A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension

An XCCDF Rule

Description

To minimize exposure of private assets to unnecessary risk from attackers, public web servers must be isolated from internal systems. Logically relocate public web servers so that they are isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are part of the same system as the web server.

Rationale

Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources. An improperly located public web server is a potential threat to the entire network.

ID
xccdf_org.ssgproject.content_rule_httpd_nipr_accredited_dmz
Severity
Medium