Check: AMLS-NM-000350
Arista MLS DCS-7000 Series NDM STIG:
AMLS-NM-000350
(in versions v1 r3 through v1 r2)
Title
Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. (Cat II impact)
Discussion
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP.
Check Content
Determine if the network device uses secure protocols instead of their unsecured counterparts. If any unsecured maintenance protocols are in use (e.g., telnet, FTP, HTTP) and these protocols are not wrapped in a secure tunnel, this is a finding. Validate by checking that unsecure protocols are either disabled or wrapped in SSH tunnels. Executing a "show run" command will provide a means to validate this config. From the output of this command, verify that there is no statement enabling telnet, no statement enabling FTP, no statement enabling HTTP, and no statement enabling the API, or the API is configured to use only HTTPS.
Fix Text
Configure the network device to use secure protocols instead of their unsecured counterparts. Configuration Example: Disable unsecure protocols. configure management telnet shutdown exit management api http-commands no protocol http protocol https exit Other protocols (FTP) can be denied using AAA and RBAC. For connections that require use of these maintenance protocols, creation of SSH tunnels can fulfill this security requirement. This is summarized here and available at length in the Common Criteria guidance document. Configuration Example: management ssh tunnel NEW local port 514 ssh-server syslogServer user authuser port 22 remote host localhost port 514 no shutdown
Additional Identifiers
Rule ID: SV-75329r1_rule
Vulnerability ID: V-60871
Group Title: SRG-APP-000412-NDM-000331
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
MA-4 (6) |
Cryptographic Protection |