{
"stig": {
"date": "2018-11-28",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-60813": {
"checkid": "C-61735r1_chk",
"checktext": "Verify the use of Spanning-Tree Protocol for information flow control via the \"show spanning-tree\" command.\n\nAlternatively, from the output of the \"show running-config\" command, review the configuration for \"spanning-tree mode\" statement, and verify the line \"spanning-tree disabled\" is not present for production VLANs.\n\nIf spanning-tree is not used for controlling the flow of information, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. \n\nA few examples of flow control restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet and blocking information marked as classified but which is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems.\n\nEnforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).",
"fixid": "F-66499r1_fix",
"fixtext": "Configure the switch to use spanning-tree protocol for Layer-2 connections.\n\nThe version of spanning-tree protocol as well as the VLANs upon which it is enabled must be determined according to organizational use and site policy.\n\nFor full configuration examples, refer to the Arista Configuration Manual, Chapter 20.",
"iacontrols": null,
"id": "V-60813",
"ruleID": "SV-75269r1_rule",
"severity": "medium",
"title": "The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.",
"version": "AMLS-L2-000100"
},
"V-60821": {
"checkid": "C-61767r1_chk",
"checktext": "Verify the use of MAC Access Control Lists to prevent unintended information flow between network segments. \n\nFor network boundary interfaces, verify the use of an access control list by entering \"show mac access-list summary\" to validate the use of an access control list on the interface. \n\nVerify the access control list restricts network traffic as intended by entering \"show mac access-list [name]\" and substituting the name of the access control list for the bracketed variable.\n\nIf there is no access control list configured, or if the access control list does not prevent unintended flow of information between network segments, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. \n\nExamples of flow control restrictions include blocking outside traffic claiming to be from within the organization, and not passing any web requests to the Internet not from the internal web proxy. Additional examples of restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet, and blocking information marked as classified, but which is being transported to an unapproved destination. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems.\n\nEnforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).",
"fixid": "F-66531r1_fix",
"fixtext": "Configure an Access Control List to control information flow between connected networks.\nConfiguration Example\nconfigure\nmac access-list STIG\n permit [src mac] [src mask] [dst mac] [dst mask]/[any] [protocol]\nexit",
"iacontrols": null,
"id": "V-60821",
"ruleID": "SV-75277r1_rule",
"severity": "medium",
"title": "The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.",
"version": "AMLS-L2-000110"
},
"V-60823": {
"checkid": "C-61769r1_chk",
"checktext": "Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch.\n\n802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the \"show dot1x all\" command and validating the following lines are present in the configuration:\n\nDot1X Information for Ethernet[X]\n--------------------------------------------\nPortControl : auto\nHostMode : single-host\nQuietPeriod : [value]\nTxPeriod : [value]\nReauthPeriod : 3600 seconds\nMaxReauthReq : 2\n\n!\n\n802.1X must also be globally enabled on the switch using the \"dot1x system-auth-control\" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config:\n\ndot1x-system-auth-control\n\n802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the \"aaa authentication dot1x default group [radius]\" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config:\n\naaa authentication dot1x default group radius\n\nIf 802.1X is not configured on necessary ports or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.",
"description": "Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nFor distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions.\n\nThis requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.",
"fixid": "F-66533r1_fix",
"fixtext": "Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.\n\nconfig\ninterface Ethernet[X]\n switchport access vlan [Y]\n dot1x pae authenticator\n dot1x reauthentication\n dot1x port-control auto\n dot1x host-mode single-host\n dot1x timeout quiet-period [value]\n dot1x timeout reauth-period [value]\n dot1x max-reauth-req [value]\n\nFor the global configuration, include the following command statements from the global configuration mode interface:\n\nlogging level DOT1X informational\naaa authentication dot1x default group radius\ndot1x system-auth-control",
"iacontrols": null,
"id": "V-60823",
"ruleID": "SV-75279r1_rule",
"severity": "medium",
"title": "The Arista Multilayer Switch must uniquely identify all network-connected endpoint devices before establishing any connection.",
"version": "AMLS-L2-000120"
},
"V-60825": {
"checkid": "C-61771r1_chk",
"checktext": "Verify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch.\n\n802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the \"show dot1x all\" command and validating the following lines are present in the configuration:\n\nDot1X Information for Ethernet[X]\n--------------------------------------------\nPortControl : auto\nHostMode : single-host\nQuietPeriod : [value]\nTxPeriod : [value]\nReauthPeriod : 3600 seconds\nMaxReauthReq : 2\n\n!\n\n802.1X must also be globally enabled on the switch using the \"dot1x system-auth-control\" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config:\n\ndot1x-system-auth-control\n\n802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the \"aaa authentication dot1x default group [radius]\" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group, or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config:\n\naaa authentication dot1x default group radius\n\nIf 802.1X is not configured on necessary ports, or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.",
"description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).\n\nBidirectional authentication solutions include, but are not limited to, IEEE 802.1x and Extensible Authentication Protocol (EAP) and Radius server with EAP-Transport Layer Security (TLS) authentication.\n \nA network connection is any connection with a device that communicates through a network (e.g., local area network, wide area network, or the Internet).\n\nAuthentication must use a form of cryptography to ensure a high level of trust and authenticity.",
"fixid": "F-66535r1_fix",
"fixtext": "Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.\n\nconfig\ninterface Ethernet[X]\n switchport access vlan [Y]\n dot1x pae authenticator\n dot1x reauthentication\n dot1x port-control auto\n dot1x host-mode single-host\n dot1x timeout quiet-period [value]\n dot1x timeout reauth-period [value]\n dot1x max-reauth-req [value]\n\nFor the global configuration, include the following command statements from the global configuration mode interface:\n\nlogging level DOT1X informational\naaa authentication dot1x default group radius\ndot1x system-auth-control",
"iacontrols": null,
"id": "V-60825",
"ruleID": "SV-75281r1_rule",
"severity": "medium",
"title": "The Arista Multilayer Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.",
"version": "AMLS-L2-000130"
},
"V-60831": {
"checkid": "C-61777r1_chk",
"checktext": "This requirement only applies to devices required to employ 802.1X.\n\nVerify that the network device uniquely identifies network-connected endpoint devices. This requirement is not applicable to Arista switches when not used as an access switch.\n\n802.1X must be configured on any interface where there is an applicable endpoint device connected. This is demonstrated by viewing the running-config via the \"show dot1x all\" command and validating the following lines are present in the configuration:\n\nDot1X Information for Ethernet[X]\n--------------------------------------------\nPortControl : auto\nHostMode : single-host\nQuietPeriod : [value]\nTxPeriod : [value]\nReauthPeriod : 3600 seconds\nMaxReauthReq : 2\n\n!\n\n802.1X must also be globally enabled on the switch using the \"dot1x system-auth-control\" command from the configuration mode interface. When this is configured, the following line will be visible in the running-config:\n\ndot1x-system-auth-control\n\n802.1X is dependent on a properly configured RADIUS server for authentication. Refer to the RADIUS configuration example for validation of properly configured AAA services. Additionally, the user must specify to use the RADIUS server as an 802.1X authenticator with the \"aaa authentication dot1x default group [radius]\" command from the configuration mode interface, replacing the bracketed variable with either the group name of the RADIUS server group or leaving it as is to authenticate against all RADIUS servers. When properly configured, the following line is visible in the running-config:\n\naaa authentication dot1x default group radius\n\nIf 802.1X is not configured on necessary ports or is not globally enabled on the switch, or if it is not set to authenticate supplicants via RADIUS, this is a finding.",
"description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nFor distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.\n\nThis requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply. \n\nDevice authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.",
"fixid": "F-66541r1_fix",
"fixtext": "Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.\n\nconfig\ninterface Ethernet[X]\n switchport access vlan [Y]\n dot1x pae authenticator\n dot1x reauthentication\n dot1x port-control auto\n dot1x host-mode single-host\n dot1x timeout quiet-period [value]\n dot1x timeout reauth-period 3600\n dot1x max-reauth-req [value]\n\nFor the global configuration, include the following command statements from the global configuration mode interface:\n\nlogging level DOT1X informational\naaa authentication dot1x default group radius\ndot1x system-auth-control",
"iacontrols": null,
"id": "V-60831",
"ruleID": "SV-75287r1_rule",
"severity": "medium",
"title": "The Arista Multilayer Switch must authenticate 802.1X connected devices before establishing any connection.",
"version": "AMLS-L2-000160"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-60813": "true",
"V-60821": "true",
"V-60823": "true",
"V-60825": "true",
"V-60831": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "arista_mls_dcs-7000_series_l2s",
"title": "Arista MLS DCS-7000 Series L2S Security Technical Implementation Guide",
"version": "1"
}
}