3.5.2 Configure FCoE Zoning

Information

Cisco uses a construct called a 'VSAN' (analogous to a VLAN) which is used to restrict access between hosts and SAN resources. In restrictive cases, a typical VSAN will include two entries for the two host FCoE interfaces, and two entries for the SAN controller interfaces (usually an FCoE SAN will have at least two). In the most restrictive case, the FCoE infrastructure will be split into two fabrics, and zones can hold as few as 2 entries (one for the host and one for the SAN controller on that fabric).

Rationale:

Impact:

This configuration limits the reconnaissance available to a compromised or malicious host. Without configuring Zoning, a compromised host can collect the FCoE information from all other hosts in the same VSAN. It can then use that information to impersonate any of these hosts, and access their respective LUNs (unless some other control prevents that).

Note that in virtualized environments and in most cluster architectures, multiple hypervisor hosts will access a common set of LUNs on the SAN. In these situations the VSAN can have significantly more members (all host interfaces as well as all target SAN controller interfaces), since the reconnaissance and impersonation risks are somewhat lessened: you would need a compromised hypervisor to attack another hypervisor. While this risk is non-zero, it is understood that hypervisors typically (hopefully) have more strict protections than many other physical hosts.

In addition, risk occurs if different server operating systems are in play. The most common issue is that if a Windows host can mount a volume that is partitioned for Linux or VMware ESXi, Windows will ask a logged-in administrator for permission to 'sign' that volume. If the administrator selects 'Yes', then that volume will no longer be readable by the Linux or ESXi host(s).

At a minimum, hypervisors should not share a zone with other physical hosts. Physical hosts should not share zones with each other. Hosts with different operating systems or incompatible filesystems should never share the same zone. In the best case, the 'one host / one SAN controller / one zone' rule is the safest approach.

Solution

Create a VSAN. Give it a meaningful name.

switch(config)# vsan database
switch(config-vsan-db)# vsan 101
switch(config-vsan-db)# vsan 101 name HOST_X_SAN_Y

Create Virtual Fibre Channel (VFC) interfaces, binding each one either to the FCoE MAC address of the host interface or to the physical Ethernet port it arrives on.

switch(config)# interface vfc 1001
switch(config-if)# bind mac-address 00:01:0b:00:00:02
switch(config-if)# interface vfc 1002
switch(config-if)# bind mac-address 00:01:0b:00:00:08
switch(config-if)# interface vfc 1003
switch(config-if)# bind interface ethernet 1/4

Add the VFC interfaces to the VSAN.

switch(config-if)# vsan database
switch(config-vsan-db)# vsan 101 interface vfc 1001
switch(config-vsan-db)# vsan 101 interface vfc 1002
switch(config-vsan-db)# vsan 101 interface vfc 1003
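The steps above create the VSAN and place the VFC interfaces in it but do not yet define a zone, so every member of VSAN 101 can still see every other member. The following NX-OS configuration is an added example, not part of the original benchmark text; it applies the 'one host / one SAN controller / one zone' rule from the Impact section to VSAN 101. The zone and zoneset names and the pWWNs are constructed placeholders.

```cisco
! One zone holding exactly one host initiator and one SAN controller port.
! The pWWNs are constructed placeholders; read the real ones from
! 'show flogi database vsan 101' after the VFC interfaces come up.
switch(config)# zone name HOST_X_SAN_Y vsan 101
switch(config-zone)# member pwwn 10:00:00:00:00:00:00:01
switch(config-zone)# member pwwn 50:00:00:00:00:00:00:01
switch(config-zone)# exit

! A zone is only enforced once it belongs to the active zoneset of the VSAN.
switch(config)# zoneset name ZS_VSAN101 vsan 101
switch(config-zoneset)# member HOST_X_SAN_Y
switch(config-zoneset)# exit
switch(config)# zoneset activate name ZS_VSAN101 vsan 101

! Deny traffic between VSAN members that are in no zone (the default zone),
! so an interface added to VSAN 101 later cannot reach the others until it
! is deliberately zoned.
switch(config)# no zone default-zone permit vsan 101

! Verify what the fabric actually enforces: active zones and the
! default-zone policy for this VSAN.
switch(config)# show zoneset active vsan 101
switch(config)# show zone status vsan 101
```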

Default Value:

By default, FCoE is not enabled. If FCoE is enabled and configured with a single VSAN, all FCoE devices have access to all other FCoE devices.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|9

Plugin: Cisco

Control ID: 81b9ac444170247846e1895691fecd9d0f5e508dbc7d6c96ba1d2fb0f980b1f4