Details
Use zoning and LUN masking to segregate SAN activity. For example, zones defined for testing
should be managed independently within the SAN so they do not interfere with activity in the
production zones. Similarly, you can set up different zones for different departments. Zoning
must take into account any host groups that have been set up on the SAN device. LUN masking
is a process that makes a LUN available to some hosts and unavailable to other hosts.
Rationale
Segregating SAN activity can reduce the attack surface for the SAN, prevent non-ESXi
systems from accessing SANs, and separate environments, for example, test and production environments.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
The remediation procedures to properly segregate SAN activity are SAN vendor- or product-specific.
In general, with ESXi hosts, use single-initiator zoning or single-initiator-single-target
zoning. The latter is the preferred zoning practice. Using the more restrictive zoning prevents
problems and misconfigurations that can occur on the SAN.
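Because the check is not automated, an added example (not part of the benchmark or Nessus) of how a reviewer can classify an exported zone set against the single-initiator and single-initiator-single-target practice; the zone names, WWPNs and the initiator/target tables are constructed, and a real review would load them from the fabric's zone dump and the ESXi HBA inventory.

```python
# Constructed WWPN role tables: which members are ESXi HBAs (initiators)
# and which are storage array ports (targets). A raw zone dump does not
# carry this distinction, so it must come from the host and array inventory.
INITIATORS = {
    "10:00:00:90:fa:aa:00:01": "esxi01-hba0",
    "10:00:00:90:fa:aa:00:02": "esxi01-hba1",
    "10:00:00:90:fa:bb:00:01": "esxi02-hba0",
}
TARGETS = {
    "50:06:01:60:c0:00:00:11": "arrayA-spa0",
    "50:06:01:68:c0:00:00:12": "arrayA-spb0",
}

# Constructed zone set: zone name -> member WWPNs.
ZONES = {
    "z_esxi01_hba0_arrayA_spa0": ["10:00:00:90:fa:aa:00:01", "50:06:01:60:c0:00:00:11"],
    "z_esxi01_hba1_arrayA": ["10:00:00:90:fa:aa:00:02", "50:06:01:60:c0:00:00:11",
                             "50:06:01:68:c0:00:00:12"],
    "z_cluster_shared": ["10:00:00:90:fa:aa:00:01", "10:00:00:90:fa:bb:00:01",
                         "50:06:01:60:c0:00:00:11"],
    "z_legacy": ["10:00:00:90:fa:bb:00:01", "21:00:00:24:ff:de:ad:01"],
}

ACCEPTED = {"single-initiator-single-target", "single-initiator"}


def classify_zone(members, initiators=INITIATORS, targets=TARGETS):
    """Return the zoning pattern a zone follows, or why it needs review."""
    inits = [m for m in members if m in initiators]
    tgts = [m for m in members if m in targets]
    unknown = [m for m in members if m not in initiators and m not in targets]
    if unknown:
        # A WWPN not in the ESXi HBA or array inventory may be a non-ESXi host.
        return "unknown-member"
    if not inits or not tgts:
        return "incomplete"
    if len(inits) > 1:
        return "multi-initiator"
    return "single-initiator-single-target" if len(tgts) == 1 else "single-initiator"


def audit_zones(zones=ZONES, initiators=INITIATORS, targets=TARGETS):
    """Map every zone name to its classification."""
    return {name: classify_zone(m, initiators, targets) for name, m in zones.items()}


def zones_needing_review(zones=ZONES, initiators=INITIATORS, targets=TARGETS):
    """Zones that do not follow either accepted single-initiator practice."""
    results = audit_zones(zones, initiators, targets)
    return sorted(n for n, c in results.items() if c not in ACCEPTED)


if __name__ == "__main__":
    for name, verdict in audit_zones().items():
        print(f"{name}: {verdict}")
```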
Supportive Information
The following resource is also helpful.
This control applies to the following type of system: VMware.