SAN and Fibre Switch hardening

I have to apply STIGs to our SAN.  A lot of the questions deal with the fibre switch.  Are there experts that can answer questions on that subject?
Skygod68Sr. Systems AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Duncan MeyersCommented:
Yes. Depending on the vendor, I may be able to help. What do you want to know?
Skygod68Sr. Systems AdministratorAuthor Commented:
I have to apply a Security Technical Implementation Guides (STIGs) to the SAN.  The SAN is a EMC VNX 5400 and a Cisco 9148 Fibre switch. Most of the question are about the fibre switch.  

  One question is to implement hard zoning.  EMC implemented soft zoning.  How would I implement hard zoning.
  Another question is  verify the default zone visibility is set to none.
  I have a bunch of other question but lets start with those two.
Duncan MeyersCommented:
??? that's bonkers. Hard Zoning is significantly less secure than soft zoning. Hard zoning associates ports into a group - so Port 1 can see Port 2 and Port 3 and nothing else. Anything plugged into Port 1 can access the storage plugged into Port 2 and 3. Soft zoning associates Fibre Channel WWNs with each other, so server 1 port 1 can see storage port 1 and storage port 2. If your WWNs isn't in the soft zone then the server can't access the SAN. However, that isn't what you asked and there's not a lot of point arguing with a STIG even if it's wrong. The change to hard zoning will be disruptive unless you plan it carefully and change one switch at a time - instructions follow and I'm assuming familiarity with Cisco FabricOS. If you're not familar with FabricOS and Fibre Channel, Id strongly recommend getting EMC or a trusted partner in to make the changes.

You'll need to record the following information:
The switch ports that the VNX is connected to
The switch port that each server is connected to.
Go into the switch management console and do these steps:
conf t
zone name <zone name eg server 1> vsan <choose the appropriate vsan that already exists>
member interface fc 1/1 (storage port 1)
member interface fc 1/2 (storage port 2)
member interface fc 1/3 (server port for server 1)

zone name <zone name eg server 2> vsan <choose the appropriate vsan that already exists>
member interface fc 1/1 (storage port 1)
member interface fc 1/2 (storage port 2)
member interface fc 1/4 (server port for server 2)

... and so on for each server. Once you've created your zones, you have to add them to a zone set:
conf t
zoneset name MyFirstZoneSet vsan <choose the appropriate vsan that already exists>
member server1
member server2
... and so on until you've added all the zones you've created

Then save the zoneset and make it active:
conf t
zoneset activate name MyFirstZoneSet vsan <choose the appropriate vsan that already exists>

Once you're happy with the changes, you can save them to the startup config:
copy running-config startup-config

Note: use the same VSAN for your new zoneset and keep it consistent across the zones and zoneset you create unless you really want a world of pain. VSAN IDs are best kept unique across separate switches so you don't run into trouble if you ever have to merge the FC fabrics.

Now confirm that all your hosts can see the storage as expected then rinse and repeat for the second switch.

To turn off the default zone:
conf t
no zone default-zone permit vsan 1 (vsan 1 is the default zone)

Done! Time for a cool beverage and a tasty snack.

Happy to help with the VNX, too

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

andyalderSaggar maker's framemakerCommented:
You have to qualify what they mean by hard and soft zoning - take a look at (4.3.1 Zoning). ...

"Port-based hard zoning should be used to achieve a high level of access control assurance."
They're right in one way, port-based hard zoning is immune to attack from within the SAN (unless you hack the switch and re-zone it) since WWN spoofing by an attacker that has control of a rogue server on the SAN can't get past port-based zoning. It has no protection at all against someone physically plugging a cable into the wrong port though, that protection has to come from physical security.

If you only have one VNX and some servers that connect to it then you have already implemented a good enough level of port-based hard zoning anyway, only those servers that are plugged into the SAN switch can access the VNX.
Skygod68Sr. Systems AdministratorAuthor Commented:
Here is what the STIG says ,

Risk:  In a SAN environment, we potentially have data with differing levels or need-to-know stored on the same "system".  A high level of assurance that a valid entity (user/system/process) of one set of data is not inadvertently given access to data that is unauthorized. Depending on the data and implementation, lack of hard zoning could provide access to classifed, administrative configuration, or other privileged information.

A zone is considered to be "hard" if it is hardware enforced.  In other words, it is considered “hard” in that they are always enforced by the destination ASIC. "Soft" zoning is more flexible but is also more vulnerable.    

In "soft" or WWN-enforced zoning, however, the HBA on the initiating devices store a copy of the name server entries, which were discovered in the last IO scan/discovery. It is possible for the HBA to include old addresses, which are no longer allowed in the newly established zoning rules. So your goal is to mitigate this risk in some way.

If hardware enforced zoning is used this is not an issue as the destination port will not allow any access regardless of what the OS/HBA “thinks” it has access to.

Supplementary Note: Registry State Change Notifications ( RSCN ) storms in large SAN deployments are another factor of which the system administrator must be aware. RSCNs are a broadcast function that allows notification to registered devices when a state change occurs within a SAN topology. These changes could be as simple as a cable being unplugged or a new HBA being connected. When such changes take place, all members would have to be notified of the change and conflicts would have to be resolved, before the name servers are updated. In large configurations it could take a long time for the entire system to stabilize, impairing performance. Effective zoning on the switch would help in minimizing RSCN storms, as only devices within a zone would get notified of state changes. It would also be ideal to make note of business critical servers and make changes to zones and fabrics that affect these servers at non business critical times. Tape fabrics could also be separated from disk fabric (although this comes at a cost). Statistics of RSCN's are available from a few switch vendors. Monitoring these consistently and considering these before expansion of SAN's would help you with effective storage deployments.

Documentable: No

Potential Impacts:
If the zoning ACLs are not properly migrated from the soft zoning format to the hard zoning format a denial of service can be created where a client is not allowed to access required data.  Also a compromise of sensitive data can occur if a client is allowed access to data not required.  This can also happen if you are moving from no zoning to hard zoning and incorrectly configure the ACLs.

If soft zoning is used, this is a finding.  If soft zoning must be used (with DAA approval), this is still a CAT II finding and a migration plan must be in place.  However, note that the HBA’s memory is non-persistent, thus when zoning changes are made, a policy must be in place (show via the log that it is enforced) to force a state change update in the affected HBAs immediately after making zoning changes.

My knowledge on FC Switch OS is limited.  I can change usernames and passwords.  Straight forward stuff like that but I have never zoned anything before.
Duncan MeyersCommented:
Follow the instructions I provided above - it's reasonably straightforward. The beauty of a Cisco FC switch is that, as long as you haven't saved the new configuration as the startup config, if you get it completely cocked-up you can just restart the switch and it reverts to the previously saved configuration.
Skygod68Sr. Systems AdministratorAuthor Commented:
Thank you for all the help Duncan,  I'm going to accept this as a solution.  I know I will follow with more questions with the FC switch.
Duncan MeyersCommented:
Thanks! Glad I could help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.