Check: AMLS-L3-000170
Arista MLS DCS-7000 Series RTR STIG:
AMLS-L3-000170
(in versions v1 r3 through v1 r2)
Title
The Arista Multilayer Switch must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System. (Cat II impact)
Discussion
If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to that particular router and not to the Internet Access Point routers. This could not only wreak havoc with traffic flows on NIPRNet, but it could overwhelm the connection from the router to the NIPRNet gateway(s) and also cause traffic destined for outside of NIPRNet to bypass the defenses of the Internet Access Points.
Check Content
This requirement applies only to DoDIN enclaves. Review the configuration of the route connecting to the Alternate Gateway. Verify redistribution of static routes to the Alternate Gateway is not occurring by reviewing the running configuration via the "show running-config" command. In the appropriate routing protocol configuration, there must not be a "redistribute static" statement. If there is a redistribute static statement, there must be an accompanying route map to prevent redistribution of routes to the alternate gateway. If the static routes to the Alternate Gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this is a finding.
Fix Text
Configure the router so that static routes are not redistributed to an Alternate Gateway into either an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System. Enter "no redistribute static" into the routing process configuration to fulfill this requirement. To configure a Route Map to allow for redistribution of some static routes, refer to Chapter 18.3 of the Arista Configuration Manual.
Additional Identifiers
Rule ID: SV-75361r1_rule
Vulnerability ID: V-60903
Group Title: SRG-NET-000019-RTR-000011
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |