Hard zoning is not used to protect the SAN.

From Storage Area Network STIG

Part of Hard zoning is not used to protect the SAN.

Associated with IA controls: ECCD-2, ECCD-1

SV-6727r3_rule Hard zoning is not used to protect the SAN.

Vulnerability discussion

Risk: In a SAN environment, data with differing classification levels or need-to-know may be stored on the same "system". A high level of assurance is required that a valid entity (user/system/process) authorized for one set of data is not inadvertently given access to data it is not authorized for.

A zone is considered "hard" if it is hardware enforced: the destination ASIC checks every frame against the active zoning rules, so the restriction holds regardless of what the initiator believes it can reach. "Soft" zoning is more flexible but also more vulnerable. In "soft" or WWN-enforced zoning, the HBA on each initiating device stores a copy of the name server entries discovered during its last I/O scan/discovery. That cached copy can still contain addresses that are no longer permitted under newly established zoning rules, and the HBA can continue to address them. The goal is to mitigate this risk. If hardware-enforced zoning is used this is not an issue, because the destination port will refuse the access regardless of what the OS/HBA "thinks" it has access to.

The IAO/NSO will ensure that hard zoning is used to protect the SAN.
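The stale-cache failure mode described above, as an added toy model (not part of the STIG text, and not a model of any vendor's fabric): with soft zoning the name server filters what an initiator discovers, but nothing on the destination side re-checks a frame sent to a target the HBA already cached; with hard zoning the destination port drops it. The Fabric and HBA classes, their methods and the WWNs are simplified constructs for this example only.

```python
"""Toy model of soft (name-server) versus hard (destination-ASIC) zoning.

Added illustration for this rule; not part of the STIG text and not a model of
any vendor's fabric. The classes, methods and WWNs are constructed for this
example only.
"""


class Fabric:
    def __init__(self, hard_enforced):
        # zone name -> set of member port WWNs
        self.zones = {}
        # True: the destination port's ASIC checks every frame against the
        # active zone set. False: zoning only filters name-server responses.
        self.hard_enforced = hard_enforced

    def zoned_together(self, src, dst):
        return any(src in m and dst in m for m in self.zones.values())

    def name_server_query(self, src):
        """Soft zoning: the name server only returns targets zoned with src."""
        return {t for m in self.zones.values() if src in m for t in m if t != src}

    def deliver(self, src, dst):
        """Destination-side check. With hard zoning the frame is dropped when
        src and dst are not zoned together; with soft zoning nothing on the
        destination side stops a frame for a target the initiator already knows."""
        if self.hard_enforced and not self.zoned_together(src, dst):
            return "dropped"
        return "delivered"


class HBA:
    def __init__(self, wwn):
        self.wwn = wwn
        self.cached_targets = set()  # name-server entries from the last discovery

    def discover(self, fabric):
        self.cached_targets = fabric.name_server_query(self.wwn)

    def send(self, fabric, dst):
        if dst not in self.cached_targets:
            return "unknown target"  # the HBA never learned this address
        return fabric.deliver(self.wwn, dst)


HOST_A = "10:00:00:00:c9:00:00:01"   # constructed sample WWNs
ARRAY_X = "50:06:01:60:00:00:00:01"


def scenario(hard_enforced, force_rediscovery):
    """Host A is zoned to array port X, then the zone is removed. Returns what
    happens when A sends a frame to X after the change."""
    fabric = Fabric(hard_enforced)
    fabric.zones["zone_A_X"] = {HOST_A, ARRAY_X}
    hba = HBA(HOST_A)
    hba.discover(fabric)              # cache now holds ARRAY_X
    del fabric.zones["zone_A_X"]      # zoning change: A may no longer reach X
    if force_rediscovery:
        hba.discover(fabric)          # the state-change update the check requires
    return hba.send(fabric, ARRAY_X)


if __name__ == "__main__":
    for hard, redisc in [(False, False), (False, True), (True, False)]:
        print(f"hard_enforced={hard} rediscovery={redisc}: {scenario(hard, redisc)}")
```

Soft zoning without a forced rediscovery delivers the frame to a target the host is no longer zoned to; forcing the HBA to rediscover closes that window, and hard zoning drops the frame at the destination whether or not the cache was refreshed.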

Check content

The reviewer, with the assistance of the IAO/NSO, will verify that hard zoning is used to protect the SAN. If soft zoning is used, this is a finding. If soft zoning must be used (with DAA approval), this is still a CAT II finding and a migration plan must be in place. Note also that the HBA’s memory is non-persistent, so when zoning changes are made a policy must be in place (shown via the log to be enforced) to force a state change update in the affected HBAs immediately after making zoning changes.
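One way to script the first part of this check, as an added example that is not from the STIG or any vendor tool: walk a zone listing and flag every zone whose members are WWNs (soft, name-based) rather than domain,port pairs (port-based, hardware-enforced), plus zones that mix the two. The input format here is a constructed, simplified listing ("zone NAME: member; member"); real switch output differs per vendor and the parser must be adapted to it.

```python
"""Audit a zone listing for port-based (hard) versus WWN (soft) membership.

Added example for the reviewer's check; not from the STIG or any vendor tool.
The listing format and the zone contents below are constructed for this example.
"""
import re

# 8-byte WWN written as colon-separated hex, e.g. 10:00:00:00:c9:11:22:33
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)
# domain,port pair, e.g. 1,5
PORT_RE = re.compile(r"^\d{1,3},\d{1,3}$")

# Constructed sample listing: one zone per line, members separated by ';'.
SAMPLE_ZONES = """\
zone zone_db01_array1: 1,5; 1,12
zone zone_app02_array1: 10:00:00:00:c9:11:22:33; 50:06:01:60:aa:bb:cc:dd
zone zone_mixed: 2,7; 50:06:01:61:aa:bb:cc:dd
"""


def parse_zones(text):
    """Return {zone name: [members]} from the simplified listing format."""
    zones = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("zone "):
            continue
        # The first ':' ends the zone name; later colons belong to WWNs.
        name, _, members = line[len("zone "):].partition(":")
        zones[name.strip()] = [m.strip() for m in members.split(";") if m.strip()]
    return zones


def classify_member(member):
    if PORT_RE.match(member):
        return "port"
    if WWN_RE.match(member):
        return "wwn"
    raise ValueError(f"unrecognised zone member {member!r}")


def audit(zones):
    """Return {zone name: 'hard' | 'soft' | 'mixed'}."""
    result = {}
    for name, members in zones.items():
        kinds = {classify_member(m) for m in members}
        if kinds == {"port"}:
            result[name] = "hard"
        elif kinds == {"wwn"}:
            result[name] = "soft"
        else:
            result[name] = "mixed"
    return result


def findings(zones):
    """Zones that are findings under this rule: anything not purely port-based."""
    return sorted(name for name, status in audit(zones).items() if status != "hard")


if __name__ == "__main__":
    parsed = parse_zones(SAMPLE_ZONES)
    for name, status in audit(parsed).items():
        print(f"{name}: {status}")
    print("findings:", findings(parsed))
```

Member type is only a first pass: some switch families enforce WWN zones in hardware as well, so confirm the enforcement mode the switch actually reports for each port rather than inferring it from the member format alone, and pair the output with the log evidence that the forced HBA state-change update is carried out after every zoning change.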

Fix text

If zoning has not been implemented, develop a zone topology; from the topology create a plan to implement hard zoning, obtain CM approval of the plan and then, following the plan, reconfigure the SAN to support hard zoning. If zoning has been implemented, develop a plan to migrate to hard zoning, obtain CM approval of the plan and then, following the plan, reconfigure the SAN to support hard zoning.


Powered by sagemincer