Storage Area Network STIG

Hard zoning is not used to protect the SAN.

Hard zoning is not used to protect the SAN.

Compliance with Network Infrastructure and Enclave

The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG

All security related patches are not installed.

All security related patches are not installed.

Component Compliance with applicable STIG

Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.

Servers and hosts OS STIG Requirements

Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.

Anti-virus on servers and host.

Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.

SAN Topology Drawing

SAN Fabric Zoning List Deny-By-Default

Physical Access to SAN Network Devices

All the network level devices interconnected to the SAN are not located in a secure room with limited access.

SAN Fabric Switch User Accounts with Passwords

Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.

Fabric Switches do not have bidirectional authentication

The SAN must be configured to use bidirectional authentication.

SAN Switch encryption and DOD PKI

The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.

SAN Network Management Ports Fabric Switch

Network management ports on the SAN fabric switches except those needed to support the operational commitments of the sites are not disabled.

SAN management out-of-band or direct connect

SAN management is not accomplished using the out-of-band or direct connection method.

Management Console to SAN Fabric Authentication

Communications from the management console to the SAN fabric are not protected strong two-factor authentication.

Default PKI keys

FIPS 140-1/2 for management to fabric.

The SAN is not configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.

Password SAN Management Console and Ports

All SAN management consoles and ports are not password protected.

Default SAN Management Software Password

The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.

Logging Failed Access to Port, Protocols, Services

Attempts to access ports, protocols, or services that are denied are not logged..

SNMP usage and configuration.

Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.

Authorized IP Addresses allowed for SNMP

Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.

Only Internal Network SNMP Access to SAN

The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.

Fibre Channel network End-User Platform Restricted

End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.

Backup of critical SAN Software and configurations

Fabric switch configurations and management station configuration are not archived and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.

SAN Fixed IP Required.

SAN components are not configured with fixed IP addresses.

A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.