6.3 Ensure storage area network (SAN) resources are segregated properly

Information

Use zoning and logical unit number (LUN) masking to segregate storage area network (SAN) activity.

Zoning provides access control in the SAN topology. Zoning defines which host bus adapters (HBAs) can connect to which targets. The devices outside a zone are not visible to the devices inside the zone when SAN zoning is configured. For example, zones defined for testing should be managed independently within the SAN, so they do not interfere with activity in the production zones. Similarly, you can set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.

LUN masking is a process that makes a LUN available to some hosts and unavailable to other hosts.

Rationale:

Segregating SAN activity can reduce the attack surface for the SAN, prevent non-ESXi systems from accessing SANs, and separate environments, for example, test and production environments.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The remediation procedures to properly segregate SAN activity are SAN vendor or product-specific.
In general, with ESXi hosts, use single-initiator zoning or single-initiator-single-target zoning. The latter is the preferred zoning practice. Using the more restrictive zoning prevents problems and misconfigurations that can occur on the SAN.
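Whether an exported zone set actually follows that practice can be checked mechanically. The script below is an added example, not part of the CIS benchmark or the Nessus plugin: it classifies each zone by counting its initiator (ESXi HBA) and target (array port) members and flags zones that are neither single-initiator nor single-initiator-single-target. The WWPNs, zone names and the initiator/target inventory are all constructed; in practice the inventory comes from the hosts' HBAs and the array's ports, and the zone list from the fabric switch.

```python
# Constructed inventory: WWPNs of ESXi HBAs (initiators) and array ports (targets).
INITIATORS = {
    "10:00:00:00:c9:aa:00:01",  # esx01 hba0
    "10:00:00:00:c9:aa:00:02",  # esx01 hba1
    "10:00:00:00:c9:bb:00:01",  # esx02 hba0
}
TARGETS = {
    "50:06:01:60:3b:20:00:01",  # array port A0
    "50:06:01:60:3b:20:00:02",  # array port B0
}

# Constructed zone set: zone name -> member WWPNs, as exported from the fabric.
ZONES = {
    "z_esx01_hba0_A0": ["10:00:00:00:c9:aa:00:01", "50:06:01:60:3b:20:00:01"],
    "z_esx01_hba1_AB": ["10:00:00:00:c9:aa:00:02", "50:06:01:60:3b:20:00:01",
                        "50:06:01:60:3b:20:00:02"],
    "z_legacy_shared": ["10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:bb:00:01",
                        "50:06:01:60:3b:20:00:02"],
    "z_unknown_member": ["10:00:00:00:c9:bb:00:01", "20:00:00:25:b5:00:00:99"],
}

def classify_zone(members, initiators=INITIATORS, targets=TARGETS):
    """Return the zoning pattern a zone follows."""
    inits = [m for m in members if m.lower() in initiators]
    tgts = [m for m in members if m.lower() in targets]
    if len(inits) + len(tgts) != len(members):
        return "unknown-member"  # a WWPN missing from the inventory: investigate
    if len(inits) != 1:
        return "multi-initiator" if inits else "no-initiator"
    if len(tgts) == 1:
        return "single-initiator-single-target"  # the preferred pattern
    return "single-initiator" if tgts else "no-target"

def audit_zones(zones=ZONES, require_single_target=False):
    """Classify every zone and list those that fail the chosen policy."""
    allowed = {"single-initiator-single-target"}
    if not require_single_target:
        allowed.add("single-initiator")  # single-initiator, multi-target is tolerated
    patterns = {name: classify_zone(members) for name, members in zones.items()}
    failing = sorted(name for name, kind in patterns.items() if kind not in allowed)
    return patterns, failing

if __name__ == "__main__":
    patterns, failing = audit_zones(require_single_target=True)
    for name, kind in patterns.items():
        print(f"{name:18s} {kind}")
    print("non-compliant:", failing)
```

A zone with a member that is in neither inventory is reported separately, since an unknown WWPN in a production zone is exactly the kind of stray access the benchmark wants removed.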

See Also

https://workbench.cisecurity.org/benchmarks/12725