6.2.1 (L1) Host must isolate storage communications

Information

Isolating storage communications through zoning and Logical Unit Number (LUN) masking is instrumental in segregating Storage Area Network (SAN) activity. Zoning defines the connections between host bus adapters (HBAs) and targets, ensuring devices outside a zone remain invisible to the devices within, thus facilitating the independent management of zones such as testing and production. On the other hand, LUN masking controls the visibility and accessibility of LUNs to different hosts, further enhancing the granularity of access control within the storage network. By implementing these measures, the attack surface of the SAN is reduced, non-ESXi systems are prevented from accessing the SAN, and separation of environments like test and production is achieved.

Employing zoning and LUN masking to isolate storage communications is vital to reduce the risk of unauthorized access and of cross-contamination between different operational environments. It allows more structured and secure management of storage resources, ensuring that unauthorized or incompatible systems are prevented from interacting with or accessing the SAN, and so contributes to the overall security and operational integrity of the environment.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The remediation procedures to properly segregate SAN activity are SAN vendor or product-specific.

In general, with ESXi hosts, use single-initiator zoning or single-initiator-single-target zoning; the latter is the preferred zoning practice. Using the more restrictive zoning prevents problems and misconfigurations that can occur on the SAN.
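As an added example, not part of the CIS benchmark or of the Nessus plugin, the PowerCLI script below checks the host-side effect of zoning and LUN masking: each ESXi host should see only the LUNs allocated to it, and each host's initiator WWPNs are listed so they can be matched against the fabric zoning records. It assumes an existing Connect-VIServer session and an operator-maintained allowlist ($Expected, constructed placeholder values here) taken from the SAN team's masking records.

```powershell
# Added example, not part of the CIS benchmark or the Nessus plugin.
# Assumes an active Connect-VIServer session; $Expected holds constructed
# placeholder values and must be filled in from the SAN masking records.

# Expected visibility per ESXi host: the LUN canonical names (naa.*) that
# masking should expose to it, keyed by host name. Local/boot disks also
# appear as naa.* devices and belong in the allowlist too.
$Expected = @{
    'esxi-prod-01.example.internal' = @('naa.60000000000000000000000000000001',
                                        'naa.60000000000000000000000000000002')
    'esxi-test-01.example.internal' = @('naa.60000000000000000000000000000009')
}

function Test-StorageIsolation {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $findings = @()
    foreach ($hostName in $Expected.Keys) {
        $vmHost  = Get-VMHost -Name $hostName -ErrorAction Stop
        $allowed = $Expected[$hostName]

        # Print each FC initiator WWPN so it can be checked against the fabric
        # zoning: with single-initiator zoning each WWPN sits in its own zone.
        foreach ($hba in Get-VMHostHba -VMHost $vmHost -Type FibreChannel) {
            $wwpn = ('{0:x16}' -f $hba.PortWorldWideName) -replace '(..)(?!$)', '$1:'
            Write-Host ("{0}: {1} initiator WWPN {2}" -f $hostName, $hba.Device, $wwpn)
        }

        # Any disk LUN the host can see that masking should not have exposed.
        $seen = Get-ScsiLun -VmHost $vmHost -LunType disk
        foreach ($lun in $seen) {
            if ($allowed -notcontains $lun.CanonicalName) {
                $findings += [pscustomobject]@{
                    Host = $hostName; Issue = 'UnexpectedLun'; Value = $lun.CanonicalName
                }
            }
        }
        # An expected LUN that is missing usually means a zoning or masking
        # change removed a path; report it so the change gets reviewed.
        foreach ($name in $allowed) {
            if ($seen.CanonicalName -notcontains $name) {
                $findings += [pscustomobject]@{
                    Host = $hostName; Issue = 'MissingLun'; Value = $name
                }
            }
        }
    }
    return $findings
}

Test-StorageIsolation -Expected $Expected | Format-Table -AutoSize
```

An empty findings table means every listed host sees exactly its allocated LUNs; the printed WWPNs still have to be compared by hand against the switch zoning, which this script cannot read.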

Impact:

Failing to isolate storage communications can lead to an increased risk of unauthorized access to storage resources, potential data leakage, or interference between different operational zones. The lack of segregation might also pose challenges in managing and troubleshooting storage network activities, leading to operational inefficiencies and potential security risks.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|14.1, CSCv7|14.2

Plugin: VMware

Control ID: ffa8e3278d91ff3edecdb34eea58df8a8589da49ec02e0a67e0db6314fe2cd30