Arista MLS DCS-7000 Series L2S Security Technical Implementation Guide

V1R1 2015-07-06       U_Arista_MLS_DCS-7000_Series_L2S_STIG_V1R1_Manual-xccdf.xml
V1R2 2016-03-29       U_Arista_MLS_DCS-7000_Series_L2S_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 7
No Change 7
Updated 0
Added 0
Removed 0
V-60813 No Change
Findings ID: AMLS-L2-000100 Rule ID: SV-75269r1_rule Severity: medium CCI: CCI-001368

Discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.

A few examples of flow control restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet and blocking information marked as classified but which is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems.

Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).

Checks

Verify the use of Spanning-Tree Protocol for information flow control via the "show spanning-tree" command.

Alternatively, from the output of the "show running-config" command, review the configuration for "spanning-tree mode" statement, and verify the line "spanning-tree disabled" is not present for production VLANs.

If spanning-tree is not used for controlling the flow of information, this is a finding.

Fix

Configure the switch to use spanning-tree protocol for Layer-2 connections.

The version of spanning-tree protocol as well as the VLANs upon which it is enabled must be determined according to organizational use and site policy.

For full configuration examples, refer to the Arista Configuration Manual, Chapter 20.
V-60821 No Change
Findings ID: AMLS-L2-000110 Rule ID: SV-75277r1_rule Severity: medium CCI: CCI-001414

Discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.

Examples of flow control restrictions include blocking outside traffic claiming to be from within the organization, and not passing any web requests to the Internet not from the internal web proxy. Additional examples of restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet, and blocking information marked as classified, but which is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems.

Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).

Checks

Verify the use of MAC Access Control Lists to prevent unintended information flow between network segments.

For network boundary interfaces, verify the use of an access control list by entering "show mac access-list summary" to validate the use of an access control list on the interface.

Verify the access control list restricts network traffic as intended by entering "show mac access-list [name]" and substituting the name of the access control list for the bracketed variable.

If there is no access control list configured, or if the access control list does not prevent unintended flow of information between network segments, this is a finding.

Fix

Configure an Access Control List to control information flow between connected networks.
Configuration Example
configure
mac access-list STIG
permit [src mac] [src mask] [dst mac] [dst mask]/[any] [protocol]
exit
V-60823 No Change
Findings ID: AMLS-L2-000120 Rule ID: SV-75279r1_rule Severity: medium CCI: CCI-000778

Discussion

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions.

This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.

Checks

Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch.

802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the "show dot1x all" command and validating the following lines are present in the configuration:

Dot1X Information for Ethernet[X]
--------------------------------------------
PortControl : auto
HostMode : single-host
QuietPeriod : [value]
TxPeriod : [value]
ReauthPeriod : 3600 seconds
MaxReauthReq : 2

!

802.1X must also be globally enabled on the switch using the "dot1x system-auth-control" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config:

dot1x-system-auth-control

802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the "aaa authentication dot1x default group [radius]" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config:

aaa authentication dot1x default group radius

If 802.1X is not configured on necessary ports or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.

Fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.

config
interface Ethernet[X]
switchport access vlan [Y]
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period [value]
dot1x timeout reauth-period [value]
dot1x max-reauth-req [value]

For the global configuration, include the following command statements from the global configuration mode interface:

logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
V-60825 No Change
Findings ID: AMLS-L2-000130 Rule ID: SV-75281r1_rule Severity: medium CCI: CCI-001967

Discussion

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).

Bidirectional authentication solutions include, but are not limited to, IEEE 802.1x and Extensible Authentication Protocol (EAP) and Radius server with EAP-Transport Layer Security (TLS) authentication.

A network connection is any connection with a device that communicates through a network (e.g., local area network, wide area network, or the Internet).

Authentication must use a form of cryptography to ensure a high level of trust and authenticity.

Checks

Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch.

802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the "show dot1x all" command and validating the following lines are present in the configuration:

Dot1X Information for Ethernet[X]
--------------------------------------------
PortControl : auto
HostMode : single-host
QuietPeriod : [value]
TxPeriod : [value]
ReauthPeriod : 3600 seconds
MaxReauthReq : 2

!

802.1X must also be globally enabled on the switch using the "dot1x system-auth-control" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config:

dot1x-system-auth-control

802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the "aaa authentication dot1x default group [radius]" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group, or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config:

aaa authentication dot1x default group radius

If 802.1X is not configured on necessary ports, or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.

Fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.

config
interface Ethernet[X]
switchport access vlan [Y]
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period [value]
dot1x timeout reauth-period [value]
dot1x max-reauth-req [value]

For the global configuration, include the following command statements from the global configuration mode interface:

logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
V-60827 No Change
Findings ID: AMLS-L2-000140 Rule ID: SV-75283r1_rule Severity: medium CCI: CCI-001967

Discussion

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).

Bidirectional authentication solutions include, but are not limited to, IEEE 802.1x and Extensible Authentication Protocol (EAP) and Radius server with EAP-Transport Layer Security (TLS) authentication.

A network connection is any connection with a device that communicates through a network (e.g., local area network, wide area network, or the Internet).

Authentication must use a form of cryptography to ensure a high level of trust and authenticity. Re-authentication must occur to ensure session security.

Checks

This requirement only applies to devices required to employ 802.1X authentication.

Verify that the network device uniquely identifies network-connected endpoint devices and re-authenticates devices every 60 minutes or less. This can be viewed via the "show dot1x all" command. Under the interface configuration for the .1X connected port, the following statements must be present:

ReauthPeriod : 3600 seconds

If the device does not require re-authentication, or if the re-authentication period is longer than 60 minutes, this is a finding.

Fix

Configure 802.1X on the switch, including the following mandatory parameters in the interface configuration mode:

config
interface Ethernet[X]
dot1x reauthentication
dot1x timeout reauth-period 3600
V-60829 No Change
Findings ID: AMLS-L2-000150 Rule ID: SV-75285r1_rule Severity: medium CCI: CCI-002039

Discussion

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances:

(i) When authenticators change;
(ii) When roles change;
(iii) When security categories of information systems change;
(iv) When the execution of privileged functions occurs;
(v) After a fixed period of time; or
(vi) Periodically.

Within the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.

This requirement only applies to components where this is specific to the function of the device or has the concept of user authentication (e.g., VPN or ALG capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).

Checks

This requirement only applies to devices required to employ 802.1X.

Verify the Arista Multilayer Switch re-authenticates 802.1X connected devices every hour. If the Arista Multilayer Switch does not re-authenticate 802.1X connected devices, this is a finding.

This can be viewed via the "show dot1x all" command. Under the interface configuration for the .1X connected port, the following statements must be present:

ReauthPeriod : 3600 seconds

If the device does not require re-authentication, or if the re-authentication period is longer than 60 minutes, this is a finding.

Fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.

config
interface Ethernet[X]
switchport access vlan [Y]
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period [value]
dot1x timeout reauth-period 3600
dot1x max-reauth-req [value]

For the global configuration, include the following command statements from the global configuration mode interface:

logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
V-60831 No Change
Findings ID: AMLS-L2-000160 Rule ID: SV-75287r1_rule Severity: medium CCI: CCI-001958

Discussion

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.

This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.

Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.

Checks

This requirement only applies to devices required to employ 802.1X.

Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch.

802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the "show dot1x all" command and validating the following lines are present in the configuration:

Dot1X Information for Ethernet[X]
--------------------------------------------
PortControl : auto
HostMode : single-host
QuietPeriod : [value]
TxPeriod : [value]
ReauthPeriod : 3600 seconds
MaxReauthReq : 2

!

802.1X must also be globally enabled on the switch using the "dot1x system-auth-control" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config:

dot1x-system-auth-control

802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the "aaa authentication dot1x default group [radius]" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config:

aaa authentication dot1x default group radius

If 802.1X is not configured on necessary ports or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.

Fix

Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.

config
interface Ethernet[X]
switchport access vlan [Y]
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period [value]
dot1x timeout reauth-period 3600
dot1x max-reauth-req [value]

For the global configuration, include the following command statements from the global configuration mode interface:

logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control