Title

End-user platforms are directly attached to the Fibre Channel network or access storage devices directly. (Cat III impact)

Discussion

End-user platforms should only be connected to servers that run applications that access the data found on the SAN devices. SANs do not supply a robust user identification and authentication platform. They depend on the servers and applications to authenticate the users and restrict access to users as required. The IAO/NSO will ensure that end-user platforms are not directly attached to the Fibre Channel network and may not access storage devices directly.

Check Content

The reviewer will, with the assistance of the IAO/NSO, verify that end-user platforms are not directly attached to the Fibre Channel network and may not access storage devices directly. If the SAN is small with all of its components collocated, this can be done by a visual inspection but in most cases the reviewer will have to check the SAN network drawing.

Fix Text

Develop a plan to remove end-user platforms from the SAN. Obtain CM approval for the plan and implement the plan.

Additional Identifiers

Rule ID: SV-6807r1_rule

Vulnerability ID: V-6660

Group Title: Fibre Channel network End-User Platform Restricted

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.