Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Storage Area Network STIG

V2R3 · · · Released 26 Oct 2018 · 28 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V2R2 · 25 Oct 2013 ✎ 22

Comparison against the immediately-prior release (V2R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 22

  • V-6605 Medium description The default zone visibility setting is not set to “none”.
  • V-6608 High description Hard zoning is not used to protect the SAN.
  • V-6609 Low description SAN devices are not added to the site System Security Authorization Agreement (SSAA).
  • V-6610 Medium description The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG
  • V-6613 Medium description All security related patches are not installed.
  • V-6619 Medium description Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
  • V-6623 High description Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
  • V-6633 Medium descriptioncheckfix The SAN must be configured to use bidirectional authentication.
  • V-6634 Low descriptioncheckfix The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  • V-6636 Medium description SAN management is not accomplished using the out-of-band or direct connection method.
  • V-6637 Low description Communications from the management console to the SAN fabric are not protected strong two-factor authentication.
  • V-6638 Low description The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
  • V-6639 Low description The SAN is not configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
  • V-6645 High description All SAN management consoles and ports are not password protected.
  • V-6646 High description The manufacturer’s default passwords have not been changed for all SAN management software.
  • V-6647 High description The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
  • V-6648 Low description Attempts to access ports, protocols, or services that are denied are not logged..
  • V-6652 Medium description Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
  • V-6656 High description Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
  • V-6657 Medium description The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
  • V-6660 Low description End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.
  • V-6661 Medium description Fabric switch configurations and management station configuration are not archived and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.
Sort by
b
The default zone visibility setting is not set to “none”.
Medium - V-6605 - SV-6724r1_rule
RMF Control
Severity
M
CCI
Version
SAN03.003.00
Vuln IDs
  • V-6605
Rule IDs
  • SV-6724r1_rule
If the default zone visibility setting is set to "none", new clients brought into the SAN will not be allowed access to any SAN zone they are not explicitly placed into. The IAO/NSO will ensure that the default zone visibility setting, if available, is set to “none”.If there are client systems that have not explicitly been placed in a zone they may be denied access to data they need.Information Assurance OfficerNetwork Security Officer
Checks: C-2429r1_chk

Reviewer with the assistance of the IAO/NSO, verify that the default zone visibility setting is set to “none”.. If this setting is not available mark this check as N/A.

Fix: F-6189r1_fix

Locate all clients that have not been explicitly placed into a zone. Create a plan to explicitly place these clients into the correct zone(s) and after doing so the plan will include the modification of the default zone visibility setting to “none”. Obtain CM approval of the plan and then, following the plan, reconfigure the SAN to allow for the default zone visibility setting to be set to “none”.

c
Hard zoning is not used to protect the SAN.
High - V-6608 - SV-6727r1_rule
RMF Control
Severity
H
CCI
Version
SAN03.002.00
Vuln IDs
  • V-6608
Rule IDs
  • SV-6727r1_rule
Risk: In a SAN environment, we potentially have data with differing levels or need-to-know stored on the same "system". A high level of assurance that a valid entity (user/system/process) of one set of data is not inadvertently given access to data that is unauthorized. Depending on the data and implementation, lack of hard zoning could provide access to classifed, administrative configuration, or other privileged information. A zone is considered to be "hard" if it is hardware enforced. In other words, it is considered “hard” in that they are always enforced by the destination ASIC. "Soft" zoning is more flexible but is also more vulnerable. In "soft" or WWN-enforced zoning, however, the HBA on the initiating devices store a copy of the name server entries, which were discovered in the last IO scan/discovery. It is possible for the HBA to include old addresses, which are no longer allowed in the newly established zoning rules. So your goal is to mitigate this risk in some way. If hardware enforced zoning is used this is not an issue as the destination port will not allow any access regardless of what the OS/HBA “thinks” it has access to. Supplementary Note: Registry State Change Notifications ( RSCN ) storms in large SAN deployments are another factor of which the system administrator must be aware. RSCNs are a broadcast function that allows notification to registered devices when a state change occurs within a SAN topology. These changes could be as simple as a cable being unplugged or a new HBA being connected. When such changes take place, all members would have to be notified of the change and conflicts would have to be resolved, before the name servers are updated. In large configurations it could take a long time for the entire system to stabilize, impairing performance. Effective zoning on the switch would help in minimizing RSCN storms, as only devices within a zone would get notified of state changes. It would also be ideal to make note of business critical servers and make changes to zones and fabrics that affect these servers at non business critical times. Tape fabrics could also be separated from disk fabric (although this comes at a cost). Statistics of RSCN's are available from a few switch vendors. Monitoring these consistently and considering these before expansion of SAN's would help you with effective storage deployments. Although soft zoning is not recommended for DoD SAN implementations, this form of zoning does partially mitigate the risk and is preferred to no zoning. If soft zoning is used AND the system is does not process classified information, then this finding may be downgraded to a CAT 2 with a POA&M documenting a migration plan for implementation of hard zoning.If the zoning ACLs are not properly migrated from the soft zoning format to the hard zoning format a denial of service can be created where a client is not allowed to access required data. Also a compromise of sensitive data can occur if a client is allowed access to data not required. This can also happen if you are moving from no zoning to hard zoning and incorrectly configure the ACLs.Information Assurance OfficerNetwork Security Officer
Checks: C-2436r1_chk

The reviewer, with the assistance of the IAO/NSO, will verify that hard zoning is used to protect the SAN. If soft zoning is used, this is a finding. If soft zoning must be used (with DAA approval), this is still a CAT II finding and a migration plan must be in place. However, note that the HBA’s memory is non-persistent, thus when zoning changes are made, a policy must be in place (show via the log that it is enforced) to force a state change update in the affected HBAs immediately after making zoning changes.

Fix: F-6195r1_fix

If zoning has not been implemented, develop a zone topography. From the topography, create a plan to implement hard zoning, obtain CM approval of the plan and then, following the plan, reconfigure the SAN to support hard zoning. If zoning has been implemented, develop a plan to migrate to hard zoning, obtain CM approval of the plan and then, following the plan, reconfigure the SAN to support hard zoning.

a
SAN devices are not added to the site System Security Authorization Agreement (SSAA).
Low - V-6609 - SV-6729r1_rule
RMF Control
Severity
L
CCI
Version
SAN04.001.00
Vuln IDs
  • V-6609
Rule IDs
  • SV-6729r1_rule
All hardware and software will be entered into the SSAA. This gives a central location where it can be shown that all interested parties have reviewed the impact on their security posture and approved the implementation of the SAN. The IAO/NSO will ensure that SAN devices are added to the site System Security Authorization Agreement (SSAA).Information Assurance OfficerNetwork Security Officer
Checks: C-2439r1_chk

The reviewer will interview the IAO/NSO to validate that SAN devices are added to the site System Security Authorization Agreement (SSAA).

Fix: F-6198r1_fix

Update the SSAA following the SSAA review and acceptance procedures to include the SAN.

b
The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG
Medium - V-6610 - SV-6730r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.002.00
Vuln IDs
  • V-6610
Rule IDs
  • SV-6730r1_rule
Inconsistencies with the Network Infrastructure STIG, the Enclave STIG, and the SAN implementation can lead to the creation of vulnerabilities in the network or the enclave.System AdministratorNetwork Security Officer
Checks: C-2444r1_chk

The reviewer will interview the IAO/NSO to validate that SANs are compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG. NOTE: The intent of this check is to ensure that the other checklists were applied. If they are applied then, regardless of what the findings are, this is not a finding. The objective of this policy is met if the other checklists were applied and documented.

Fix: F-6199r1_fix

Perform a self assessment with the Network Infrastructure checklist and the Enclave checklist or schedule a formal review with FSO.

b
All security related patches are not installed.
Medium - V-6613 - SV-6733r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.003.00
Vuln IDs
  • V-6613
Rule IDs
  • SV-6733r1_rule
Failure to install security related patches leaves the SAN open to attack by exploiting known vulnerabilities. The IAO/NSO will ensure that all security-related patches are installed.Untested patches can lead to the SAN degradation or failure.Information Assurance OfficerNetwork Security OfficerVIVM-1
Checks: C-2454r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that all security related patches are installed.

Fix: F-6202r1_fix

After verifying that the patches do not adversely impact the production SAN, create a plan for installing the patches on the SAN, obtain CM approval of the plan, and implement the plan installing the patches.

b
Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
Medium - V-6619 - SV-6739r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.004.00
Vuln IDs
  • V-6619
Rule IDs
  • SV-6739r1_rule
Many SAN components (servers, switches, management stations) have security requirements from other STIGs. It will be verified that all requirement are complied with. The IAO/NSO will ensure that prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are configured to meet the applicable STIG requirements.Information Assurance OfficerNetwork Security Officer
Checks: C-2463r1_chk

The reviewer will interview the IAO/NSO and view VMS to verify that prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are configured to meet the applicable STIG requirements.

Fix: F-6207r1_fix

Perform a self assessment using the applicable checklists or scripts on any component device that has not been reviewed or request a formal review from FSO.

b
Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.
Medium - V-6622 - SV-6742r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.005.00
Vuln IDs
  • V-6622
Rule IDs
  • SV-6742r1_rule
SAN servers and other hosts are hardware software combinations that actually run under the control of a native OS found on the component. This OS may be UNIX, LNIX, Windows, etc. The underlying OS must be configured to be compliant with the applicable STIG to ensure that they do not insert known vulnerabilities into the DOD network infrastructure. The IAO/NSO will ensure that servers and other hosts are compliant with applicable Operating System (OS) STIG requirements.Some SAN software may not function correctly on a STIG compliant server or host. Information Assurance OfficerNetwork Security OfficerDCCS-1, DCCS-2
Checks: C-2469r1_chk

The reviewer will interview the IAO/NSO and view the VMS to verify that servers and other hosts are compliant with applicable Operating System (OS) STIG requirements.

Fix: F-6211r1_fix

Perform a self assessment using the applicable OS checklists or scripts on any server or host in the SAN that has not been reviewer or request a formal review from FSO.

c
Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
High - V-6623 - SV-6743r1_rule
RMF Control
Severity
H
CCI
Version
SAN04.006.00
Vuln IDs
  • V-6623
Rule IDs
  • SV-6743r1_rule
The SAN servers and other hosts are subject to virus and worm attacks as are any systems running an OS. If the anti-virus software is not installed or the virus definitions are not maintained on these systems, this could expose the entire enclave network to exploits of known vulnerabilities. The IAO/NSO will ensure that vendor supported, DOD approved, anti-virus software is installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.Information Assurance OfficerNetwork Security Officer
Checks: C-2472r1_chk

The reviewer will verify that vendor supported, DOD approved, anti-virus software is installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables. If an OS review has reciently been completed verify that the anti-virus check was not a finding. Otherwise perform a manual check as described in the applicable OS checklist.

Fix: F-6212r1_fix

Install and correctly configure a DOD approved anti-virus.

b
A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.
Medium - V-6628 - SV-6748r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.007.00
Vuln IDs
  • V-6628
Rule IDs
  • SV-6748r1_rule
A drawing of the SAN topology gives the IAO and other interested individuals a pictorial representation of the SAN. This can be helpful in diagnosing potential security problems. The IAO/NSO will maintain a current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment.Information Assurance OfficerNetwork Security OfficerDCHW-1
Checks: C-2481r1_chk

The reviewer will interview the IAO/NSO and view the drawings supplied to verify that a current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment.

Fix: F-6217r1_fix

Create drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment.

b
All the network level devices interconnected to the SAN are not located in a secure room with limited access.
Medium - V-6631 - SV-6751r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.008.00
Vuln IDs
  • V-6631
Rule IDs
  • SV-6751r1_rule
If the network level devices are not located in a secure area they can be tampered with which could lead to a denial of service if the device is powered off or sensitive data can be compromised by a tap connected to the device. The IAO/NSO will ensure that all the network level devices interconnected to the SAN are located in a secure room with limited access.Moving devices can disrupt the SAN environment while the move is taking place.Information Assurance OfficerNetwork Security OfficerPECF-1, PECF-2
Checks: C-2485r1_chk

The reviewer will interview the IAO/NSO and view the network level devices to verify whether they are located in a secure room with limited access.

Fix: F-6219r1_fix

Develop a plan to move the network level devices to a location/room where the can be physically secured in a manner appropriate to the classification level of the data the handle. Obtain CM approval of the plan and then implement the plan moving the devices.

b
Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.
Medium - V-6632 - SV-6752r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.009.00
Vuln IDs
  • V-6632
Rule IDs
  • SV-6752r1_rule
Without identification and authentication unauthorized users could reconfigure the SAN or disrupt its operation by logging in to the fabric switch and executing unauthorized commands. The IAO/NSO will ensure individual user accounts with passwords are set up and maintained for the SAN fabric switch in accordance with the guidance contained in Appendix B, CJCSM and the Network Infrastructure STIG.The IAO/NSO will ensure that individual user accounts with passwords are set up and maintained in accordance with the guidance contained in Appendix B, Chairman Of The Joint Chiefs of Staff Manual CJCSM 6510.1 and the DODI 8500.2.Information Assurance OfficerNetwork Security OfficerIAIA-1, IAIA-2
Checks: C-2486r1_chk

The reviewer, with the assistance of the IAO/NSO, will verify that individual user accounts with passwords are set up and maintained for the SAN fabric switch.

Fix: F-6220r1_fix

Develop a plan to reconfigure the SAN fabric switch to require user accounts and passwords. This plan also needs to include the creation and distribution of user accounts and passwords for each administrator who requires access to the SAN fabric switch. Obtain CM approval of the plan and then implement the plan.

b
The SAN must be configured to use bidirectional authentication.
Medium - V-6633 - SV-6753r2_rule
RMF Control
Severity
M
CCI
Version
SAN04.010.00
Vuln IDs
  • V-6633
Rule IDs
  • SV-6753r2_rule
Switch-to-switch management traffic does not have to be encrypted. Bidirectional authentication ensures that a rogue switch cannot be inserted and be auto configured to join the fabric.Failure to configure all components to use encryption could cause the SAN to degrade or fail.Switch AdministratorInformation Assurance Officer
Checks: C-2487r2_chk

Verify that all fabric switches are configured to bidirectional authentication.

Fix: F-6221r2_fix

Configure the SAN fabric switches to use bidirectional authentication between switches.

a
The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
Low - V-6634 - SV-6768r2_rule
RMF Control
Severity
L
CCI
Version
SAN04.011.00
Vuln IDs
  • V-6634
Rule IDs
  • SV-6768r2_rule
DOD PKI supplies better protection from malicious attacks than userid/password authentication and should be used anytime it is feasible.Failure to develop a plan for the coordinated correction of these vulnerabilities across the SAN could lead to a denial of service caused by a disruption or failure of the SAN.Network Security OfficerInformation Assurance Officer
Checks: C-2526r2_chk

The reviewer will, with the assistance of the IAO/NSO, verify fabric switches are protected by DOD PKI. View the installed device certificates. Verify a DoD -approved certificate is loaded. If any of the certificates have the name or identifier of a non-DoD- approved source in the Issuer field, this is a finding.

Fix: F-6229r2_fix

Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the http://iase.disa.mil/ website for procedures for NIPRNet and SIPRNet.

b
Network management ports on the SAN fabric switches except those needed to support the operational commitments of the sites are not disabled.
Medium - V-6635 - SV-6769r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.012.00
Vuln IDs
  • V-6635
Rule IDs
  • SV-6769r1_rule
Enabled network management ports that are not required expose the SAN fabric switch and the entire network to unnecessary vulnerabilities. By disabling these unneeded ports the exposure profile of the device and network is diminished. The IAO/NSO will disable all network management ports on the SAN fabric switches except those needed to support the operational commitments of the sites.Information Assurance OfficerSwitch AdministratorDCBP-1
Checks: C-2529r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that all network management ports on the SAN fabric switches are disabled except those needed to support the operational commitments of the sites.

Fix: F-6230r1_fix

Develop a plan to locate and disable all network management ports that are not required to support the operational commitments of the sites. Obtain CM approval of the plan and then execute the plan.

b
SAN management is not accomplished using the out-of-band or direct connection method.
Medium - V-6636 - SV-6773r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.013.00
Vuln IDs
  • V-6636
Rule IDs
  • SV-6773r1_rule
Removing the management traffic from the production network diminishes the security profile of the SAN servers by allowing all the management ports to be closed on the production network. The IAO/NSO will ensure that SAN management is accomplished using the out-of-band or direct connection method.Information Assurance OfficerNetwork Security Officer
Checks: C-2537r1_chk

The reviewer will interview the IAO and view the SAN network drawings provided.

Fix: F-6233r1_fix

Develop a plan to migrate the SAN management to an out-of-band network or a direct connect method. Obtain CM approval for the plan and implement the plan.

a
Communications from the management console to the SAN fabric are not protected strong two-factor authentication.
Low - V-6637 - SV-6778r1_rule
RMF Control
Severity
L
CCI
Version
SAN04.014.00
Vuln IDs
  • V-6637
Rule IDs
  • SV-6778r1_rule
Using two-factor authentication between the SAN management console and the fabric enhances the security of the communications carrying privileged functions. It is harder for an unauthorized management console to take control of the SAN. The preferred solution for two-factor authentication is DoD PKI implemented on the CAC or Alternative (Alt) token.Information Assurance OfficerNetwork Security Officer
Checks: C-2544r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that communications from the management console to the SAN fabric are protected using DOD PKI. If another method of two-factor authentication is used, then inspect approval documentation. If two-factor authentication is not used, this is a finding. If two-factor authentication method is not DoD PKI and no approval documentation exists, this is a finding.

Fix: F-6235r1_fix

Develop a plan to migrate to the use of DoD PKI authentication between the SAN management console and the SAN fabric. Obtain CM approval of the plan and implement the plan.

a
The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
Low - V-6638 - SV-6780r1_rule
RMF Control
Severity
L
CCI
Version
SAN04.015.00
Vuln IDs
  • V-6638
Rule IDs
  • SV-6780r1_rule
If the manufacturer's default PKI keys are allowed to remain active on the device, it can be accessed by a malicious individual with access to the default key. The IAO/NSO will ensure that the manufacturer’s default PKI keys are changed prior to attaching the switch to the SAN Fabric.The manufacturer may need to access the device for maintenance. If the PKI keys cannot be reestablished this will fail.Network Security OfficerInformation Assurance OfficerIAIA-1, IAIA-2
Checks: C-2548r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that the manufacturer’s default PKI keys have been changed prior to attaching the switch to the SAN Fabric.

Fix: F-6237r1_fix

Depending on the functionality allowed by the device, develop a plan remove, disable or change the manufacturer’s default PKI certificate so that it cannot be used for identification and authorization. Obtain CM approval for the plan and implement the plan.

a
The SAN is not configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
Low - V-6639 - SV-6783r1_rule
RMF Control
Severity
L
CCI
Version
SAN04.016.00
Vuln IDs
  • V-6639
Rule IDs
  • SV-6783r1_rule
The communication between the SAN management consol and the SAN fabric carries sensitive privileged configuration data. This data's confidentiality will be protected with FIPS 140-1/2 validate algorithm for encryption. Configuration data could be used to create a denial of service by disrupting the SAN fabric. The storage administrator will configure the SAN to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.Other
Checks: C-2555r1_chk

The reviewer will, with the assistance of the storage administrator, verify that the SAN is configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.

Fix: F-6240r1_fix

Develop a plan to implement FIPS-140-1/2 validated encryption to protect management-to-fabric communications. Obtain CM approval of the plan and execute the plan.

c
All SAN management consoles and ports are not password protected.
High - V-6645 - SV-6791r1_rule
RMF Control
Severity
H
CCI
Version
SAN04.017.00
Vuln IDs
  • V-6645
Rule IDs
  • SV-6791r1_rule
Without password protection malicious users can create a denial of service by disrupting the SAN or allow the compromise of sensitive date by reconfiguring the SAN topography. The IAO/NSO will ensure that all SAN management consoles and ports are password protected.Network Security OfficerInformation Assurance Officer
Checks: C-2571r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that all SAN management consoles and ports are password protected.

Fix: F-6248r1_fix

Develop a plan for implementing password protection on the SAN’s management consoles and ports. Obtain CM approval of the plan and execute the plan.

c
The manufacturer’s default passwords have not been changed for all SAN management software.
High - V-6646 - SV-6792r1_rule
RMF Control
Severity
H
CCI
Version
SAN04.018.00
Vuln IDs
  • V-6646
Rule IDs
  • SV-6792r1_rule
The changing of passwords from the default value blocks malicious users with knowledge of the default passwords for the manufacturer's SAN Management software from creating a denial of service by disrupting the SAN or reconfigure the SAN topology leading to a compromise of sensitive data. The IAO/NSO will ensure that the manufacturer’s default passwords are changed for all SAN management software.Network Security OfficerInformation Assurance Officer
Checks: C-2572r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that the manufacturer’s default passwords have been changed for all SAN management software.

Fix: F-6249r1_fix

Develop a plan to change manufacturer’s default passwords for all SAN management software. Obtain CM approval of the plan and implement the plan.

c
The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
High - V-6647 - SV-6793r1_rule
RMF Control
Severity
H
CCI
Version
SAN04.019.00
Vuln IDs
  • V-6647
Rule IDs
  • SV-6793r1_rule
By using the Deny-by-Default based policy, any service or protocol not required by a port and overlooked in the zoning list will be denied access. If Deny-by-Default based policy was not used any overlooked service or protocol not required by a port could have access to sensitive data compromising that data. The IAO/NSO will ensure that SAN fabric zoning lists are based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.Changing to a policy based on Deny-by-Default can cause overlooked services or protocols required by a port to be denied access to data they need.Network Security OfficerInformation Assurance OfficerDCBP-1
Checks: C-2573r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that SAN fabric zoning lists are based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.

Fix: F-6250r1_fix

Develop a plan to identify all services and protocols needed by each port in the SAN, modify the routing lists to enforce a Deny-by-Default policy and allow only the identified services and protocols on each port that requires them. Obtain CM approval for the plan and implement the plan.

a
Attempts to access ports, protocols, or services that are denied are not logged..
Low - V-6648 - SV-6794r1_rule
RMF Control
Severity
L
CCI
Version
SAN04.020.00
Vuln IDs
  • V-6648
Rule IDs
  • SV-6794r1_rule
Logging or auditing of failed access attempts is a necessary component for the forensic investigation of security incidents. Without logging there is no way to demonstrate that the access attempt was made or when it was made. Additionally a pattern of access failures cannot be demonstrated to assert that an intended attack was being made as apposed to an accidental intrusion. The IAO/NSO will ensure that all attempts to any port, protocol, or service that is denied are logged.If sufficient space is not allowed for logging or auditing, a denial of service or loss of data could be caused by overflowing the space allocated.Network Security OfficerInformation Assurance Officer
Checks: C-2574r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that all attempts to any port, protocol, or service that is denied are logged.

Fix: F-6251r1_fix

Develop a plan to implement the logging of failed or rejected ports, protocols or services requests. The plan should include a projection of the storage requirements of the logged events. Obtain CM approval of the plan and execute it.

b
Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
Medium - V-6652 - SV-6798r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.021.00
Vuln IDs
  • V-6652
Rule IDs
  • SV-6798r1_rule
There are vulnerabilities in some implementations and some configurations of SNMP. Therefore if SNMP is used the guidelines found in the Network Infrastructure STIG in selecting a version of SNMP to use and how to configure it will be followed. If Simple Network Management Protocol (SNMP) is used, the IAO/NSO will ensure it is configured in accordance with the guidance contained in the Network Infrastructure STIG.Network monitoring tools that are not modified to match the configuration used for SNMP in the SAN will fail.Network Security OfficerInformation Assurance Officer
Checks: C-2576r1_chk

With the assistance of the IAO/NSO, verify that if Simple Network Management Protocol (SNMP) is used, it is configured in accordance with the guidance contained in the Network Infrastructure STIG. NOTE: The intent of this check is to ensure that the other checklists were applied. If they are applied then, regardless of what the findings are, this is not a finding. The objective of this policy is met if the other checklist was applied and documented.

Fix: F-6252r1_fix

Develop a plan to implement SNMP that is compliant with the Network Infrastructure STIG. Obtain CM approval and execute the plan. NOTE: The intent of this check is to ensure that the other applicable checklists were applied. If they are applied then, regardless of what the findings are, this is not a finding. The objective of this policy is met if the other checklists were applied and documented.

c
Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
High - V-6656 - SV-6802r1_rule
RMF Control
Severity
H
CCI
Version
SAN04.022.00
Vuln IDs
  • V-6656
Rule IDs
  • SV-6802r1_rule
SNMP, by virtue of what it is designed to do, can be a large security risk. Because SNMP can obtain device information and set device parameters, unauthorized users can cause damage. Restricting IP address that can access SNMP on the SAN devices will further limit the possibility of malicious access being made. The IAO/NSO will ensure that only authorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.Network Security OfficerInformation Assurance OfficerDCBP-1
Checks: C-2581r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that only authorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices. This can be done with by checking the ACLs for the SAN device ports.

Fix: F-6253r1_fix

Develop a plan to restrict SNMP access to SAN devices to authorized IP addresses. Obtain CM approval for the plan and implement the plan.

b
The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
Medium - V-6657 - SV-6803r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.023.00
Vuln IDs
  • V-6657
Rule IDs
  • SV-6803r1_rule
SNMP, by virtue of what it is designed to do, can be a large security risk. Because SNMP can obtain device information and set device parameters, unauthorized users can cause damage. Therefore access to a SAN device from an IP address outside of the internal network will not be allowed. The IAO/NSO will ensure IP addresses of the hosts that are permitted SNMP access to the SAN management devices belong to the internal network.Network Security OfficerInformation Assurance Officer
Checks: C-2583r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that the IP addresses of the hosts permitted SNMP access to the SAN management devices belong to the internal network. The ACLs for the SAN ports should be checked.

Fix: F-6254r1_fix

Develop a plan to restrict SNMP access to SAN devices to only internal network IP addresses. Obtain CM approval of the plan and implement the plan.

a
End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.
Low - V-6660 - SV-6807r1_rule
RMF Control
Severity
L
CCI
Version
SAN04.024.00
Vuln IDs
  • V-6660
Rule IDs
  • SV-6807r1_rule
End-user platforms should only be connected to servers that run applications that access the data found on the SAN devices. SANs do not supply a robust user identification and authentication platform. They depend on the servers and applications to authenticate the users and restrict access to users as required. The IAO/NSO will ensure that end-user platforms are not directly attached to the Fibre Channel network and may not access storage devices directly.End-user platforms attached to the SAN may be dependent upon the SAN for storage. An alternate type of storage will need to be found for these platforms.Network Security OfficerInformation Assurance OfficerDCBP-1
Checks: C-2586r1_chk

The reviewer will, with the assistance of the IAO/NSO, verify that end-user platforms are not directly attached to the Fibre Channel network and may not access storage devices directly. If the SAN is small with all of its components collocated, this can be done by a visual inspection but in most cases the reviewer will have to check the SAN network drawing.

Fix: F-6255r1_fix

Develop a plan to remove end-user platforms from the SAN. Obtain CM approval for the plan and implement the plan.

b
Fabric switch configurations and management station configuration are not archived and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.
Medium - V-6661 - SV-6809r1_rule
RMF Control
Severity
M
CCI
Version
SAN05.001.00
Vuln IDs
  • V-6661
Rule IDs
  • SV-6809r1_rule
.Backup and recovery procedures are critical to the security and availability of the SAN system. If a system is compromised, shut down, or otherwise not available for service, this could hinder the availability of resources to the warfighter. The IAO/NSO will ensure that all fabric switch configurations and management station configuration are archived and copies of the operating system and other critical software for all SAN components are stored in a fire rated container or otherwise not collocated with the operational software.Network Security OfficerInformation Assurance OfficerCOSW-1
Checks: C-2589r1_chk

The reviewer will interview the IAO/NSO and view the stored information to verify that all fabric switch configurations and management station configuration are archived and copies of the operating system and other critical software for all SAN components are stored in a fire rated container or otherwise not collocated with the operational software.

Fix: F-6256r1_fix

Develop a plan that will ensure that all fabric switch configurations and management station configuration are archived and copies of the operating system and other critical software for all SAN components are stored in a fire rated container or otherwise not collocated with the operational software. Obtain CM approval for the plan and implement the plan.

b
SAN components are not configured with fixed IP addresses.
Medium - V-7081 - SV-7465r1_rule
RMF Control
Severity
M
CCI
Version
SAN04.025.00
Vuln IDs
  • V-7081
Rule IDs
  • SV-7465r1_rule
Without fixed IP address filtering or restricting of access based on IP addressing will not function correctly allowing unauthorized access to SAN components or creating a denial of service by blocking legitimate traffic from authorized components. The storage administrator will ensure that all SAN components are configured to use static IP addresses.If this is not done in a coordinated manner with all access lists a denial of service could be created.System AdministratorDCBP-1
Checks: C-4374r1_chk

The reviewer with the assistance of the SA will verify that all SAN components are configured with fixed IP addresses.

Fix: F-6781r1_fix

Configure all SAN components to have fixed IP addresses.