Storage Area Network STIG


Date: 2019-06-28
Finding Count: 27 (CAT I (High): 6, CAT II (Med): 15, CAT III (Low): 6)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-6656 | High | Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
V-6623 | High | Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
V-6645 | High | All SAN management consoles and ports are not password protected.
V-6608 | High | Hard zoning is not used to protect the SAN.
V-6647 | High | The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
V-6646 | High | The manufacturer’s default passwords have not been changed for all SAN management software.
V-6635 | Medium | Network management ports on the SAN fabric switches, except those needed to support the operational commitments of the site, are not disabled.
V-6636 | Medium | SAN management is not accomplished using the out-of-band or direct connection method.
V-6631 | Medium | All the network level devices interconnected to the SAN are not located in a secure room with limited access.
V-6632 | Medium | Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.
V-6633 | Medium | The SAN must be configured to use bidirectional authentication.
V-6657 | Medium | The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
V-6619 | Medium | Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
V-6652 | Medium | Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
V-6613 | Medium | All security related patches are not installed.
V-6610 | Medium | The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG.
V-6622 | Medium | Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.
V-6628 | Medium | A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.
V-6605 | Medium | The default zone visibility setting is not set to “none”.
V-6661 | Medium | Fabric switch configurations and management station configuration are not archived, and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are collocated with the operational software.
V-7081 | Medium | SAN components are not configured with fixed IP addresses.
V-6634 | Low | The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
V-6637 | Low | Communications from the management console to the SAN fabric are not protected by strong two-factor authentication.
V-6638 | Low | The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
V-6639 | Low | The SAN is not configured to use a FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
V-6648 | Low | Attempts to access ports, protocols, or services that are denied are not logged.
V-6660 | Low | End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.
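Several of the findings above (V-6605, V-6608, V-6635, V-6656, V-6657, V-7081) are plain configuration conditions that can be checked mechanically once a switch's settings are exported. The script below is an added example and is not part of the STIG or of the STIG Viewer; it audits a vendor-neutral dictionary describing one fabric switch and returns the finding IDs it violates. The dictionary layout, the field names, the sample switches, and two interpretations are assumptions: RFC 1918 space is taken as "the internal network" for V-6657, and a zone is treated as hard-zoned for V-6608 only when every member is a (domain, port) pair rather than a WWN. A real deployment would need a per-vendor exporter (CLI, SMI-S or REST) to build the dictionary.

```python
"""Audit a SAN fabric switch description against selected SAN STIG findings.

Added example: the config model below is assumed, not a vendor format.
"""
import ipaddress

# Assumption: RFC 1918 space is the site's internal network (V-6657).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone_is_hard(zone):
    """Assumption: a zone is 'hard' when every member is a (domain, port)
    pair enforced at the switch port; a WWN string means name-server (soft)
    zoning, which V-6608 does not accept on its own."""
    return all(isinstance(m, tuple) and len(m) == 2 for m in zone["members"])


def audit(cfg):
    """Return (finding_id, detail) pairs for each STIG condition the switch violates."""
    findings = []

    default_zone = cfg.get("default_zone", "all")
    if default_zone != "none":                                      # V-6605
        findings.append(("V-6605", f"default zone visibility is {default_zone!r}, not 'none'"))

    soft = [z["name"] for z in cfg["zones"] if not zone_is_hard(z)]  # V-6608
    if soft:
        findings.append(("V-6608", "soft (WWN) zoning in use: " + ", ".join(soft)))

    extra = sorted(set(cfg["mgmt_services_enabled"]) - set(cfg["mgmt_services_required"]))
    if extra:                                                       # V-6635
        findings.append(("V-6635", "unneeded management services enabled: " + ", ".join(extra)))

    snmp = cfg["snmp"]
    if snmp["enabled"]:
        authorized = {ipaddress.ip_address(a) for a in cfg["authorized_snmp_managers"]}
        if not snmp["allowed_managers"]:                            # V-6656
            findings.append(("V-6656", "SNMP enabled with no manager ACL: any source may poll"))
        for entry in snmp["allowed_managers"]:
            net = ipaddress.ip_network(entry, strict=False)
            # Anything other than a single, explicitly authorized manager is unauthorized.
            if net.num_addresses != 1 or net.network_address not in authorized:
                findings.append(("V-6656", f"SNMP manager {entry} is not on the site's authorized list"))
            if not any(net.subnet_of(n) for n in INTERNAL_NETS):  # V-6657
                findings.append(("V-6657", f"SNMP manager {entry} is outside the internal network"))

    if cfg["mgmt_ip"]["dhcp"]:                                      # V-7081
        findings.append(("V-7081", "management interface obtains its address via DHCP"))

    return findings


def finding_ids(cfg):
    """Sorted, de-duplicated finding IDs for a switch description."""
    return sorted({fid for fid, _ in audit(cfg)})


# Constructed sample: a switch left close to factory settings.
WEAK_SWITCH = {
    "default_zone": "all",
    "zones": [
        {"name": "db_zone", "members": [(1, 4), (1, 9)]},
        {"name": "backup_zone", "members": ["10:00:00:05:1e:7a:bc:01", (1, 12)]},
    ],
    "mgmt_services_enabled": ["ssh", "https", "telnet", "http"],
    "mgmt_services_required": ["ssh", "https"],
    "snmp": {"enabled": True, "allowed_managers": ["10.20.30.40", "203.0.113.7", "0.0.0.0/0"]},
    "authorized_snmp_managers": ["10.20.30.40"],
    "mgmt_ip": {"address": "10.20.30.5", "dhcp": True},
}

# Constructed sample: the same switch after remediation.
HARDENED_SWITCH = {
    "default_zone": "none",
    "zones": [
        {"name": "db_zone", "members": [(1, 4), (1, 9)]},
        {"name": "backup_zone", "members": [(1, 12), (1, 13)]},
    ],
    "mgmt_services_enabled": ["ssh", "https"],
    "mgmt_services_required": ["ssh", "https"],
    "snmp": {"enabled": True, "allowed_managers": ["10.20.30.40"]},
    "authorized_snmp_managers": ["10.20.30.40"],
    "mgmt_ip": {"address": "10.20.30.5", "dhcp": False},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SWITCH), ("hardened", HARDENED_SWITCH)):
        print(name, finding_ids(cfg))
        for fid, detail in audit(cfg):
            print(f"  {fid}: {detail}")
```

The weak sample trips V-6656 twice (one manager not on the authorized list, one wildcard ACL) and V-6657 twice (a public address and the wildcard), which is why `finding_ids` de-duplicates before reporting. The remaining findings in the table (default passwords, PKI material, physical placement, patch levels, topology drawings) need evidence that no switch export carries and stay manual checks.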