Arista MLS DCS-7000 Series RTR STIG Version Comparison

There are 1 differences between versions v1 r2 (April 22, 2016) (the "left" version) and v1 r3 (July 24, 2020) (the "right" version).

Check AMLS-L3-000280 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Title

The Arista Multilayer Switch must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS).

Check Content

Review the router configuration to verify that Border Gateway Protocol connections are only from known neighbors in a trusted AS. Check the BGP configuration statements viewable via the "show running-config" command to validate that no dynamic BGP listen ranges are configured for EBGP peerings to external networks. This requirement to eliminate dynamic listen ranges does not apply to internal networks. If the router is configured with dynamic listen ranges for EBGP peers to external networks, this is a finding.

Discussion

Advertisement of routes by an Autonomous System for networks that do not belong to any of its trusted peers pulls traffic away from the authorized network. This causes a DoS on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the network could redistribute Interior Gateway Protocol routes into Border Gateway Protocol, thereby leaking internal routes.

Fix

Remove any configuration statements for dynamic listen ranges to external EBGP peers. If connections must exist, use explicit neighbor statements for the peering router.