Skip to content
Log In

Arista MLS EOS 4.2x Router Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.

    To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
    Rule Low Severity
    Show

  • SRG-NET-000018-RTR-000010

    Group
    Show

  • SRG-NET-000205-RTR-000007

    Group
    Show

  • SRG-NET-000019-RTR-000002

    Group
    Show

  • SRG-NET-000019-RTR-000003

    Group
    Show

  • The Arista multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.

    If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multic...
    Rule Medium Severity
    Show

  • SRG-NET-000019-RTR-000004

    Group
    Show

  • SRG-NET-000019-RTR-000005

    Group
    Show

  • The Arista multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

    If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are loc...
    Rule Low Severity
    Show

  • SRG-NET-000019-RTR-000007

    Group
    Show

  • SRG-NET-000019-RTR-000008

    Group
    Show

  • SRG-NET-000019-RTR-000009

    Group
    Show

  • The Arista perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

    ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could...
    Rule High Severity
    Show

  • SRG-NET-000019-RTR-000010

    Group
    Show

  • The Arista perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.

    If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to...
    Rule Low Severity
    Show

  • SRG-NET-000019-RTR-000011

    Group
    Show

  • The out-of-band management (OOBM) Arista gateway router must be configured to have separate IGP instances for the managed network and management network.

    If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the mana...
    Rule Medium Severity
    Show

  • SRG-NET-000019-RTR-000012

    Group
    Show

  • SRG-NET-000019-RTR-000013

    Group
    Show

  • The multicast Rendezvous Point (RP) Arista router must be configured to filter Protocol Independent Multicast (PIM) Register and Join messages received from the Designated Router (DR) for any undesirable multicast groups and sources.

    Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial...
    Rule Low Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules