Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Arista MLS DCS-7000 Series L2S Security Technical Implementation Guide

  • Version/Release: V1R3
  • Published: 2018-11-28
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
AC-4 - Medium - CCI-001368 - V-60813 - SV-75269r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
AMLS-L2-000100
Vuln IDs
  • V-60813
Rule IDs
  • SV-75269r1_rule
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. A few examples of flow control restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet and blocking information marked as classified but which is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).
Checks: C-61735r1_chk

Verify the use of Spanning-Tree Protocol for information flow control via the "show spanning-tree" command. Alternatively, from the output of the "show running-config" command, review the configuration for "spanning-tree mode" statement, and verify the line "spanning-tree disabled" is not present for production VLANs. If spanning-tree is not used for controlling the flow of information, this is a finding.

Fix: F-66499r1_fix

Configure the switch to use spanning-tree protocol for Layer-2 connections. The version of spanning-tree protocol as well as the VLANs upon which it is enabled must be determined according to organizational use and site policy. For full configuration examples, refer to the Arista Configuration Manual, Chapter 20.

b
The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
AC-4 - Medium - CCI-001414 - V-60821 - SV-75277r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001414
Version
AMLS-L2-000110
Vuln IDs
  • V-60821
Rule IDs
  • SV-75277r1_rule
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Examples of flow control restrictions include blocking outside traffic claiming to be from within the organization, and not passing any web requests to the Internet not from the internal web proxy. Additional examples of restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet, and blocking information marked as classified, but which is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).
Checks: C-61767r1_chk

Verify the use of MAC Access Control Lists to prevent unintended information flow between network segments. For network boundary interfaces, verify the use of an access control list by entering "show mac access-list summary" to validate the use of an access control list on the interface. Verify the access control list restricts network traffic as intended by entering "show mac access-list [name]" and substituting the name of the access control list for the bracketed variable. If there is no access control list configured, or if the access control list does not prevent unintended flow of information between network segments, this is a finding.

Fix: F-66531r1_fix

Configure an Access Control List to control information flow between connected networks. Configuration Example configure mac access-list STIG permit [src mac] [src mask] [dst mac] [dst mask]/[any] [protocol] exit

b
The Arista Multilayer Switch must uniquely identify all network-connected endpoint devices before establishing any connection.
IA-3 - Medium - CCI-000778 - V-60823 - SV-75279r1_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
AMLS-L2-000120
Vuln IDs
  • V-60823
Rule IDs
  • SV-75279r1_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.
Checks: C-61769r1_chk

Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch. 802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the "show dot1x all" command and validating the following lines are present in the configuration: Dot1X Information for Ethernet[X] -------------------------------------------- PortControl : auto HostMode : single-host QuietPeriod : [value] TxPeriod : [value] ReauthPeriod : 3600 seconds MaxReauthReq : 2 ! 802.1X must also be globally enabled on the switch using the "dot1x system-auth-control" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config: dot1x-system-auth-control 802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the "aaa authentication dot1x default group [radius]" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config: aaa authentication dot1x default group radius If 802.1X is not configured on necessary ports or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.

Fix: F-66533r1_fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value. config interface Ethernet[X] switchport access vlan [Y] dot1x pae authenticator dot1x reauthentication dot1x port-control auto dot1x host-mode single-host dot1x timeout quiet-period [value] dot1x timeout reauth-period [value] dot1x max-reauth-req [value] For the global configuration, include the following command statements from the global configuration mode interface: logging level DOT1X informational aaa authentication dot1x default group radius dot1x system-auth-control

b
The Arista Multilayer Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-60825 - SV-75281r1_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
AMLS-L2-000130
Vuln IDs
  • V-60825
Rule IDs
  • SV-75281r1_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). Bidirectional authentication solutions include, but are not limited to, IEEE 802.1x and Extensible Authentication Protocol (EAP) and Radius server with EAP-Transport Layer Security (TLS) authentication. A network connection is any connection with a device that communicates through a network (e.g., local area network, wide area network, or the Internet). Authentication must use a form of cryptography to ensure a high level of trust and authenticity.
Checks: C-61771r1_chk

Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch. 802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the "show dot1x all" command and validating the following lines are present in the configuration: Dot1X Information for Ethernet[X] -------------------------------------------- PortControl : auto HostMode : single-host QuietPeriod : [value] TxPeriod : [value] ReauthPeriod : 3600 seconds MaxReauthReq : 2 ! 802.1X must also be globally enabled on the switch using the "dot1x system-auth-control" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config: dot1x-system-auth-control 802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the "aaa authentication dot1x default group [radius]" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group, or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config: aaa authentication dot1x default group radius If 802.1X is not configured on necessary ports, or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.

Fix: F-66535r1_fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value. config interface Ethernet[X] switchport access vlan [Y] dot1x pae authenticator dot1x reauthentication dot1x port-control auto dot1x host-mode single-host dot1x timeout quiet-period [value] dot1x timeout reauth-period [value] dot1x max-reauth-req [value] For the global configuration, include the following command statements from the global configuration mode interface: logging level DOT1X informational aaa authentication dot1x default group radius dot1x system-auth-control

b
The Arista Multilayer Switch must authenticate 802.1X connected devices before establishing any connection.
IA-3 - Medium - CCI-001958 - V-60831 - SV-75287r1_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
AMLS-L2-000160
Vuln IDs
  • V-60831
Rule IDs
  • SV-75287r1_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.
Checks: C-61777r1_chk

This requirement only applies to devices required to employ 802.1X. Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch. 802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the "show dot1x all" command and validating the following lines are present in the configuration: Dot1X Information for Ethernet[X] -------------------------------------------- PortControl : auto HostMode : single-host QuietPeriod : [value] TxPeriod : [value] ReauthPeriod : 3600 seconds MaxReauthReq : 2 ! 802.1X must also be globally enabled on the switch using the "dot1x system-auth-control" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config: dot1x-system-auth-control 802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the "aaa authentication dot1x default group [radius]" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config: aaa authentication dot1x default group radius If 802.1X is not configured on necessary ports or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.

Fix: F-66541r1_fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value. config interface Ethernet[X] switchport access vlan [Y] dot1x pae authenticator dot1x reauthentication dot1x port-control auto dot1x host-mode single-host dot1x timeout quiet-period [value] dot1x timeout reauth-period 3600 dot1x max-reauth-req [value] For the global configuration, include the following command statements from the global configuration mode interface: logging level DOT1X informational aaa authentication dot1x default group radius dot1x system-auth-control