Application Security and Development Security Technical Implementation Guide

Verify the application web servers are separated from the application and database servers if the application is a tiered design as per DoD DMZ STIG requirements.

If the application is not hosted in the DoD DMZ, this requirement is not applicable. Review the network diagram and identify web servers/web services, web application servers, and database servers. Review the application data protection requirements and identify whether all data types hosted on the server are identical. Security controls are firewall rules or ACLs that provide access restrictions on network traffic and limit communications between systems to only application and application/system support traffic. For a complete explanation of DoD DMZ requirements, reference the DoD DMZ requirements.

A tiered application usually consists of 3 tiers: the web layer (presentation tier), the application layer (application logic tier), and the database layer (data storage tier). Using one system for hosting all 3 tiers introduces risk that if one tier is compromised, there are no additional protection layers available to defend the other tiers.

Separation can be performed either physically or logically based upon data protection and application protection design requirements. Physically separate machines utilize a non-virtual OS. Physically separate networks require distinct physical network devices for connections (e.g., two separate switches or two separate routers). Logically separate systems are implemented with virtual machines or other system emulation. Logically separate networks are usually implemented via a VLAN.

Security controls must be in place in order to provide different levels and types of defenses for each type of server based upon data protection requirements identified by policy or data owner. Security controls include firewalls or other forms of access controls that restrict the ability to traverse the network from one system to the other.

DoD DMZ policy specifies that logical separation is allowed, but when hosting different data types on the same server, physical separation is required.

1) Unrestricted web servers and Restricted web servers must be on separate virtual or physical servers from Private web servers, application servers, or database servers.
2) Unrestricted web servers and Restricted web servers can either be on separate physical servers from each other, or they can be on separate virtual servers.
3) If application and database servers have been separated by service type into Unrestricted, Restricted, and Private servers (permitted but not required in Increment 1 Phase 1), they must be on separate virtual or physical servers from each other by server type (Application or Database) and by service type (Unrestricted, Restricted, or Private).

Reference the DoD DMZ STIG for details on data types and separation requirements.
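As an added example (not part of the STIG text), the following Python script models the inventory a reviewer would transcribe from the network diagram and flags pairs of roles that share one OS instance, applying the tier-separation requirement and the three service-type rules above; the Server fields, host names and inventory values are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional

@dataclass(frozen=True)
class Server:
    """One role from the network diagram (field names are this example's own)."""
    name: str
    tier: str                 # "web", "application" or "database"
    service_type: str         # "Unrestricted", "Restricted" or "Private"
    physical_host: str        # physical machine the OS runs on
    vm: Optional[str] = None  # VM name when virtualised; None means bare metal

def same_system(a: Server, b: Server) -> bool:
    """True when both roles run in one OS instance: same machine and same VM (or both bare metal)."""
    return a.physical_host == b.physical_host and a.vm == b.vm

def separation_kind(a: Server, b: Server) -> str:
    """'physical' for distinct machines, 'logical' for distinct VMs on one machine, 'none' if shared."""
    if a.physical_host != b.physical_host:
        return "physical"
    return "none" if same_system(a, b) else "logical"

def check_separation(servers: List[Server]) -> List[str]:
    """One finding per pair of roles that must sit on separate servers but share an OS instance."""
    findings = []
    for a, b in combinations(servers, 2):
        if not same_system(a, b):
            continue  # separate virtual or physical server: acceptable under rules 1-3
        if a.tier != b.tier:  # tiered design: web, application and database must not share a system
            findings.append(f"{a.name} [{a.tier}] and {b.name} [{b.tier}] share one system")
        elif a.service_type != b.service_type:  # rules 1 and 3: service types need separate servers
            findings.append(f"{a.name} [{a.service_type}] and {b.name} [{b.service_type}] "
                            f"share one {a.tier} system")
    return findings

# Constructed inventory, as a reviewer would transcribe it from the network diagram.
INVENTORY = [
    Server("web-unres-1", "web", "Unrestricted", "esx-01", vm="vm-101"),
    Server("web-res-1", "web", "Restricted", "esx-01", vm="vm-102"),  # own VM: rule 2 met
    Server("web-priv-1", "web", "Private", "esx-01", vm="vm-102"),    # shares that VM: rule 1 broken
    Server("app-1", "application", "Private", "esx-02", vm="vm-201"),
    Server("db-1", "database", "Private", "metal-03"),
    Server("db-2", "database", "Private", "metal-03"),                # same tier and type: allowed
    Server("app-2", "application", "Private", "metal-03"),            # bare metal shared with db: tier broken
]

if __name__ == "__main__":
    for finding in check_separation(INVENTORY):
        print("FINDING:", finding)
```

Roles on distinct VMs of one machine are reported as logically separated; whether that is sufficient for the data types involved is decided against the DoD DMZ STIG, not by this script.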