SV-75373r1_rule
V-60915
SRG-NET-000026-RTR-000031
AMLS-L3-000230
CAT II
10
This check is only applicable to external-facing interfaces of a network edge router.
Configure the router to ensure that an egress filter or uRPF is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.
Configure uRPF via the "ip-verify unicast source reachable-via [any/strict]" statement from the interface configuration mode.
To apply an egress filter, configure an IP access List:
ip access-list [name]
[ip access list permit/deny statement]
exit
Then apply the access list to the external-facing interface:
int ethernet [X]
ip access-group [name-of-ACL] out
This check is only applicable to external-facing interfaces of a network edge router.
Review the router configuration to verify that uRPF or an egress filter restricting the router from accepting outbound IP packets that contain an illegitimate address in the source address field has been configured on all external interfaces. This is only applicable to perimeter routers.
If uRPF or an egress filter restricting the router from accepting outbound IP packets that contain an illegitimate address in the source address field has not been configured on all external interfaces of the enclave, this is a finding.
To verify that uRPF is configured, review the running-config for each required interface. The statement "ip-verify unicast source reachable" must be in the configuration. To verify use of an egress filter, verify that an IP access list is configured that permits only traffic sourced from within the organization's address space and that the access list is applied outbound on the egress interface.
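The check above is mechanical enough to script. The following is an added example, not part of the STIG text or of any vendor tool: it parses a constructed EOS-style running-config (sample interfaces, ACLs and address ranges are all made up here) and, for each interface the reviewer lists as external-facing, reports whether uRPF is enabled or an outbound ACL is applied whose permit entries are confined to the organization's own prefixes. The uRPF keyword "rx" in the sample is assumed to be how the platform spells strict mode; the matcher accepts both the "ip verify" and "ip-verify" spellings. The list of external interfaces and organization prefixes is input the reviewer supplies, since the config itself does not say which side of the perimeter an interface faces.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed running-config excerpt for illustration (not from any real device).
SAMPLE_CONFIG = """\
ip access-list EGRESS-FILTER
   10 permit ip 203.0.113.0/24 any
   20 permit ip 198.51.100.0/24 any
   30 deny ip any any
!
ip access-list BAD-EGRESS
   10 permit ip any any
!
interface Ethernet1
   ip address 192.0.2.2/30
   ip verify unicast source reachable-via rx
!
interface Ethernet2
   ip address 192.0.2.6/30
   ip access-group EGRESS-FILTER out
!
interface Ethernet3
   ip address 192.0.2.10/30
   ip access-group BAD-EGRESS out
!
interface Ethernet4
   ip address 192.0.2.14/30
!
"""

# Reviewer-supplied inputs (constructed): the organization's address space and
# the interfaces that face outside the enclave.
ORG_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
EXTERNAL_IFACES = ["Ethernet1", "Ethernet2", "Ethernet3", "Ethernet4"]

URPF = re.compile(r"^ip[- ]verify unicast source reachable-via\s+(\S+)")
ACL_OUT = re.compile(r"^ip access-group (\S+) out$")
ACL_ENTRY = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level header line (e.g. 'interface Ethernet1',
    'ip access-list NAME') to its indented child lines, whitespace-stripped."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def acl_permits_only_org(entries: List[str], org: List[ipaddress.IPv4Network]) -> bool:
    """True if every permit entry's source lies inside the organization's
    prefixes, i.e. a packet with an outside source address cannot be permitted
    outbound. A permit with source 'any' or an outside prefix fails."""
    for entry in entries:
        m = ACL_ENTRY.match(entry)
        if not m:
            continue  # remarks or unsupported syntax are not evaluated
        action, _proto, rest = m.groups()
        if action != "permit":
            continue
        tokens = rest.split()
        if tokens[0] == "any":
            return False
        if tokens[0] == "host":
            src = ipaddress.ip_network(tokens[1] + "/32")
        else:
            src = ipaddress.ip_network(tokens[0], strict=False)
        if not any(src.version == o.version and src.subnet_of(o) for o in org):
            return False
    return True


def assess(config: str, external_ifaces: List[str], org) -> Dict[str, str]:
    """Return a per-interface status string; anything starting with
    'FINDING' is a finding under this check."""
    blocks = parse_blocks(config)
    acls = {h.split(None, 2)[2]: lines for h, lines in blocks.items()
            if h.startswith("ip access-list ")}
    results: Dict[str, str] = {}
    for iface in external_ifaces:
        status = "FINDING: neither uRPF nor an egress filter is applied"
        for line in blocks.get(f"interface {iface}", []):
            u = URPF.match(line)
            if u:
                status = f"compliant: uRPF ({u.group(1)})"
                break
            a = ACL_OUT.match(line)
            if a:
                name = a.group(1)
                if name not in acls:
                    status = f"FINDING: ACL {name} applied out but not defined"
                elif acl_permits_only_org(acls[name], org):
                    status = f"compliant: egress filter {name}"
                else:
                    status = f"FINDING: ACL {name} permits sources outside organization space"
                break
        results[iface] = status
    return results


if __name__ == "__main__":
    for iface, status in assess(SAMPLE_CONFIG, EXTERNAL_IFACES, ORG_PREFIXES).items():
        print(f"{iface}: {status}")
```

In the sample, Ethernet1 (uRPF) and Ethernet2 (ACL limited to organization prefixes) pass, while Ethernet3 (ACL that permits any source) and Ethernet4 (no protection) are findings. The ACL check deliberately treats "permit ... any" as a failure even when a later deny exists, because a permit of arbitrary sources is exactly what lets spoofed packets leave.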
False
M
2823