II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
SAN Switch encryption and DOD PKI
Group -
The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
DOD PKI supplies better protection from malicious attacks than userid/password authentication and should be used any time it is feasible.
Rule Low Severity -
SAN Network Management Ports Fabric Switch
Group -
Network management ports on the SAN fabric switches, except those needed to support the operational commitments of the site, are not disabled.
Enabled network management ports that are not required expose the SAN fabric switch and the entire network to unnecessary vulnerabilities. By disabling these unneeded ports the exposure profile of...
Rule Medium Severity -
SAN management out-of-band or direct connect
Group -
SAN management is not accomplished using the out-of-band or direct connection method.
Removing the management traffic from the production network diminishes the security profile of the SAN servers by allowing all the management ports to be closed on the production network. The IAO/N...
Rule Medium Severity -
Management Console to SAN Fabric Authentication
Group -
Communications from the management console to the SAN fabric are not protected by strong two-factor authentication.
Using two-factor authentication between the SAN management console and the fabric enhances the security of the communications carrying privileged functions. It is harder for an unauthorized manage...
Rule Low Severity -
Default PKI keys
Group -
The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
If the manufacturer's default PKI keys are allowed to remain active on the device, it can be accessed by a malicious individual with access to the default key. The IAO/NSO will ensure that the manu...
Rule Low Severity -
FIPS 140-1/2 for management to fabric.
Group -
The SAN is not configured to use a FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
The communication between the SAN management console and the SAN fabric carries sensitive privileged configuration data. This data's confidentiality will be protected with FIPS 140-1/2 validated alg...
Rule Low Severity -
Password SAN Management Console and Ports
Group -
All SAN management consoles and ports are not password protected.
Without password protection, malicious users can create a denial of service by disrupting the SAN or allow the compromise of sensitive data by reconfiguring the SAN topology. The IAO/NSO will ensu...
Rule High Severity -
Default SAN Management Software Password
Group -
The manufacturer’s default passwords have not been changed for all SAN management software.
Changing passwords from the default value blocks malicious users with knowledge of the default passwords for the manufacturer's SAN Management software from creating a denial of service by d...
Rule High Severity -
SAN Fabric Zoning List Deny-By-Default
Group -
The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
By using the Deny-by-Default based policy, any service or protocol not required by a port and overlooked in the zoning list will be denied access. If Deny-by-Default based policy was not used any ...
Rule High Severity -
Logging Failed Access to Port, Protocols, Services
Group -
Attempts to access ports, protocols, or services that are denied are not logged.
Logging or auditing of failed access attempts is a necessary component for the forensic investigation of security incidents. Without logging there is no way to demonstrate that the access attempt ...
Rule Low Severity