Storage Area Network STIG


This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]


Version / Release: V2R4

Published: 2019-06-28

Updated At: 2019-08-08 19:58:28


Requirements (Vuln Rule, Version, Severity, Title, Description):

Vuln Rule: SV-6724r1_rule
Version: SAN03.003.00
Severity: MEDIUM
Title: The default zone visibility setting is not set to “none”.
Description: If the default zone visibility setting is set to "none", new clients brought into the SAN will not be allowed access to any SAN zone they are not explicitly placed into. The IAO/NSO will ensure that the default zone visibility setting, if available, is se

Vuln Rule: SV-6727r1_rule
Version: SAN03.002.00
Severity: HIGH
Title: Hard zoning is not used to protect the SAN.
Description: Risk: In a SAN environment, we potentially have data with differing levels or need-to-know stored on the same "system". A high level of assurance that a valid entity (user/system/process) of one set of data is not inadvertently given access to data that

Vuln Rule: SV-6730r1_rule
Version: SAN04.002.00
Severity: MEDIUM
Title: The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG.
Description: Inconsistencies with the Network Infrastructure STIG, the Enclave STIG, and the SAN implementation can lead to the creation of vulnerabilities in the network or the enclave.
Responsibility: System Administrator, Network Security Officer

Vuln Rule: SV-6733r1_rule
Version: SAN04.003.00
Severity: MEDIUM
Title: All security related patches are not installed.
Description: Failure to install security related patches leaves the SAN open to attack by exploiting known vulnerabilities. The IAO/NSO will ensure that all security-related patches are installed. Untested patches can lead to SAN degradation or failure. Information

Vuln Rule: SV-6739r1_rule
Version: SAN04.004.00
Severity: MEDIUM
Title: Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
Description: Many SAN components (servers, switches, management stations) have security requirements from other STIGs. It will be verified that all requirements are complied with. The IAO/NSO will ensure that prior to installing SAN components (servers, switches, and

Vuln Rule: SV-6742r1_rule
Version: SAN04.005.00
Severity: MEDIUM
Title: Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.
Description: SAN servers and other hosts are hardware/software combinations that actually run under the control of a native OS found on the component. This OS may be UNIX, Linux, Windows, etc. The underlying OS must be configured to be compliant with the applicable S

Vuln Rule: SV-6743r1_rule
Version: SAN04.006.00
Severity: HIGH
Title: Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
Description: The SAN servers and other hosts are subject to virus and worm attacks, as are any systems running an OS. If the anti-virus software is not installed or the virus definitions are not maintained on these systems, this could expose the entire enclave network

Vuln Rule: SV-6748r1_rule
Version: SAN04.007.00
Severity: MEDIUM
Title: A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.
Description: A drawing of the SAN topology gives the IAO and other interested individuals a pictorial representation of the SAN. This can be helpful in diagnosing potential security problems. The IAO/NSO will maintain a current drawing of the site’s SAN topology th

Vuln Rule: SV-6751r1_rule
Version: SAN04.008.00
Severity: MEDIUM
Title: All the network level devices interconnected to the SAN are not located in a secure room with limited access.
Description: If the network level devices are not located in a secure area they can be tampered with, which could lead to a denial of service if the device is powered off, or sensitive data can be compromised by a tap connected to the device. The IAO/NSO will ensure tha

Vuln Rule: SV-6752r1_rule
Version: SAN04.009.00
Severity: MEDIUM
Title: Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.
Description: Without identification and authentication, unauthorized users could reconfigure the SAN or disrupt its operation by logging in to the fabric switch and executing unauthorized commands. The IAO/NSO will ensure individual user accounts with passwords are set

Vuln Rule: SV-6753r2_rule
Version: SAN04.010.00
Severity: MEDIUM
Title: The SAN must be configured to use bidirectional authentication. Switch-to-switch management traffic does not have to be encrypted.
Description: Bidirectional authentication ensures that a rogue switch cannot be inserted and be auto configured to join the fabric. Failure to configure all components to use encryption could cause the

Vuln Rule: SV-6768r2_rule
Version: SAN04.011.00
Severity: LOW
Title: The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
Description: DOD PKI supplies better protection from malicious attacks than userid/password authentication and should be used anytime it is feasible. Failure to develop a plan for the coordinated correction of these vulnerabilities across the SAN could lead to a denial

Vuln Rule: SV-6769r1_rule
Version: SAN04.012.00
Severity: MEDIUM
Title: Network management ports on the SAN fabric switches, except those needed to support the operational commitments of the sites, are not disabled.
Description: Enabled network management ports that are not required expose the SAN fabric switch and the entire network to unnecessary vulnerabilities. By disabling these unneeded ports the exposure profile of the device and network is diminished. The IAO/NSO will di

Vuln Rule: SV-6773r1_rule
Version: SAN04.013.00
Severity: MEDIUM
Title: SAN management is not accomplished using the out-of-band or direct connection method.
Description: Removing the management traffic from the production network diminishes the security profile of the SAN servers by allowing all the management ports to be closed on the production network. The IAO/NSO will ensure that SAN management is accomplished using t

Vuln Rule: SV-6778r1_rule
Version: SAN04.014.00
Severity: LOW
Title: Communications from the management console to the SAN fabric are not protected by strong two-factor authentication.
Description: Using two-factor authentication between the SAN management console and the fabric enhances the security of the communications carrying privileged functions. It is harder for an unauthorized management console to take control of the SAN. The preferred so

Vuln Rule: SV-6780r1_rule
Version: SAN04.015.00
Severity: LOW
Title: The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
Description: If the manufacturer's default PKI keys are allowed to remain active on the device, it can be accessed by a malicious individual with access to the default key. The IAO/NSO will ensure that the manufacturer’s default PKI keys are changed prior to attachi

Vuln Rule: SV-6783r1_rule
Version: SAN04.016.00
Severity: LOW
Title: The SAN is not configured to use a FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
Description: The communication between the SAN management console and the SAN fabric carries sensitive privileged configuration data. This data's confidentiality will be protected with a FIPS 140-1/2 validated algorithm for encryption. Configuration data could be used t

Vuln Rule: SV-6791r1_rule
Version: SAN04.017.00
Severity: HIGH
Title: All SAN management consoles and ports are not password protected.
Description: Without password protection, malicious users can create a denial of service by disrupting the SAN or allow the compromise of sensitive data by reconfiguring the SAN topology. The IAO/NSO will ensure that all SAN management consoles and ports are password

Vuln Rule: SV-6792r1_rule
Version: SAN04.018.00
Severity: HIGH
Title: The manufacturer’s default passwords have not been changed for all SAN management software.
Description: Changing passwords from the default value blocks malicious users with knowledge of the default passwords for the manufacturer's SAN management software from creating a denial of service by disrupting the SAN or reconfiguring the SAN topology, leading

Vuln Rule: SV-6793r1_rule
Version: SAN04.019.00
Severity: HIGH
Title: The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
Description: By using a Deny-by-Default based policy, any service or protocol not required by a port and overlooked in the zoning list will be denied access. If a Deny-by-Default based policy was not used, any overlooked service or protocol not required by a port coul

Vuln Rule: SV-6794r1_rule
Version: SAN04.020.00
Severity: LOW
Title: Attempts to access ports, protocols, or services that are denied are not logged.
Description: Logging or auditing of failed access attempts is a necessary component for the forensic investigation of security incidents. Without logging there is no way to demonstrate that the access attempt was made or when it was made. Additionally, a pattern of a

Vuln Rule: SV-6798r1_rule
Version: SAN04.021.00
Severity: MEDIUM
Title: Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
Description: There are vulnerabilities in some implementations and some configurations of SNMP. Therefore, if SNMP is used, the guidelines found in the Network Infrastructure STIG for selecting a version of SNMP to use and how to configure it will be followed. If Simpl

Vuln Rule: SV-6802r1_rule
Version: SAN04.022.00
Severity: HIGH
Title: Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
Description: SNMP, by virtue of what it is designed to do, can be a large security risk. Because SNMP can obtain device information and set device parameters, unauthorized users can cause damage. Restricting the IP addresses that can access SNMP on the SAN devices will fur

Vuln Rule: SV-6803r1_rule
Version: SAN04.023.00
Severity: MEDIUM
Title: The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
Description: SNMP, by virtue of what it is designed to do, can be a large security risk. Because SNMP can obtain device information and set device parameters, unauthorized users can cause damage. Therefore, access to a SAN device from an IP address outside of the inte

Vuln Rule: SV-6807r1_rule
Version: SAN04.024.00
Severity: LOW
Title: End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.
Description: End-user platforms should only be connected to servers that run applications that access the data found on the SAN devices. SANs do not supply a robust user identification and authentication platform. They depend on the servers and applications to authe

Vuln Rule: SV-6809r1_rule
Version: SAN05.001.00
Severity: MEDIUM
Title: Fabric switch configurations and management station configuration are not archived, and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.
Description: Backup and recovery procedures are critical to the security and availability of the SAN system. If a system is compromised, shut down, or otherwise not available for service, this could hinder the availability of resources to the warfighter. The IAO/NSO

Vuln Rule: SV-7465r1_rule
Version: SAN04.025.00
Severity: MEDIUM
Title: SAN components are not configured with fixed IP addresses.
Description: Without fixed IP addresses, filtering or restricting of access based on IP addressing will not function correctly, allowing unauthorized access to SAN components or creating a denial of service by blocking legitimate traffic from authorized components. The s