Skip to content
Log In

Arista MLS EOS 4.2x Router Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000019-RTR-000008

    Group
    Show

  • SRG-NET-000019-RTR-000009

    Group
    Show

  • The Arista perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

    ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could...
    Rule High Severity
    Show

  • SRG-NET-000019-RTR-000010

    Group
    Show

  • The Arista perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.

    If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to...
    Rule Low Severity
    Show

  • SRG-NET-000019-RTR-000011

    Group
    Show

  • The out-of-band management (OOBM) Arista gateway router must be configured to have separate IGP instances for the managed network and management network.

    If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the mana...
    Rule Medium Severity
    Show

  • SRG-NET-000019-RTR-000012

    Group
    Show

  • SRG-NET-000019-RTR-000013

    Group
    Show

  • The multicast Rendezvous Point (RP) Arista router must be configured to filter Protocol Independent Multicast (PIM) Register and Join messages received from the Designated Router (DR) for any undesirable multicast groups and sources.

    Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial...
    Rule Low Severity
    Show

  • SRG-NET-000076-RTR-000001

    Group
    Show

  • SRG-NET-000131-RTR-000035

    Group
    Show

  • The Arista router must be configured to have all non-essential capabilities disabled.

    A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attack...
    Rule Low Severity
    Show

  • SRG-NET-000168-RTR-000077

    Group
    Show

  • The Arista router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.

    A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
    Rule Medium Severity
    Show

  • SRG-NET-000193-RTR-000001

    Group
    Show

  • SRG-NET-000193-RTR-000112

    Group
    Show

  • The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

    DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective o...
    Rule Medium Severity
    Show

  • SRG-NET-000193-RTR-000113

    Group
    Show

  • The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

    Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network re...
    Rule Low Severity
    Show

  • SRG-NET-000193-RTR-000114

    Group
    Show

  • The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

    Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network re...
    Rule Low Severity
    Show

  • SRG-NET-000202-RTR-000001

    Group
    Show

  • SRG-NET-000205-RTR-000001

    Group
    Show

  • The Arista router must be configured to restrict traffic destined to itself.

    The route processor handles traffic destined to the router, the key component used to build forwarding paths that is also instrumental with all network management functions. Hence, any disruption o...
    Rule High Severity
    Show

  • SRG-NET-000205-RTR-000002

    Group
    Show

  • The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

    Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
    Rule Medium Severity
    Show

  • SRG-NET-000205-RTR-000003

    Group
    Show

  • The Arista perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.

    Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of acce...
    Rule Medium Severity
    Show

  • SRG-NET-000205-RTR-000005

    Group
    Show

  • The Arista perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.

    Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of acce...
    Rule Medium Severity
    Show

  • SRG-NET-000205-RTR-000006

    Group
    Show

  • SRG-NET-000205-RTR-000008

    Group
    Show

  • The Arista router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.

    The uRPF feature is a defense against spoofing and denial-of-service (DoS) attacks by verifying if the source address of any ingress packet is reachable. To mitigate attacks that rely on forged sou...
    Rule Medium Severity
    Show

  • SRG-NET-000205-RTR-000010

    Group
    Show

  • The out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

    The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each ...
    Rule Medium Severity
    Show

  • SRG-NET-000205-RTR-000011

    Group
    Show

  • The out-of-band management (OOBM) Arista gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

    If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that h...
    Rule Medium Severity
    Show

  • SRG-NET-000205-RTR-000012

    Group
    Show

  • SRG-NET-000205-RTR-000014

    Group
    Show

  • SRG-NET-000230-RTR-000002

    Group
    Show

  • The Arista BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.

    If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who wou...
    Rule Medium Severity
    Show

  • SRG-NET-000343-RTR-000001

    Group
    Show

  • The PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

    LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, eac...
    Rule Medium Severity
    Show

  • SRG-NET-000362-RTR-000109

    Group
    Show

  • The Arista router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.

    Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (...
    Rule Medium Severity
    Show

  • SRG-NET-000362-RTR-000111

    Group
    Show

  • The Arista router must be configured to have gratuitous ARP disabled on all external interfaces.

    A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can c...
    Rule Medium Severity
    Show

  • SRG-NET-000362-RTR-000112

    Group
    Show

  • SRG-NET-000362-RTR-000113

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules