STIGQter: STIG Summary: Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019:

Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

DISA Rule

SV-75329r1_rule

Vulnerability Number

V-60871

Group Title

SRG-APP-000412-NDM-000331

Rule Version

AMLS-NM-000350

Severity

CAT II

CCI(s)

• CCI-003123 - The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

Weight

10

Fix Recommendation

Configure the network device to use secure protocols instead of their unsecured counterparts.

Configuration Example:

Disable unsecure protocols.
configure
management telnet
shutdown
exit
management api http-commands
no protocol http
protocol https
exit

Other protocols (FTP) can be denied using AAA and RBAC. For connections that require use of these maintenance protocols, creation of SSH tunnels can fulfill this security requirement. This is summarized here and available at length in the Common Criteria guidance document.

Configuration Example:

management ssh
tunnel NEW
local port 514
ssh-server syslogServer user authuser port 22
remote host localhost port 514
no shutdown

Check Contents

Determine if the network device uses secure protocols instead of their unsecured counterparts.

If any unsecured maintenance protocols are in use (e.g., telnet, FTP, HTTP) and these protocols are not wrapped in a secure tunnel, this is a finding.

Validate by checking that unsecure protocols are either disabled or wrapped in SSH tunnels.

Executing a "show run" command will provide a means to validate this config. From the output of this command, verify that there is no statement enabling telnet, no statement enabling FTP, no statement enabling HTTP, and no statement enabling the API, or the API is configured to use only HTTPS.

Vulnerability Number

V-60871

Documentable

False

Rule Version

AMLS-NM-000350

Severity Override Guidance

Determine if the network device uses secure protocols instead of their unsecured counterparts.

If any unsecured maintenance protocols are in use (e.g., telnet, FTP, HTTP) and these protocols are not wrapped in a secure tunnel, this is a finding.

Validate by checking that unsecure protocols are either disabled or wrapped in SSH tunnels.

Executing a "show run" command will provide a means to validate this config. From the output of this command, verify that there is no statement enabling telnet, no statement enabling FTP, no statement enabling HTTP, and no statement enabling the API, or the API is configured to use only HTTPS.

Check Content Reference

M

Target Key

2825

Comments