6.3 Ensure storage area network (SAN) resources are segregated properly

Information

Use zoning and LUN masking to segregate SAN activity. For example, zones defined for testing
should be managed independently within the SAN so they do not interfere with activity in the
production zones. Similarly, you can set up different zones for different departments. Zoning
must take into account any host groups that have been set up on the SAN device. LUN masking
is a process that makes a LUN available to some hosts and unavailable to other hosts.

Rationale

Segregating SAN activity can reduce the attack surface for the SAN, prevent non-ESXi
systems from accessing SANs, and separate environments, for example, test and production environments.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The remediation procedures to properly segregate SAN activity are SAN vendor- or product-specific.
In general, with ESXi hosts, use single-initiator zoning or single-initiator-single-target
zoning. The latter is the preferred zoning practice. Using the more restrictive zoning prevents
problems and misconfigurations that can occur on the SAN.
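As an added illustration of the zoning checks described in the Information and Solution sections (not part of the CIS benchmark or the Nessus plugin), the script below audits a zone database for single-initiator-single-target zoning and for zones that mix test and production. All WWPNs, zone names and environment labels are constructed; a real fabric's zone export would have to be parsed into the same dict shape first.

```python
# Constructed sample fabric data; WWPNs and names are made up for illustration.
INITIATORS = {  # ESXi HBA WWPN -> environment the host belongs to
    "10:00:00:00:c9:aa:bb:01": "prod",
    "10:00:00:00:c9:aa:bb:02": "prod",
    "10:00:00:00:c9:aa:bb:11": "test",
}
TARGETS = {  # storage array port WWPN -> environment it serves
    "50:06:01:60:3b:20:00:01": "prod",
    "50:06:01:60:3b:20:00:02": "test",
}
ZONES = {  # zone name -> member WWPNs
    "z_prod01_arrayA": ["10:00:00:00:c9:aa:bb:01", "50:06:01:60:3b:20:00:01"],
    "z_prod02_arrayA": ["10:00:00:00:c9:aa:bb:02", "50:06:01:60:3b:20:00:01",
                        "50:06:01:60:3b:20:00:02"],
    "z_test_all": ["10:00:00:00:c9:aa:bb:11", "10:00:00:00:c9:aa:bb:01",
                   "50:06:01:60:3b:20:00:02"],
}


def audit_zones(zones, initiators, targets):
    """Return {zone_name: [problem, ...]} for every zone that breaks
    single-initiator-single-target zoning or mixes environments."""
    findings = {}
    for name, members in zones.items():
        problems = []
        inits = [m for m in members if m in initiators]
        tgts = [m for m in members if m in targets]
        unknown = [m for m in members if m not in initiators and m not in targets]
        if unknown:  # an unclassified WWPN may be a non-ESXi system that should not be zoned in
            problems.append("unclassified member(s): " + ", ".join(unknown))
        if len(inits) != 1:
            problems.append(f"expected exactly 1 initiator, found {len(inits)}")
        if len(tgts) != 1:
            problems.append(f"expected exactly 1 target, found {len(tgts)}")
        envs = {initiators[m] for m in inits} | {targets[m] for m in tgts}
        if len(envs) > 1:  # e.g. a test host zoned to a production array port
            problems.append("mixes environments: " + ", ".join(sorted(envs)))
        if problems:
            findings[name] = problems
    return findings


def compliant_zones(zones, initiators, targets):
    """Zone names that pass every check in audit_zones."""
    bad = audit_zones(zones, initiators, targets)
    return sorted(z for z in zones if z not in bad)


if __name__ == "__main__":
    for zone, problems in audit_zones(ZONES, INITIATORS, TARGETS).items():
        for p in problems:
            print(f"{zone}: {p}")
```

Run against the sample data it reports the zone with two array ports and the zone that puts a production host alongside a test host, while the single-initiator-single-target zone passes.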

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CA-9, 800-53|SC-7(22), 800-53|SI-4, CSCv7|14.1, CSCv7|14.2

Plugin: VMware

Control ID: b389baac88790c0e71648bf1eb95b5792935a8135ad703dbd890de74c061addc