
Storage Area Network Security Technical Implementation Guide

Version: V2R5
Release Date: Jun 28, 2019
SCAP Benchmark ID: SAN
Total Checks: 28
Tags: network
Severity breakdown: CAT I: 7, CAT II: 15, CAT III: 6

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (28)

  • V-6605 (MEDIUM): The default zone visibility setting is not set to “none”.
  • V-6608 (HIGH): Hard zoning is not used to protect the SAN.
  • V-6610 (MEDIUM): The SANs are not compliant with overall network security architecture, appropriate enclave, and data center security requirements in the Network Infrastructure STIG and the Enclave STIG.
  • V-6613 (MEDIUM): All security related patches are not installed.
  • V-6619 (MEDIUM): Prior to installing SAN components (servers, switches, and management stations) onto the DOD network infrastructure, components are not configured to meet the applicable STIG requirements.
  • V-6622 (MEDIUM): Servers and other hosts are not compliant with applicable Operating System (OS) STIG requirements.
  • V-6623 (HIGH): Vendor supported, DOD approved, anti-virus software is not installed and configured on all SAN servers in accordance with the applicable operating system STIG on SAN servers and management devices and kept up-to-date with the most recent virus definition tables.
  • V-6628 (MEDIUM): A current drawing of the site’s SAN topology that includes all external and internal links, zones, and all interconnected equipment is not being maintained.
  • V-6631 (MEDIUM): All the network level devices interconnected to the SAN are not located in a secure room with limited access.
  • V-6632 (MEDIUM): Individual user accounts with passwords are not set up and maintained for the SAN fabric switch.
  • V-6633 (MEDIUM): The SAN must be configured to use bidirectional authentication.
  • V-6634 (LOW): The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  • V-6635 (MEDIUM): Network management ports on the SAN fabric switches except those needed to support the operational commitments of the sites are not disabled.
  • V-6636 (MEDIUM): SAN management is not accomplished using the out-of-band or direct connection method.
  • V-6637 (LOW): Communications from the management console to the SAN fabric are not protected by strong two-factor authentication.
  • V-6638 (LOW): The manufacturer’s default PKI keys have not been changed prior to attaching the switch to the SAN Fabric.
  • V-6639 (LOW): The SAN is not configured to use FIPS 140-1/2 validated encryption algorithm to protect management-to-fabric communications.
  • V-6645 (HIGH): All SAN management consoles and ports are not password protected.
  • V-6646 (HIGH): The manufacturer’s default passwords have not been changed for all SAN management software.
  • V-6647 (HIGH): The SAN fabric zoning lists are not based on a policy of Deny-by-Default with blocks on all services and protocols not required on the given port or by the site.
  • V-6648 (LOW): Attempts to access ports, protocols, or services that are denied are not logged.
  • V-6652 (MEDIUM): Simple Network Management Protocol (SNMP) is used and it is not configured in accordance with the guidance contained in the Network Infrastructure STIG.
  • V-6656 (HIGH): Unauthorized IP addresses are allowed Simple Network Management Protocol (SNMP) access to the SAN devices.
  • V-6657 (MEDIUM): The IP addresses of the hosts permitted SNMP access to the SAN management devices do not belong to the internal network.
  • V-6660 (LOW): End-user platforms are directly attached to the Fibre Channel network or access storage devices directly.
  • V-6661 (MEDIUM): Fabric switch configurations and management station configuration are not archived and/or copies of the operating system and other critical software for all SAN components are not stored in a fire rated container or are not collocated with the operational software.
  • V-6662 (HIGH): The device must be supported by the vendor.
  • V-7081 (MEDIUM): SAN components are not configured with fixed IP addresses.
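Several of the checks above (default zone visibility, hard zoning, FIPS-validated management crypto, default passwords, SNMP source restrictions, vendor support, fixed management addresses) are configuration facts that can be audited automatically from a switch configuration snapshot. The script below is an added example written for this page; it is not STIGhub or DISA code, and it does not come from any switch vendor. The snapshot format, every field name in SwitchConfig, and the site-internal address ranges in INTERNAL_NETWORKS are assumptions made for illustration: a real auditor would populate the same structure from the vendor CLI or REST API. It maps each predicate to the STIG vulnerability ID and severity listed on this page and reports findings for a constructed weak configuration beside a constructed hardened one.

```python
"""Audit a SAN fabric switch configuration snapshot against a subset of the
Storage Area Network STIG checks (V-6605, V-6608, V-6639, V-6646, V-6656,
V-6657, V-6662, V-7081).

Added example, not STIGhub or DISA code.  The snapshot layout and all field
names below are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed site-internal ranges used by the V-6657 check (SNMP managers must be internal).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SwitchConfig:
    """Assumed snapshot of the security-relevant settings of one fabric switch."""
    hostname: str
    mgmt_ip_static: bool              # fixed management address rather than DHCP (V-7081)
    default_zone_access: str          # "none" or "all": what unzoned devices may see (V-6605)
    zone_enforcement: str             # "hard" = switch filters every frame, "soft" = name-server only (V-6608)
    fips_mode: bool                   # FIPS 140-2 validated crypto for management traffic (V-6639)
    default_passwords_changed: bool   # vendor default credentials replaced (V-6646)
    snmp_enabled: bool
    snmp_allowed_hosts: List[str] = field(default_factory=list)  # CIDR strings; empty list = no ACL
    vendor_supported: bool = True     # device still under vendor support (V-6662)


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str   # CAT I = HIGH, CAT II = MEDIUM, CAT III = LOW
    title: str


def _snmp_open_to_world(cfg: SwitchConfig) -> bool:
    """V-6656: SNMP reachable from unauthorized addresses (no ACL, or a 0.0.0.0/0 entry)."""
    if not cfg.snmp_enabled:
        return False
    if not cfg.snmp_allowed_hosts:
        return True  # no source restriction at all: any address may poll the switch
    return any(ipaddress.ip_network(h, strict=False).prefixlen == 0 for h in cfg.snmp_allowed_hosts)


def _snmp_hosts_external(cfg: SwitchConfig) -> bool:
    """V-6657: every permitted SNMP manager must fall inside an internal range."""
    if not cfg.snmp_enabled:
        return False
    for host in cfg.snmp_allowed_hosts:
        net = ipaddress.ip_network(host, strict=False)
        if net.prefixlen == 0:
            continue  # already reported under V-6656; do not double count
        if not any(net.subnet_of(internal) for internal in INTERNAL_NETWORKS):
            return True
    return False


# (vulnerability ID, severity, short title, predicate that is True when the check FAILS)
CHECKS: List[Tuple[str, str, str, Callable[[SwitchConfig], bool]]] = [
    ("V-6605", "MEDIUM", "Default zone visibility is not set to none",
     lambda c: c.default_zone_access.lower() != "none"),
    ("V-6608", "HIGH", "Hard zoning is not used to protect the SAN",
     lambda c: c.zone_enforcement.lower() != "hard"),
    ("V-6639", "LOW", "Management-to-fabric traffic not protected by FIPS 140-2 validated crypto",
     lambda c: not c.fips_mode),
    ("V-6646", "HIGH", "Manufacturer default passwords have not been changed",
     lambda c: not c.default_passwords_changed),
    ("V-6656", "HIGH", "Unauthorized IP addresses are allowed SNMP access", _snmp_open_to_world),
    ("V-6657", "MEDIUM", "SNMP manager addresses do not belong to the internal network", _snmp_hosts_external),
    ("V-6662", "HIGH", "The device is not supported by the vendor", lambda c: not c.vendor_supported),
    ("V-7081", "MEDIUM", "Component is not configured with a fixed IP address",
     lambda c: not c.mgmt_ip_static),
]


def audit(cfg: SwitchConfig) -> List[Finding]:
    """Return one Finding per failed check, in the order of CHECKS."""
    return [Finding(vid, sev, title) for vid, sev, title, failed in CHECKS if failed(cfg)]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample snapshots; these are not real devices.
WEAK = SwitchConfig(hostname="fab-sw01", mgmt_ip_static=False, default_zone_access="all",
                    zone_enforcement="soft", fips_mode=False, default_passwords_changed=False,
                    snmp_enabled=True, snmp_allowed_hosts=["0.0.0.0/0", "203.0.113.10/32"])
HARDENED = SwitchConfig(hostname="fab-sw01", mgmt_ip_static=True, default_zone_access="none",
                        zone_enforcement="hard", fips_mode=True, default_passwords_changed=True,
                        snmp_enabled=True, snmp_allowed_hosts=["10.20.30.5/32"])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{cfg.hostname} ({name}): {len(findings)} open finding(s) {severity_counts(findings)}")
        for f in findings:
            print(f"  {f.vuln_id} {f.severity}: {f.title}")
```

The weak snapshot fails every check except V-6662, and the 0.0.0.0/0 SNMP entry is reported once under V-6656 rather than twice. Checks that depend on records outside the switch itself (topology drawings, physical access, patch currency, archived configurations) are deliberately left out, since they need evidence a configuration snapshot cannot supply.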