III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
Hard zoning is not used to protect the SAN.
<GroupDescription></GroupDescription>Group -
Hard zoning is not used to protect the SAN.
<VulnDiscussion>Risk: In a SAN environment, we potentially have data with differing levels or need-to-know stored on the same "system". A h...Rule High Severity -
Compliance with Network Infrastructure and Enclave
<GroupDescription></GroupDescription>Group -
The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG
<VulnDiscussion>Inconsistencies with the Network Infrastructure STIG, the Enclave STIG, and the SAN implementation can lead to the creation o...Rule Medium Severity -
All security related patches are not installed.
<GroupDescription></GroupDescription>Group -
All security related patches are not installed.
<VulnDiscussion>Failure to install security related patches leaves the SAN open to attack by exploiting known vulnerabilities. The IAO/NSO wi...Rule Medium Severity -
Component Compliance with applicable STIG
<GroupDescription></GroupDescription>Group -
Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
<VulnDiscussion>Many SAN components (servers, switches, management stations) have security requirements from other STIGs. It will be verifie...Rule Medium Severity -
Servers and hosts OS STIG Requirements
<GroupDescription></GroupDescription>Group -
Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.
<VulnDiscussion>SAN servers and other hosts are hardware software combinations that actually run under the control of a native OS found on th...Rule Medium Severity -
Anti-virus on servers and host.
<GroupDescription></GroupDescription>Group -
Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
<VulnDiscussion>The SAN servers and other hosts are subject to virus and worm attacks as are any systems running an OS. If the anti-virus so...Rule High Severity -
SAN Topology Drawing
<GroupDescription></GroupDescription>Group -
A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.
<VulnDiscussion>A drawing of the SAN topology gives the IAO and other interested individuals a pictorial representation of the SAN. This can...Rule Medium Severity -
Physical Access to SAN Network Devices
<GroupDescription></GroupDescription>Group -
All the network level devices interconnected to the SAN are not located in a secure room with limited access.
<VulnDiscussion>If the network level devices are not located in a secure area they can be tampered with which could lead to a denial of servi...Rule Medium Severity -
SAN Fabric Switch User Accounts with Passwords
<GroupDescription></GroupDescription>Group -
Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.
<VulnDiscussion>Without identification and authentication unauthorized users could reconfigure the SAN or disrupt its operation by logging in...Rule Medium Severity -
Fabric Switches do not have bidirectional authentication
<GroupDescription></GroupDescription>Group -
The SAN must be configured to use bidirectional authentication.
<VulnDiscussion>Switch-to-switch management traffic does not have to be encrypted. Bidirectional authentication ensures that a rogue switch c...Rule Medium Severity -
SAN Switch encryption and DOD PKI
<GroupDescription></GroupDescription>Group -
The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
<VulnDiscussion>DOD PKI supplies better protection from malicious attacks than userid/password authentication and should be used anytime it i...Rule Low Severity -
SAN Network Management Ports Fabric Switch
<GroupDescription></GroupDescription>Group -
Network management ports on the SAN fabric switches except those needed to support the operational commitments of the sites are not disabled.
<VulnDiscussion>Enabled network management ports that are not required expose the SAN fabric switch and the entire network to unnecessary vul...Rule Medium Severity -
SAN management out-of-band or direct connect
<GroupDescription></GroupDescription>Group -
SAN management is not accomplished using the out-of-band or direct connection method.
<VulnDiscussion>Removing the management traffic from the production network diminishes the security profile of the SAN servers by allowing al...Rule Medium Severity -
Management Console to SAN Fabric Authentication
<GroupDescription></GroupDescription>Group -
Communications from the management console to the SAN fabric are not protected strong two-factor authentication.
<VulnDiscussion>Using two-factor authentication between the SAN management console and the fabric enhances the security of the communications...Rule Low Severity -
Default PKI keys
<GroupDescription></GroupDescription>Group -
The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
<VulnDiscussion>If the manufacturer's default PKI keys are allowed to remain active on the device, it can be accessed by a malicious individu...Rule Low Severity -
FIPS 140-1/2 for management to fabric.
<GroupDescription></GroupDescription>Group -
The SAN is not configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
<VulnDiscussion>The communication between the SAN management consol and the SAN fabric carries sensitive privileged configuration data. This...Rule Low Severity -
Password SAN Management Console and Ports
<GroupDescription></GroupDescription>Group -
All SAN management consoles and ports are not password protected.
<VulnDiscussion>Without password protection malicious users can create a denial of service by disrupting the SAN or allow the compromise of s...Rule High Severity -
Default SAN Management Software Password
<GroupDescription></GroupDescription>Group -
The manufacturer’s default passwords have not been changed for all SAN management software.
<VulnDiscussion>The changing of passwords from the default value blocks malicious users with knowledge of the default passwords for the manuf...Rule High Severity -
SAN Fabric Zoning List Deny-By-Default
<GroupDescription></GroupDescription>Group -
The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
<VulnDiscussion>By using the Deny-by-Default based policy, any service or protocol not required by a port and overlooked in the zoning list w...Rule High Severity -
Logging Failed Access to Port, Protocols, Services
<GroupDescription></GroupDescription>Group -
Attempts to access ports, protocols, or services that are denied are not logged..
<VulnDiscussion>Logging or auditing of failed access attempts is a necessary component for the forensic investigation of security incidents. ...Rule Low Severity -
SNMP usage and configuration.
<GroupDescription></GroupDescription>Group -
Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
<VulnDiscussion>There are vulnerabilities in some implementations and some configurations of SNMP. Therefore if SNMP is used the guidelines ...Rule Medium Severity -
Authorized IP Addresses allowed for SNMP
<GroupDescription></GroupDescription>Group -
Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
<VulnDiscussion>SNMP, by virtue of what it is designed to do, can be a large security risk. Because SNMP can obtain device information and se...Rule High Severity -
Only Internal Network SNMP Access to SAN
<GroupDescription></GroupDescription>Group -
The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
<VulnDiscussion>SNMP, by virtue of what it is designed to do, can be a large security risk. Because SNMP can obtain device information and se...Rule Medium Severity -
Fibre Channel network End-User Platform Restricted
<GroupDescription></GroupDescription>Group -
End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.
<VulnDiscussion>End-user platforms should only be connected to servers that run applications that access the data found on the SAN devices. ...Rule Low Severity -
Backup of critical SAN Software and configurations
<GroupDescription></GroupDescription>Group -
Fabric switch configurations and management station configuration are not archived and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.
<VulnDiscussion>.Backup and recovery procedures are critical to the security and availability of the SAN system. If a system is compromised,...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.