Status: Live
The organization will ensure that network designs prohibit direct public access between external networks and any system component that stores confidential information. [UCF ID 00533]
Supporting and supported controls
This control directly supports:
- Network configuration [UCF Control ID 00530]
This control has the following supporting controls:
- DMZ areas should be designed with proper isolation rules in mind [UCF Control ID 00532]
- Restrict inbound internet traffic to the DMZ area [UCF Control ID 01285]
- Ensure applications and databases holding confidential information are placed in an internal network zone that is segregated from the DMZ. [UCF Control ID 01289]
- Restrict outbound traffic from systems with confidential data [UCF Control ID 01295]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Pg 18, Pg 20, Pg 38, Exam Tier I Obj 2.3; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 1.3.1; ISF Security Audit of Networks, § 1.3.4; The Standard of Good Practice for Information Security, SM4.1.7(f), CB6.4.2(b), NW1.2.2(c), SD4.6.3(b); The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005, § 2.2 (2.2.160); DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 2.1, § 4.2.3; ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 15.11, § J.11; ISO 17799:2005 Code of Practice for Information Security Management, § 11.4.5; ISO/IEC 27002-2005 Code of practice for information security management, § 11.4.5; Australian Government ICT Security Manual (ACSI 33), § 3.5.16; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.3.1; Archer Control Table, ATCS-352
Banking and Finance Guidance
The organization should create security domains to mitigate the risks to each individual domain. [Pg 18, Pg 20, Pg 38, Exam Tier I Obj 2.3, FFIEC IT Examination Handbook – Information Security]
Payment Card Guidance
The organization must install a demilitarized zone (DMZ) in order to prohibit inbound and outbound traffic from direct public access except for necessary protocols.
Verify that a DMZ is installed to ensure no Internet traffic has a direct inbound or outbound route to the cardholder data environment without being filtered and screened. [§ 1.3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must install a demilitarized zone (DMZ) in order to prohibit inbound and outbound traffic from direct public access except for necessary protocols. [§ 1.3.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
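As an added illustration of the § 1.3.1 verification step (not part of the UCF text or of any authority document), the following Python model evaluates a zone-based firewall policy and reports any flow that passes straight between the public zone and the zone holding confidential data without traversing the DMZ. The zone names, rule format, sample ports and both rule sets are constructed assumptions; return traffic for established sessions is not modelled.

```python
from dataclasses import dataclass

# Constructed zone names: "internal" is where confidential data lives.
PUBLIC, DMZ, INTERNAL, ANY = "public", "dmz", "internal", "*"


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "*" for any zone
    dst: str      # zone name or "*" for any zone
    port: int     # destination TCP port, 0 = any port
    action: str   # "allow" or "deny"


def first_match(rules, src, dst, port):
    """First-match evaluation with an implicit default deny at the end."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (0, port):
            return r.action
    return "deny"


def direct_public_violations(rules, sample_ports=(22, 80, 443, 3389, 5432)):
    """Flows the policy lets pass directly between public and internal zones.

    Both directions are probed (inbound to and outbound from the confidential
    zone), since the requirement covers both.
    """
    violations = []
    for src, dst in ((PUBLIC, INTERNAL), (INTERNAL, PUBLIC)):
        for port in sample_ports:
            if first_match(rules, src, dst, port) == "allow":
                violations.append((src, dst, port))
    return violations


# Constructed weak policy: database reachable from the Internet, and the
# confidential zone may initiate traffic to anywhere.
WEAK_RULES = [
    Rule(PUBLIC, DMZ, 443, "allow"),
    Rule(PUBLIC, INTERNAL, 5432, "allow"),
    Rule(INTERNAL, ANY, 0, "allow"),
]

# Constructed hardened policy: only the DMZ faces the Internet, only the DMZ
# talks to the database, and the confidential zone reaches the DMZ resolver only.
HARDENED_RULES = [
    Rule(PUBLIC, DMZ, 443, "allow"),
    Rule(DMZ, INTERNAL, 5432, "allow"),
    Rule(INTERNAL, DMZ, 53, "allow"),
]
```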
Other Configuration Guidance
A DMZ or VLAN should be used to separate the wireless network from the wired network. [§ 2.2 (2.2.160), The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005]
Webmail application servers must be located in a DMZ. Remote access servers and network access servers must be located in dual homed screened subnets. [§ 2.1, § 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
ISO Guidance
The system should maintain a security domain to protect it from interference and tampering by untrusted objects. [§ 15.11, § J.11, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
Networks should be segregated by using a firewall, IP switching, virtual private networks, or another method. The criteria for segregation into domains should be based on the access control policy, the value and classification of the information, and the levels of trust. [§ 11.4.5, ISO 17799:2005 Code of Practice for Information Security Management]
Networks should be segregated by using a firewall, IP switching, virtual private networks, or another method. The criteria for segregation into domains should be based on the access control policy, the value and classification of the information, and the levels of trust. [§ 11.4.5, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
[§ 1.3.4, ISF Security Audit of Networks]
Systems should be segregated based on the security requirements, such as trusted and untrusted domains. Dedicated computers should be used as web servers when they support applications. [SM4.1.7(f), CB6.4.2(b), NW1.2.2(c), SD4.6.3(b), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
When high-risk servers connect to public domain networks, the organization should minimize the communications between the servers at the network and file levels, maintain separation between the servers, and limit access from users and programs to the minimum amount required to perform their duties/operations. [§ 3.5.16, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
