Check: SAN03.002.00
Storage Area Network STIG:
SAN03.002.00
(in versions v2 r4 through v2 r2)
Title
Hard zoning is not used to protect the SAN. (Cat I impact)
Discussion
Risk: In a SAN environment, data with differing classification levels or need-to-know may be stored on the same "system". A high level of assurance is required that a valid entity (user, system, or process) authorized for one set of data is not inadvertently given access to data it is not authorized for. Depending on the data and the implementation, lack of hard zoning could expose classified data, administrative configuration, or other privileged information.
A zone is considered "hard" if it is hardware enforced; in other words, membership is always enforced by the ASIC at the destination port, which drops frames from devices outside the zone. "Soft" zoning is more flexible but is also more vulnerable. In "soft" or WWN-enforced zoning, the switch's name server only filters what an initiator is told about; the HBA on the initiating device stores a copy of the name server entries it received during its last I/O scan or discovery. It is possible for the HBA to retain old addresses that are no longer permitted under the newly established zoning rules and to keep sending frames to them. The goal is to mitigate this risk in some way. If hardware-enforced zoning is used this is not an issue, because the destination port will not allow access regardless of what the OS/HBA "thinks" it has access to.
Supplementary Note: Registered State Change Notification (RSCN) storms in large SAN deployments are another factor of which the system administrator must be aware. An RSCN is a broadcast function that notifies registered devices when a state change occurs within the SAN topology. The change could be as simple as a cable being unplugged or a new HBA being connected. When such a change takes place, all members must be notified and conflicts resolved before the name servers are updated. In large configurations it can take a long time for the entire system to stabilize, impairing performance. Effective zoning on the switch helps minimize RSCN storms, because only devices within the affected zone are notified of a state change.
It is also advisable to identify business-critical servers and to make changes to the zones and fabrics that affect them outside business-critical hours. Tape fabrics can also be separated from disk fabrics (although this comes at a cost). RSCN statistics are available from some switch vendors; monitoring them consistently, and reviewing them before expanding a SAN, supports effective storage deployments.
Check Content
The reviewer, with the assistance of the IAO/NSO, will verify that hard zoning is used to protect the SAN. If soft zoning is used, this is a finding. If soft zoning must be used and the DAA has approved it, this remains a finding, downgraded to CAT II, and a migration plan to hard zoning must be in place. Note also that the HBA's cached name server entries are held in non-persistent memory and are refreshed only on discovery, so a policy must be in place (its enforcement shown via the log) to force a state change update in the affected HBAs immediately after any zoning change is made.
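To make the mechanism in the Discussion and the forced-rescan policy in the Check Content concrete, the following simulation is added here; it is not part of the STIG and is not vendor code. It models a fabric whose name server filters discovery responses by zone (the only enforcement under soft zoning) and a destination-port check that stands in for the ASIC under hard zoning, then removes an initiator from a zone after its HBA has cached the target's address. The zone names, WWNs and FCIDs are constructed for the example.

```python
"""Simulation of soft vs. hard zoning enforcement (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Fabric:
    """Switch fabric state: active zone set and the name server (WWN -> FCID)."""
    zones: dict[str, set[str]]
    name_server: dict[str, str]

    def zoned_together(self, a: str, b: str) -> bool:
        """True if at least one active zone contains both WWNs."""
        return any(a in members and b in members for members in self.zones.values())

    def name_server_query(self, initiator: str) -> dict[str, str]:
        """What the name server returns to an initiator: only zoned targets.
        Under soft zoning this filtering is the whole of the enforcement."""
        return {wwn: fcid for wwn, fcid in self.name_server.items()
                if wwn != initiator and self.zoned_together(initiator, wwn)}

    def deliver(self, src: str, dst: str, hard_zoning: bool) -> str:
        """Forward a frame from src to dst. Under hard zoning the destination
        port ASIC drops frames between WWNs that are not zoned together;
        under soft zoning any frame with a known FCID is delivered."""
        if hard_zoning and not self.zoned_together(src, dst):
            return "denied"
        return "ok"


@dataclass
class HBA:
    """Initiator HBA holding a cached copy of its last name server response."""
    wwn: str
    cache: dict[str, str] = field(default_factory=dict)

    def discover(self, fabric: Fabric) -> None:
        """Rescan: replace the cache with the current name server answer."""
        self.cache = fabric.name_server_query(self.wwn)

    def io(self, fabric: Fabric, target: str, hard_zoning: bool) -> str:
        """Attempt I/O to a target WWN using whatever address the HBA cached."""
        if target not in self.cache:
            return "no-route"   # HBA never learned, or has dropped, the address
        return fabric.deliver(self.wwn, target, hard_zoning)


def stale_cache_scenario(hard_zoning: bool, force_rescan: bool = False) -> str:
    """Remove an initiator from a zone after it has cached the target's address,
    then report whether I/O to that target still succeeds."""
    # Constructed WWNs/FCIDs: a database server zoned to its own storage and,
    # initially, to an administrative target it is about to lose access to.
    fabric = Fabric(
        zones={
            "zone_db":    {"10:00:00:00:aa:00:00:01", "50:00:00:00:aa:00:00:10"},
            "zone_admin": {"10:00:00:00:aa:00:00:01", "50:00:00:00:aa:00:00:20"},
        },
        name_server={
            "10:00:00:00:aa:00:00:01": "010100",
            "50:00:00:00:aa:00:00:10": "010200",
            "50:00:00:00:aa:00:00:20": "010300",
        },
    )
    db_server = HBA("10:00:00:00:aa:00:00:01")
    db_server.discover(fabric)                      # caches both targets

    # Zoning change: the database server is removed from the admin zone.
    fabric.zones["zone_admin"] = {"50:00:00:00:aa:00:00:20"}
    if force_rescan:
        db_server.discover(fabric)                  # the policy the check requires

    return db_server.io(fabric, "50:00:00:00:aa:00:00:20", hard_zoning)


if __name__ == "__main__":
    for hard in (False, True):
        for rescan in (False, True):
            mode = "hard" if hard else "soft"
            print(f"{mode} zoning, forced rescan={rescan}: "
                  f"{stale_cache_scenario(hard, rescan)}")
```

Run stand-alone, the four combinations show the point of the check: soft zoning with no forced rescan still returns "ok" for the removed target because the HBA's stale cache carries the FCID and nothing in the data path stops the frame; forcing a rescan after the zoning change removes the route, and hard zoning denies the frame at the destination port whether or not the HBA rescanned.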
Fix Text
If zoning has not been implemented, develop a zone topology. From the topology, create a plan to implement hard zoning, obtain CM approval of the plan and then, following the plan, reconfigure the SAN to support hard zoning. If zoning has already been implemented, develop a plan to migrate to hard zoning, obtain CM approval of the plan and then, following the plan, reconfigure the SAN to support hard zoning.
Additional Identifiers
Rule ID: SV-6727r1_rule
Vulnerability ID: V-6608
Group Title: Hard zoning is not used to protect the SAN.
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |