SV-75309r1_rule
V-60853
SRG-APP-000142-NDM-000245
AMLS-NM-000210
CAT II
10
Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
To configure an access control list, use the following commands:
configure
ip access-list [name]
10 deny [protocol] [src port] [src mask] [dst port] [dst mask] [options]
exit
To apply an access control list to an interface, use the following commands from the interface configuration mode:
ip access-group [name] [direction]
Determine if the network device prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
This can be verified by reviewing the access control list configuration on the device and comparing against the PPSM CAL. The access control list configuration must deny ports, protocols, and services defined by the PPSM CAL. IP access list configuration can be viewed via the "show ip access-lists" command. To verify an interface has the appropriate access control list on it, use the "show ip access-list summary" command.
If any unnecessary or nonsecure functions are permitted, this is a finding.
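The comparison in the check above can be scripted. The following is an added example, not part of the STIG or vendor tooling: it walks captured "show ip access-lists" text in sequence order and reports every permit entry that a prohibited service can reach. The sample output, the PROHIBITED list, and the entry format (numeric ports; addresses given as any, host, or prefix/length) are assumptions; entries outside that format raise an error so they get manual review.

```python
import re

# Constructed sample of "show ip access-lists" output, not from a real device.
SAMPLE_ACL = """\
IP Access List MGMT-IN
        10 deny tcp any any eq 23
        20 permit tcp 10.1.1.0/24 any eq 22
        30 deny udp host 10.1.1.9 any eq 69
        40 permit udp any any range 60 70
        50 permit ip any any
"""

ADDR = r"(any|host \S+|\S+/\d+)"
PORT = r"(?: eq (\S+)| range (\S+) (\S+))?"
ENTRY = re.compile(rf"\s*(\d+) (permit|deny) (\S+) {ADDR}{PORT} {ADDR}{PORT}")

def parse(acl_text):
    """Yield (seq, action, proto, covers_all, low, high) for each ACL entry."""
    for line in acl_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            if re.match(r"\s*\d+ (permit|deny)\b", line):
                raise ValueError(f"entry needs manual review: {line.strip()}")
            continue  # list header or counters line
        seq, action, proto, src, s_eq, s_lo, _, dst, eq, lo, hi = m.groups()
        if eq:
            lo = hi = eq
        # int() raises ValueError on named ports, which this sketch does not map.
        low, high = (int(lo), int(hi)) if lo else (0, 65535)
        covers_all = src == dst == "any" and not (s_eq or s_lo)
        yield int(seq), action, proto, covers_all, low, high

def findings(acl_text, prohibited):
    """Return (proto, port, seq) for every permit a prohibited service can hit."""
    out = []
    for proto, port in prohibited:
        for seq, action, rproto, covers_all, low, high in parse(acl_text):
            if rproto not in (proto, "ip") or not low <= port <= high:
                continue
            if action == "permit":
                out.append((proto, port, seq))
            elif covers_all:
                break  # any-to-any deny shadows all later entries for this service
    return out

# Constructed stand-in for services the PPSM CAL prohibits (telnet, TFTP).
PROHIBITED = [("tcp", 23), ("udp", 69)]
```

In the sample, the host-specific deny at sequence 30 does not cover other sources, so the permits at 40 and 50 are reported for UDP 69. A deny counts as closing a service only when it is any-to-any with no source-port qualifier.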