DISA STIG Arista MLS DCS-7000 Series RTR V1R2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Arista MLS DCS-7000 Series RTR V1R2

Updated: 1/11/2021

Authority: DISA STIG

Plugin: Arista

Revision: 1.8

Estimated Item Count: 31

Audit Items

Description | Categories
AMLS-L3-000100 - Arista MLS must enforce approved authorizations for controlling the flow of info between interconnected networks.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000110 - Arista MLS must disable PIM on all interfaces that are not required to support multicast routing.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000120 - Arista MLS must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
AMLS-L3-000130 - Arista MLS must establish boundaries for IPv6 Admin, Site, Organization scope, and IPv4 Local-Scope multicast traffic.
AMLS-L3-000140 - Arista MLS must be configured so inactive router interfaces are disabled.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000150 - Arista MLS must protect an enclave connected to an Alternate Gateway by using an inbound filter.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000160 - If BGP is enabled on Arista MLS, it must not be a BGP peer with a router from an AS belonging to any Alternate Gateway.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000170 - Arista MLS must not redistribute static routes to alternate gateway service provider into an EGP or IGP to the NIPRNet.
AMLS-L3-000180 - Arista MLS must enforce that IGP instances configured on the OOB management gateway only peer with their own routing domain

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000190 - Arista MLS must enforce that the managed network domain and the management network domain are separate routing domains.
AMLS-L3-000200 - Arista MLS must enforce that any interface used for OOB management traffic is configured to be passive for the IGP.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000210 - Arista MLS must enforce info flow control using explicit security attributes on info, source, and destination objects.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - BGP

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - IS-IS
AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - IS-IS auth mode

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - IS-IS md5 key

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - OSPF
AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - OSPF MD5 Key

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - Arista MLS must enable neighbor router authentication for control plane protocols except RIP - OSPF message-digest

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000230 - Arista MLS must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address.
AMLS-L3-000240 - Arista MLS must be configured to disable non-essential capabilities.
AMLS-L3-000250 - Arista MLS must encrypt all methods of configured authentication for the OSPF routing protocol - ipv6 OSPF checks
AMLS-L3-000250 - Arista MLS must encrypt all methods of configured authentication for the OSPF routing protocol - message-digest

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000250 - Arista MLS must encrypt all methods of configured authentication for the OSPF routing protocol - message-digest-key

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000250 - Arista MLS must encrypt all methods of configured authentication for the OSPF routing protocol.
AMLS-L3-000260 - Arista MLS must ensure all eBGP routers are configured to use GTSM or are configured to meet RFC3682.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000270 - Arista MLS must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000280 - Arista MLS must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS).

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000290 - Arista MLS must configure the maximum hop limit value to at least 32.

CONFIGURATION MANAGEMENT

AMLS-L3-000300 - Arista MLS must only allow incoming communications from authorized sources to be routed to authorized destinations.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000320 - Arista MLS must not enable the RIP routing protocol.

CONFIGURATION MANAGEMENT