• Author: Ethan Rahn

Commit Signing with Git at Enterprise Scale

Git is one of the most ubiquitous version control systems used today, seeing extensive usage in projects both around the world and within Arista. Every day numerous Arista employees, located around the world, make commits to the codebase to fix bugs, add features, and save works in progress. The same scenario plays out for many other people, whether working for private enterprises, government institutions, or open source projects. The following paper discusses changes made to alleviate a fundamental security problem with Git, and with version control systems in general. It is assumed that readers...

CloudVision Portal Hardening Guide

Introduction This guide is provided as a starting point for securing CloudVision Portal, also known as CVP. The sections below discuss various best practices such as non-default configurations, setup instructions, and the use of other monitoring systems. The best way to ensure that a CVP system remains secure is to combine the configuration instructions discussed below with a monitoring solution for log output. In addition, keeping CVP up to date and monitoring Arista's list of security advisories ( https://www.arista.com/en/support/advisories-notices/security-advisories ) is always recommended. CVP Default Settings By default CVP should be expected to ship with settings that will work...

Arista EOS is not vulnerable to CVE-2020-9015

Recently a third-party submission was made to MITRE's CVE database about a possible vulnerability in Arista EOS products. This vulnerability was given the identifier CVE-2020-9015 and can be viewed here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015. This post discusses how this CVE was submitted in error and clarifies that Arista EOS is not vulnerable to the issue described in the CVE. Before discussing the issue itself, it is worth noting that the CVE database is a public database, which accepts submissions from anyone. If a report is disputed, as is the case with this one, MITRE will not attempt to take sides...

AAA with LDAP Support

Description This feature adds support in AAA for the LDAP protocol. LDAP can be used for authentication and authorization. This feature also supports TLS communication with the remote LDAP server. This feature interoperates with Microsoft Active Directory (AD) when AD is configured with LDAP plugins. Platform Compatibility This feature is platform independent. Configuration This feature has several configuration options, of which only authentication is required. A complete sample config is shown below and each subsection describes the use of the settings. The authentication and authorization settings below for "rdn attribute user" and "search filter" are the default settings...

SSL support for CVX AttrLog connections

Description The EOS 4.22.1F release adds support for secure in-band connections between CVX and Arista switches. Prior to this release, only out-of-band connections between CVX and Arista switches supported secure communication. The executive summary of this change is as follows:
• Added support for SSL communication in tacc
• Added new SSL connection and listener modules in Sysdb and Controllerdb
• Uses the same configuration as SSL for out-of-band CVX connections
• Seamless upgrade paths (see more below)
Previously, Arista switches and CVX did not support secure communication over the in-band connections between them, and the following was displayed when SSL profiles were in...

Arista EOS Hardening Guide

Introduction This document is provided as a template for securing Arista devices. Configurations alone are not able to completely secure a network. Due operational diligence, including threat assessment and reaction, is necessary to ensure device security. This document provides recommendations that you are advised to implement; however, no document can be comprehensive for every unique environment. General Security Principles A level of security ought to be applied to all network nodes. This should govern how nodes are accessed by users and what traffic is allowed to enter the nodes: Each user should be assigned an individual user account, with a security...
