Check: AMLS-L3-000280
Arista MLS DCS-7000 Series RTR STIG:
AMLS-L3-000280
(in version v1 r2)
Title
The Arista Multilayer Switch must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS). (Cat II impact)
Discussion
Advertisement of routes by an Autonomous System for networks that do not belong to any of its trusted peers pulls traffic away from the authorized network. This causes a DoS on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the network could redistribute Interior Gateway Protocol routes into Border Gateway Protocol, thereby leaking internal routes.
Check Content
Review the router configuration to verify that Border Gateway Protocol connections are only from known neighbors in a trusted AS. Check the BGP configuration statements viewable via the "show running-config" command to validate that no dynamic BGP listen ranges are configured for EBGP peerings to external networks. This requirement to eliminate dynamic listen ranges does not apply to internal networks. If the router is configured with dynamic listen ranges for EBGP peers to external networks, this is a finding.
Fix Text
Remove any configuration statements for dynamic listen ranges to external EBGP peers. If connections must exist, use explicit neighbor statements for the peering router.
Additional Identifiers
Rule ID: SV-75383r1_rule
Vulnerability ID: V-60925
Group Title: SRG-NET-000195-RTR-000086
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002403 |
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
Number | Title |
---|---|
SC-7 (11) |
Restrict Incoming Communications Traffic |