Check: SUN0400
Sun Ray 4 STIG:
SUN0400
(in version v1 r2)
Title
The Sun Ray Session Server (SRSS) is not located in a DMZ or screened subnet. (Cat II impact)
Discussion
If the SSRS is configured to service external clients from the internal enclave, there is a potential that an external adversary can obtain information about internal hosts that could assist the adversary in an attack. Firewalls, ACLs, and DMZs are used to enforce these types of restrictions and are components in the defense-in-depth architecture. The SRSS must be located in a protected DMZ if the server is servicing clients outside the local enclave. If the SRSS is only servicing clients inside the local enclave, then it must be behind the enclave and not part of the DMZ that houses public servers. Note: A DMZ is a physical or logical subnetwork that usually contains an organization's external services to a larger, untrusted network, typically the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN). DoD Instruction 8500.2 requires a DMZ for confidentiality levels of High and Medium identified as classified and sensitive domains respectively. A DMZ provides boundary protection for architectures that interconnect enclaves.
Check Content
1. Validate the scope of clients that the Sun Ray Session Server (SRSS) is servicing. If the SRSS is servicing clients outside the local enclave, proceed to step 2. If the SRSS is servicing clients inside the local enclave, proceed to step 3. 2. The requirement is that the SRSS must be in a protected DMZ. Review the network topology diagram and obtain the SRSS IP address and subnet mask to validate that it is in the documented subnet for the DMZ. If no network topology diagram exists, work with the network reviewer/system administrator to determine if the SRSS is located in a DMZ. If it is not in a DMZ, this is a finding. 3. If the SRSS server is only serving clients inside the local enclave, the requirement is to be behind the enclave not part of the DMZ that houses the public servers. Review the network topology diagram and obtain the SRSS IP address and subnet mask to validate that it is in an enclave subnet for servers. If no network topology exists, work with the network reviewer/system administrator to determine where the SRSS server is located. If it is in the DMZ, this is a finding.
Fix Text
Place the SRSS behind a screened subnet or DMZ.
Additional Identifiers
Rule ID:
Vulnerability ID: V-17455
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |