UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Storage Area Network STIG


Overview

Date Finding Count (28)
2018-10-03 CAT I (High): 6 CAT II (Med): 15 CAT III (Low): 7
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-6656 High Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
V-6623 High Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
V-6608 High Hard zoning is not used to protect the SAN.
V-6647 High The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
V-6646 High The manufacturer’s default passwords have not been changed for all SAN management software.
V-6645 High All SAN management consoles and ports are not password protected.
V-6635 Medium Network management ports on the SAN fabric switches except those needed to support the operational commitments of the sites are not disabled.
V-6636 Medium SAN management is not accomplished using the out-of-band or direct connection method.
V-6631 Medium All the network level devices interconnected to the SAN are not located in a secure room with limited access.
V-6632 Medium Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.
V-6633 Medium The SAN must be configured to use bidirectional authentication.
V-6657 Medium The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
V-6619 Medium Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
V-6652 Medium Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
V-6613 Medium All security related patches are not installed.
V-6610 Medium The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG
V-6622 Medium Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.
V-6628 Medium A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.
V-6605 Medium The default zone visibility setting is not set to “none”.
V-6661 Medium Fabric switch configurations and management station configuration are not archived and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.
V-7081 Medium SAN components are not configured with fixed IP addresses.
V-6634 Low The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
V-6637 Low Communications from the management console to the SAN fabric are not protected strong two-factor authentication.
V-6638 Low The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
V-6639 Low The SAN is not configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
V-6609 Low SAN devices are not added to the site System Security Authorization Agreement (SSAA).
V-6648 Low Attempts to access ports, protocols, or services that are denied are not logged..
V-6660 Low End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.