Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

An XCCDF Rule

Description

<VulnDiscussion>This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-75327r1_rule
Severity: Medium
References: CCI-002890
Updated: about 1 year ago

Configure the network device to use secure protocols instead of their unsecured counterparts.

Configuration Example: 

Disable unsecure protocols.
configuremanagement telnet
shutdown
exit
management api http-commands
no protocol http
protocol https
exit 

Other protocols (FTP) can be denied using AAA and RBAC. For connections that require use of these maintenance protocols, creation of SSH tunnels can fulfill this security requirement. This is summarized here and available at length in the Common Criteria guidance document.

Configuration Example: 

management ssh
tunnel NEW
local port 514
ssh-server syslogServer user authuser port 22
remote host localhost port 514
no shutdown

Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Description

Remediation - Manual Procedure