray 4 STIG

Part of Sun Ray Server not in DMZ

Associated with IA controls: ECSC-1

SV-18511r1_rule The Sun Ray Session Server (SRSS) is not located in a DMZ or screened subnet.

Vulnerability discussion

If the SRSS is configured to service external clients from the internal enclave, there is a potential that an external adversary can obtain information about internal hosts that could assist the adversary in an attack. Firewalls, ACLs, and DMZs are used to enforce these types of restrictions and are components in the defense-in-depth architecture. The SRSS must be located in a protected DMZ if the server is servicing clients outside the local enclave. If the SRSS is only servicing clients inside the local enclave, then it must be behind the enclave boundary and not part of the DMZ that houses public servers.

Note: A DMZ is a physical or logical subnetwork that usually contains an organization's external services to a larger, untrusted network, typically the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN). DoD Instruction 8500.2 requires a DMZ for confidentiality levels of High and Medium, identified as classified and sensitive domains respectively. A DMZ provides boundary protection for architectures that interconnect enclaves.

Check content

1. Validate the scope of clients that the Sun Ray Session Server (SRSS) is servicing. If the SRSS is servicing clients outside the local enclave, proceed to step 2. If the SRSS is servicing clients inside the local enclave, proceed to step 3.

2. The requirement is that the SRSS must be in a protected DMZ. Review the network topology diagram and obtain the SRSS IP address and subnet mask to validate that it is in the documented subnet for the DMZ. If no network topology diagram exists, work with the network reviewer/system administrator to determine if the SRSS is located in a DMZ. If it is not in a DMZ, this is a finding.

3. If the SRSS server is only serving clients inside the local enclave, the requirement is that it be behind the enclave boundary and not part of the DMZ that houses the public servers. Review the network topology diagram and obtain the SRSS IP address and subnet mask to validate that it is in an enclave subnet for servers. If no network topology diagram exists, work with the network reviewer/system administrator to determine where the SRSS server is located. If it is in the DMZ, this is a finding.
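
The subnet-membership part of steps 2 and 3 can be scripted once the topology diagram's subnets are known. The following is an added example, not part of the STIG; the DMZ and enclave server subnets and the SRSS addresses are constructed placeholders standing in for a real site's network topology diagram.

```python
import ipaddress

# Constructed placeholder topology, standing in for the site's network diagram.
DMZ_SUBNETS = ["192.0.2.0/24"]
ENCLAVE_SERVER_SUBNETS = ["10.10.20.0/24", "10.10.21.0/24"]


def interface_network(ip, mask):
    """Subnet the SRSS interface belongs to, derived from its IP and netmask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def _contained(net, subnets):
    # True when the interface's subnet lies wholly inside a documented subnet;
    # a mask that is too wide (e.g. /16 on a /24 segment) therefore fails here.
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in subnets)


def check_srss_placement(ip, mask, serves_external_clients,
                         dmz_subnets=DMZ_SUBNETS,
                         enclave_server_subnets=ENCLAVE_SERVER_SUBNETS):
    """Apply the SV-18511 check; returns 'finding', 'not a finding' or 'unverified'.

    serves_external_clients=True follows step 2 (SRSS must be in a DMZ);
    False follows step 3 (SRSS must be in an enclave server subnet, not the DMZ).
    """
    net = interface_network(ip, mask)
    in_dmz = _contained(net, dmz_subnets)
    in_enclave = _contained(net, enclave_server_subnets)
    if serves_external_clients:
        return "not a finding" if in_dmz else "finding"
    if in_dmz:
        return "finding"
    # Step 3 only declares a finding for DMZ placement; a host outside every
    # documented subnet still needs the network reviewer to confirm where it sits.
    return "not a finding" if in_enclave else "unverified"


if __name__ == "__main__":
    cases = [("192.0.2.15", "255.255.255.0", True),
             ("10.10.20.7", "255.255.255.0", True),
             ("192.0.2.15", "255.255.255.0", False),
             ("10.10.20.7", "255.255.255.0", False),
             ("10.10.20.7", "255.255.0.0", False)]
    for ip, mask, ext in cases:
        scope = "external clients" if ext else "internal clients"
        print(f"{ip}/{mask} ({scope}): {check_srss_placement(ip, mask, ext)}")
```

The last case shows a server whose address is in an enclave range but whose mask spans beyond the documented /24; it is reported as unverified rather than silently passed.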

Fix text

Place the SRSS behind a screened subnet or DMZ.
