{"description": "Private web servers, which host sites that serve controlled access data,\nmust be protected from outside threats in addition to insider threats.\n\nIsolate the private web server from the public DMZ and separate it from the\ninternal general population LAN.", "rationale": "Insider threats may be accidental or intentional but, in either case, can\ncause a disruption in service of the web server. To protect the private\nweb server from these threats, it must be located on a separate controlled\naccess subnet and must not be part of the public DMZ that houses the public\nweb servers. It also cannot be located inside the enclave as part of the\nlocal general population LAN.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the private web server is not on a separate controlled access subnet", "ocil": "Verify the site's network diagram and visually check the web server, to\nensure that the private web server is located on a separate controlled\naccess subnet and is not part of the public DMZ that houses the public\nweb servers.\n\nIn addition, the private web server needs to be isolated via a controlled\naccess mechanism from the local general population LAN.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "A private web server must be located on a separate controlled access subnet", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/http/securing_httpd/httpd_private_server_on_separate_subnet/rule.yml", "template": null}