I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-NET-000193-RTR-000113
Group -
The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.
Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network re...Rule Low Severity -
SRG-NET-000193-RTR-000114
Group -
The PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.
Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network re...Rule Low Severity -
SRG-NET-000202-RTR-000001
Group -
The Arista perimeter router must be configured to deny network traffic by default and allow network traffic by exception.
A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed. This requirement applies to both inbound and outbou...Rule High Severity -
SRG-NET-000205-RTR-000001
Group -
The Arista router must be configured to restrict traffic destined to itself.
The route processor handles traffic destined to the router, the key component used to build forwarding paths that is also instrumental with all network management functions. Hence, any disruption o...Rule High Severity -
SRG-NET-000205-RTR-000002
Group -
The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.Rule Medium Severity -
SRG-NET-000205-RTR-000003
Group -
The Arista perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.
Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of acce...Rule Medium Severity -
SRG-NET-000205-RTR-000005
Group -
The Arista perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.
Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of acce...Rule Medium Severity -
SRG-NET-000205-RTR-000006
Group -
The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.Rule Medium Severity -
SRG-NET-000205-RTR-000007
Group -
The Arista router must be configured to block any traffic that is destined to IP core infrastructure.
IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as Layer 2 networks. Although the...Rule High Severity -
SRG-NET-000205-RTR-000008
Group -
The Arista router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.
The uRPF feature is a defense against spoofing and denial-of-service (DoS) attacks by verifying if the source address of any ingress packet is reachable. To mitigate attacks that rely on forged sou...Rule Medium Severity -
SRG-NET-000205-RTR-000010
Group -
The out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each ...Rule Medium Severity -
SRG-NET-000205-RTR-000011
Group -
The out-of-band management (OOBM) Arista gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that h...Rule Medium Severity -
SRG-NET-000205-RTR-000012
Group -
The Arista router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
The OOBM access router will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the man...Rule Medium Severity -
SRG-NET-000205-RTR-000014
Group -
The Arista perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in "botnets", a collection of compromised computers using mal...Rule High Severity -
SRG-NET-000230-RTR-000002
Group -
The Arista BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who wou...Rule Medium Severity -
SRG-NET-000343-RTR-000001
Group -
The PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, eac...Rule Medium Severity -
SRG-NET-000362-RTR-000109
Group -
The Arista router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (...Rule Medium Severity -
SRG-NET-000362-RTR-000111
Group -
The Arista router must be configured to have gratuitous ARP disabled on all external interfaces.
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can c...Rule Medium Severity -
SRG-NET-000362-RTR-000112
Group -
The Arista router must be configured to have IP directed broadcast disabled on all interfaces.
An IP-directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unic...Rule Low Severity -
SRG-NET-000362-RTR-000113
Group -
The Arista router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP ...Rule Medium Severity -
SRG-NET-000362-RTR-000114
Group -
The Arista router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messag...Rule Medium Severity -
SRG-NET-000362-RTR-000115
Group -
The Arista router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages...Rule Medium Severity -
SRG-NET-000362-RTR-000117
Group -
The Arista BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured...Rule Medium Severity -
SRG-NET-000362-RTR-000118
Group -
The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured...Rule Low Severity -
SRG-NET-000362-RTR-000120
Group -
The multicast Rendezvous Point (RP) Arista router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.