Skygod68
SAN and Fibre Switch hardening

I have to apply STIGs to our SAN.  A lot of the questions deal with the fibre switch.  Are there experts that can answer questions on that subject?
Duncan Meyers

Yes. Depending on the vendor, I may be able to help. What do you want to know?
Skygod68 (asker)

I have to apply Security Technical Implementation Guides (STIGs) to the SAN. The SAN is an EMC VNX 5400 and a Cisco 9148 Fibre switch. Most of the questions are about the fibre switch.

One question is to implement hard zoning. EMC implemented soft zoning. How would I implement hard zoning?
Another question is to verify the default zone visibility is set to none.
I have a bunch of other questions, but let's start with those two.
ASKER CERTIFIED SOLUTION
Duncan Meyers

You have to qualify what they mean by hard and soft zoning - take a look at https://www.nsa.gov/ia/_files/vtechrep/i732-012r-2007.pdf (4.3.1 Zoning). ...

"Port-based hard zoning should be used to achieve a high level of access control assurance."
They're right in one way: port-based hard zoning is immune to attack from within the SAN (unless you hack the switch and re-zone it), since WWN spoofing by an attacker that has control of a rogue server on the SAN can't get past port-based zoning. It has no protection at all against someone physically plugging a cable into the wrong port, though; that protection has to come from physical security.

If you only have one VNX and some servers that connect to it, then you have already implemented a good enough level of port-based hard zoning anyway: only those servers that are plugged into the SAN switch can access the VNX.
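For readers who want to see what port-based zoning and a deny default zone look like on a Cisco MDS 9148, here is an added configuration example (not Duncan's hidden solution, and not taken from EMC or Cisco documentation). VSAN 10, the interface numbers, the zone and zoneset names and the switch WWN are placeholders to be replaced with the fabric's real values.

```text
! Added example for a Cisco MDS 9148 running NX-OS.
! Placeholders: VSAN 10, fc1/1 (host HBA port), fc1/2 (VNX SP port), the swwn value.
configure terminal
 ! STIG "default zone visibility = none": devices that are in no active zone
 ! must not be able to see each other. "deny" is the setting the STIG wants.
 no zone default-zone permit vsan 10
 ! Port-based ("hard") zone: members are switch interfaces, not pWWNs, so a
 ! spoofed WWN presented on the wrong port is still denied.
 ! swwn is this switch's own WWN, taken from "show wwn switch".
 zone name Z_HOST1_VNX5400 vsan 10
  member interface fc1/1 swwn 20:00:00:0d:ec:aa:bb:cc
  member interface fc1/2 swwn 20:00:00:0d:ec:aa:bb:cc
 zoneset name ZS_VSAN10 vsan 10
  member Z_HOST1_VNX5400
 ! Activation pushes the new zoneset to the fabric and triggers an RSCN to the
 ! affected members, which is the "state change update" the STIG text asks for.
 zoneset activate name ZS_VSAN10 vsan 10
end
! Verify: the first status line should show "default-zone: deny".
show zone status vsan 10
! Verify: active members should be listed as interface entries, not pwwn entries.
show zoneset active vsan 10
! Save only after the hosts still see their LUNs. Until this is run, a reload
! reverts the switch to the previous startup-config, as Duncan notes.
copy running-config startup-config
```

The EMC VNX storage ports are switch ports like any other, so the zone needs one interface member for each host HBA port and one for the VNX SP port it should reach.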
Here is what the STIG says:

Discussion:
Risk: In a SAN environment, we potentially have data with differing levels or need-to-know stored on the same "system". A high level of assurance is required that a valid entity (user/system/process) of one set of data is not inadvertently given access to data that is unauthorized. Depending on the data and implementation, lack of hard zoning could provide access to classified, administrative configuration, or other privileged information.

A zone is considered to be "hard" if it is hardware enforced. In other words, it is considered "hard" in that zones are always enforced by the destination ASIC. "Soft" zoning is more flexible but is also more vulnerable.

In "soft" or WWN-enforced zoning, however, the HBAs on the initiating devices store a copy of the name server entries, which were discovered in the last IO scan/discovery. It is possible for the HBA to include old addresses, which are no longer allowed in the newly established zoning rules. So your goal is to mitigate this risk in some way.

If hardware-enforced zoning is used, this is not an issue, as the destination port will not allow any access regardless of what the OS/HBA "thinks" it has access to.

Supplementary Note: Registry State Change Notification (RSCN) storms in large SAN deployments are another factor of which the system administrator must be aware. RSCNs are a broadcast function that allows notification to registered devices when a state change occurs within a SAN topology. These changes could be as simple as a cable being unplugged or a new HBA being connected. When such changes take place, all members would have to be notified of the change and conflicts would have to be resolved before the name servers are updated. In large configurations it could take a long time for the entire system to stabilize, impairing performance. Effective zoning on the switch would help in minimizing RSCN storms, as only devices within a zone would get notified of state changes. It would also be ideal to make note of business-critical servers and make changes to zones and fabrics that affect these servers at non-business-critical times. Tape fabrics could also be separated from disk fabrics (although this comes at a cost). Statistics on RSCNs are available from a few switch vendors. Monitoring these consistently and considering them before expansion of SANs would help you with effective storage deployments.

Documentable: No

Potential Impacts:
If the zoning ACLs are not properly migrated from the soft zoning format to the hard zoning format, a denial of service can be created where a client is not allowed to access required data. Also, a compromise of sensitive data can occur if a client is allowed access to data not required. This can also happen if you are moving from no zoning to hard zoning and incorrectly configure the ACLs.

If soft zoning is used, this is a finding. If soft zoning must be used (with DAA approval), this is still a CAT II finding and a migration plan must be in place. However, note that the HBA's memory is non-persistent; thus, when zoning changes are made, a policy must be in place (shown via the log that it is enforced) to force a state change update in the affected HBAs immediately after making zoning changes.

My knowledge of FC switch OS is limited. I can change usernames and passwords, straightforward stuff like that, but I have never zoned anything before.
Follow the instructions I provided above; it's reasonably straightforward. The beauty of a Cisco FC switch is that, as long as you haven't saved the new configuration as the startup config, if you get it completely cocked up you can just restart the switch and it reverts to the previously saved configuration.
Thank you for all the help, Duncan. I'm going to accept this as a solution. I know I will follow up with more questions about the FC switch.
Thanks! Glad I could help.