Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000364-RTR-000109

    Group
  • SRG-NET-000168-RTR-000077

    Group
  • The Arista Multilayer Switch must not enable the RIP routing protocol.

    A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
    Rule Medium Severity
  • SRG-NET-000019-RTR-000002

    Group
  • The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

    Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduc...
    Rule Medium Severity
  • The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.

    If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multic...
    Rule Medium Severity
  • The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

    Enclaves with Alternate Gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic comin...
    Rule Medium Severity
  • The Arista Multilayer Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.

    The out-of-band management access switch will connect to the management interface of the managed network elements. The management interface can be a true out-of-band management interface or a stand...
    Rule Medium Severity
  • The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP.

    A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
    Rule Medium Severity
  • The Arista Multilayer Switch must be configured to disable non-essential capabilities.

    A compromised router introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks...
    Rule Medium Severity