STIGQter: STIG Summary: Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020

The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

DISA Rule

SV-75355r1_rule

Vulnerability Number

V-60897

Group Title

SRG-NET-000019-RTR-000009

Rule Version

AMLS-L3-000150

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the ingress filter of the perimeter router connected to an Alternate Gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the Alternate Gateway network service provider. To configure an example of such a statement, enter:

ip access-list [name]
permit ip [source] [destination]
exit
interface [router interface]
ip access-group [name] in
exit

Check Contents

Review the configuration of each router interface connecting to an Alternate Gateway via the "show running-config" command.

Verify each permit statement of the ingress filter only permits packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the Alternate Gateway network service provider.

If the ingress filter permits packets with destination addresses other than those specified (the site's NIPRNet address space or the address block assigned by the Alternate Gateway network service provider), this is a finding.
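The check above is done by reading "show running-config" by hand. The script below is an added example, not part of the STIG, STIGQter or any Arista tooling: it automates the same review offline against saved EOS-style configuration text, resolving the "ip access-group ... in" binding on the Alternate Gateway interface and testing every permit entry's destination against the approved blocks. The interface name (Ethernet1), the ACL name (AG-INBOUND) and the address blocks (203.0.113.0/24 as the site's NIPRNet space, 198.51.100.0/25 as the AG-assigned block) are hypothetical documentation ranges, and both configs are constructed samples, one matching the Fix Recommendation and one that would be a finding. Only the IPv4 "ip access-list" syntax subset of any / host / prefix addresses with optional port qualifiers is parsed; anything else is reported rather than silently accepted.

```python
"""Offline check for AMLS-L3-000150 against saved 'show running-config' text (added example)."""
import ipaddress
import re

# Assumed approved destination blocks (hypothetical documentation ranges).
ALLOWED_DEST_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # site's NIPRNet address space (assumed)
    ipaddress.ip_network("198.51.100.0/25"),  # block assigned by the AG provider (assumed)
]

# Constructed sample: matches the Fix Recommendation (explicit deny at the end).
COMPLIANT_CONFIG = """\
ip access-list AG-INBOUND
   10 permit ip any 203.0.113.0/24
   20 permit tcp any 198.51.100.0/25 eq 443
   30 deny ip any any log
!
interface Ethernet1
   description Link to Alternate Gateway
   ip access-group AG-INBOUND in
!
"""

# Constructed sample: entry 20 permits any destination, which is a finding.
NONCOMPLIANT_CONFIG = """\
ip access-list AG-INBOUND
   10 permit ip any 203.0.113.0/24
   20 permit ip any any
!
interface Ethernet1
   description Link to Alternate Gateway
   ip access-group AG-INBOUND in
!
"""

PORT_OPS = {"eq", "neq", "gt", "lt"}


def parse_blocks(config):
    """Split EOS config into (header, [indented lines]) top-level blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        blocks.append((header, body))
    return blocks


def inbound_acl_on(blocks, interface):
    """Name of the ACL applied with 'ip access-group <name> in' on the interface, or None."""
    for header, body in blocks:
        if header == f"interface {interface}":
            for line in body:
                m = re.match(r"ip access-group (\S+) in$", line)
                if m:
                    return m.group(1)
    return None


def _take_addr(tokens):
    """Consume one address term (any | host A.B.C.D | A.B.C.D/M); None if unrecognised."""
    if not tokens:
        return None, tokens
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host" and len(tokens) > 1:
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    try:
        return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]
    except ValueError:
        return None, tokens


def _skip_ports(tokens):
    """Drop a port qualifier such as 'eq 443' or 'range 1024 65535' if present."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def parse_ace(line):
    """Return (action, destination network) for one ACL entry; None if unparsable."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():      # strip the sequence number
        tokens = tokens[1:]
    if tokens and tokens[0] == "remark":
        return "remark", None
    if len(tokens) < 4:
        return None
    action = tokens[0]
    _src, rest = _take_addr(tokens[2:])    # tokens[1] is the protocol
    dst, _rest = _take_addr(_skip_ports(rest))
    return action, dst


def check_ag_ingress_filter(config, interface, allowed_blocks):
    """Findings for AMLS-L3-000150 on one AG-facing interface; an empty list is compliant."""
    blocks = parse_blocks(config)
    acl_name = inbound_acl_on(blocks, interface)
    if acl_name is None:
        return [f"{interface}: no inbound ip access-group applied"]
    acls = {m.group(1): body for header, body in blocks
            if (m := re.match(r"ip access-list (\S+)$", header))}
    if acl_name not in acls:
        return [f"{interface}: inbound ACL {acl_name} is not defined"]
    findings = []
    for line in acls[acl_name]:
        parsed = parse_ace(line)
        if parsed is None:
            findings.append(f"{acl_name}: could not parse entry '{line}'")
            continue
        action, dst = parsed
        if action != "permit":
            continue
        if dst is None or not any(dst.subnet_of(b) for b in allowed_blocks):
            findings.append(f"{acl_name}: entry '{line}' permits destinations outside the approved blocks")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(label, check_ag_ingress_filter(cfg, "Ethernet1", ALLOWED_DEST_BLOCKS) or "no findings")
```

Run it against a saved "show running-config" for each interface that faces an Alternate Gateway; a missing inbound access-group, an undefined ACL, an entry the parser does not understand, and a permit whose destination is not fully inside an approved block are each reported as a finding, so the script fails closed rather than passing syntax it cannot evaluate.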

Vulnerability Number

V-60897

Documentable

False

Rule Version

AMLS-L3-000150

Severity Override Guidance


Check Content Reference

M

Target Key

2823

Comments