DISA STIG Arista MLS DCS-7000 Series RTR v1r3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Arista MLS DCS-7000 Series RTR v1r3

Updated: 8/19/2024

Authority: DISA STIG

Plugin: Arista

Revision: 1.6

Estimated Item Count: 27

File Details

Filename: DISA_STIG_Arista_RTR_STIG_v1r3.audit

Size: 99.2 kB

MD5: 539f044abafc71544984fdbc87e76d6e
SHA256: 83c65baf46381d0aa5d6a843f10fbd07caf0bd64df42bb921b6c36f848079dbc

Audit Items

DescriptionCategories
AMLS-L3-000100 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000110 - The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000120 - The Arista Multilayer Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled - PIM neighbor filter to interfaces that have PIM enabled.
AMLS-L3-000130 - The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
AMLS-L3-000140 - The Arista Multilayer Switch must be configured so inactive router interfaces are disabled.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000150 - The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000160 - If Border Gateway Protocol (BGP) is enabled on The Arista Multilayer Switch, The Arista Multilayer Switch must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000170 - The Arista Multilayer Switch must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System.
AMLS-L3-000180 - The Arista Multilayer Switch must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000190 - The Arista Multilayer Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol instances are not redistributed or advertised to each other.
AMLS-L3-000200 - The Arista Multilayer Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000210 - The Arista Multilayer Switch must enforce information flow control using explicit security attributes (for example, IP addresses, port numbers, protocol, Autonomous System, or interface) on information, source, and destination objects.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - BGP

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - IS-IS auth mode

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - IS-IS md5 key

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - OSPF MD5 Key

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - OSPF message-digest

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000230 - The Arista Multilayer Switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
AMLS-L3-000240 - The Arista Multilayer Switch must be configured to disable non-essential capabilities.
AMLS-L3-000250 - The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol - ipv6 OSPF checks
AMLS-L3-000250 - The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol - ospf message-digest

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000250 - The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol - ospf message-digest-key

IDENTIFICATION AND AUTHENTICATION

AMLS-L3-000260 - The Arista Multilayer Switch must ensure all Exterior Border Gateway Protocol (eBGP) routers are configured to use Generalized TTL Security Mechanism (GTSM) or are configured to meet RFC3682.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000270 - The Arista Multilayer Switch must manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks - DoS attacks.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000290 - The Arista Multilayer Switch must configure the maximum hop limit value to at least 32.

CONFIGURATION MANAGEMENT

AMLS-L3-000300 - The Arista Multilayer Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.

SYSTEM AND COMMUNICATIONS PROTECTION

AMLS-L3-000320 - The Arista Multilayer Switch must not enable the RIP routing protocol.

CONFIGURATION MANAGEMENT