ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-246963	NAOT-SC-000005	SV-246963r835277_rule		Medium

Description
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Usually, DoS attacks are assumed to be network related where the attacker floods the network with traffic that causes legitimate network traffic to be either slowed or blocked. For a storage device, a DoS attack can also occur when an attacker is able to make the data on the disks unreadable, thus unavailable, to the customer. This is a common attack used by ransomware where the attacker encrypts the data on the drives requesting payment for the unencryption key. By using data authentication keys, an attacker is unable to read or write data to the drives. It is also important to make sure the mode of the drives is set to full, otherwise only some of the data on the drive is protected.

Description

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Usually, DoS attacks are assumed to be network related where the attacker floods the network with traffic that causes legitimate network traffic to be either slowed or blocked. For a storage device, a DoS attack can also occur when an attacker is able to make the data on the disks unreadable, thus unavailable, to the customer. This is a common attack used by ransomware where the attacker encrypts the data on the drives requesting payment for the unencryption key. By using data authentication keys, an attacker is unable to read or write data to the drives. It is also important to make sure the mode of the drives is set to full, otherwise only some of the data on the drive is protected.

STIG	Date
NetApp ONTAP DSC 9.x Security Technical Implementation Guide	2022-06-07

Details

Check Text ( C-50395r835275_chk )
Validate that a data authentication key has been assigned using the command "storage encryption disk show". If any of the disks has a mode other than "full" or the Data Key ID is missing, this is a finding.

Fix Text (F-50349r835276_fix)
Configure ONTAP to use a data authentication key for access with the command "storage encryption disk modify -disk -data-key-id " where disk_ID is the disk and key_ID is the data authentication key. To verify the key is set, use the command "storage encryption disk show -disk ". The command will show the data mode. The mode must be set to full. If the mode is not set to full, use the command "disk modify -disk -protection-mode full" to set the mode to full. Validate the mode changed using the command "storage encryption disk show -disk ".

Fix Text (F-50349r835276_fix)

Configure ONTAP to use a data authentication key for access with the command "storage encryption disk modify -disk -data-key-id " where disk_ID is the disk and key_ID is the data authentication key.

To verify the key is set, use the command "storage encryption disk show -disk ". The command will show the data mode. The mode must be set to full.

If the mode is not set to full, use the command "disk modify -disk -protection-mode full" to set the mode to full. Validate the mode changed using the command "storage encryption disk show -disk ".