The Arista router must be configured to block any traffic that is destined to IP core infrastructure.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256021	ARST-RT-000400	SV-256021r882405_rule		High

Description
IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity. IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, non-optimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.

Description

IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity. IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, non-optimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.

STIG	Date
Arista MLS EOS 4.2x Router Security Technical Implementation Guide	2023-01-17

Details

Check Text ( C-59697r882403_chk )
Review the Arista router configuration to verify an ingress ACL is applied to all CE-facing interfaces. Verify the ingress ACL rejects and logs packets destined to the IP core address block. Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent peers. Step 1: Verify the ingress ACL is configured to drop any traffic with destination address assigned to the IP core infrastructure. Execute the command "sh ip access-list". ip access-list DROP_INBOUND deny ip any 172.16.0.0/16 log permit icmp any any permit ip any any Step 2: To verify the ingress ACL applied to all CE facing interfaces inbound to drop all the traffic coming toward the CE, execute the command "sh run int Eth YY". interface Ethernet 2 ip access-group DROP_INBOUND in If the Arista PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Check Text ( C-59697r882403_chk )

Review the Arista router configuration to verify an ingress ACL is applied to all CE-facing interfaces.

Verify the ingress ACL rejects and logs packets destined to the IP core address block.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent peers.

Step 1: Verify the ingress ACL is configured to drop any traffic with destination address assigned to the IP core infrastructure. Execute the command "sh ip access-list".

ip access-list DROP_INBOUND
deny ip any 172.16.0.0/16 log
permit icmp any any
permit ip any any

Step 2: To verify the ingress ACL applied to all CE facing interfaces inbound to drop all the traffic coming toward the CE, execute the command "sh run int Eth YY".

interface Ethernet 2
ip access-group DROP_INBOUND in

If the Arista PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Fix Text (F-59640r882404_fix)
Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure. Step 1: Configure an ingress ACL to drop any traffic with destination address assigned to the IP core infrastructure. router(config)#ip access-list DROP_INBOUND router(config-acl-DROP_INBOUND)#deny ip any 172.16.0.0/16 log router(config-acl-DROP_INBOUND)#permit icmp any any router(config-acl-DROP_INBOUND)#permit ip any any router(config-acl-DROP_INBOUND)#exit Step 2: Apply the ACL to all CE-facing interfaces inbound to drop all the traffic coming toward the CE. router(config)#interface Ethernet 2 router(config-if-Et2)#ip access-group DROP_INBOUND in router(config-if-Et2)#end

Fix Text (F-59640r882404_fix)

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Step 1: Configure an ingress ACL to drop any traffic with destination address assigned to the IP core infrastructure.

router(config)#ip access-list DROP_INBOUND
router(config-acl-DROP_INBOUND)#deny ip any 172.16.0.0/16 log
router(config-acl-DROP_INBOUND)#permit icmp any any
router(config-acl-DROP_INBOUND)#permit ip any any
router(config-acl-DROP_INBOUND)#exit

Step 2: Apply the ACL to all CE-facing interfaces inbound to drop all the traffic coming toward the CE.

router(config)#interface Ethernet 2
router(config-if-Et2)#ip access-group DROP_INBOUND in
router(config-if-Et2)#end