• Category : Security

 
 

Logging – Basic Syslog and Beyond

Overview Logging is often viewed as a basic feature and a common element of all infrastructure devices. But the importance shouldn’t be overlooked. And the related configurations shouldn’t be taken for granted. Whether the purpose is for operations and troubleshooting or to meet compliance requirements, the topic of system logs including how they are configured and where that information is stored should be given more than passing consideration. In this article we’re going to look at basic configuration of Syslog along with some Arista related tips and tricks that will help with operations and compliance. Basic Syslog Beyond operational reasons, logging data is...
Continue reading →

Configurations and Optimizations for Internet Edge Routing

Introduction For many years, network deployments for enterprise Internet edge environments have consisted of dedicated routing platforms and a switching or aggregation layer to distribute this to various network zones.  With the advances in merchant silicon forwarding engines and the software expertise put into Arista’s Extensible Operating System (EOS), we can now fully replace this legacy architecture with a collapsed routing and switching layer using Arista R Series platforms.  Arista R Series platforms allow for holding a full copy of the Internet routing table for both IPv4 and IPv6 in hardware (the Forwarding Information Base, or FIB) with plenty of...
Continue reading →

Arista products not affected by CVE-2019-15126 (Kr00k vulnerability)

Arista products are not affected by CVE-2019-15126 (Kr00k vulnerability) Kr00k – also known as CVE-2019-15126 – is a vulnerability in certain Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Arista Networks Wifi products AP and management systems are not exploitable by the above mentioned CVEs. The vulnerability affects all unpatched devices with Broadcom and Cypress FullMac Wi-Fi chips. Devices using Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink and Mediatek do not exhibit this vulnerability. Arista networks APs do not use the Wi-Fi chips that are affected.  The vulnerability exploits a bug in the WiFi chipset that...
Continue reading →

User passwords with blank spaces

  Overview                 Arista EOS allows users to define local user accounts using the command “username <name> secret <password> “, where <password> is a plain text password. However, the Arista CLI does not accept blank spaces in the <password> portion of the command. This restriction is due to a limitation in the parsing algorithm EOS uses to find the password in the command. The parsing algorithm does not recognize blank spaces when parsing the password. To work around this issue a password with blank spaces can be manually converted to a SHA512 hash and the hash can be applied to...
Continue reading →

Tap Aggregration Tip: Popping MPLS tags for Untagged or VLAN based Tools

In Tap Aggregation scenarios common in WAN and Service Provider environments, MPLS tags are present.  Many of the analysis tools do not understand these tags and so the Arista DANZ feature set allows for these to be removed.  This functionality has been around since 4.15.0F however initially had the limitation that the traffic would always be sent out the Tool port with a VLAN tag.  However, some tools not only do not understand MPLS, but also VLAN tags, so this tip describes how to deal with both 802.1q and untagged scenarios. Step 1:  Configure MPLS pop/strip on the Tap port:...
Continue reading →

Arista Any Cloud Platform – Security Use Case

Introduction In this document we will demonstrate how to effectively leverage Arista’s vEOS Router in a Transit – Edge VPC model to satisfy a common security use case. As most companies look to move into the public cloud space, security vulnerabilities have gained more focus than ever before. Objective Provide a centralized security model within an AWS region, which will allow for ease of visibility and control. Deploying separate AWS Internet Gateways in every VPC, increases complexity and vulnerabilities in the public cloud space.  Prerequisites This document assumes that you have the following architecture deployed: A Transit – Edge VPC topology deployed...
Continue reading →

Using stunnel (TLS Proxy) to secure OpenFlow on EOS

Do you have an OpenFlow controller that supports communication channel encryption via TLS and you’d like to take advantage of that option with an Arista switch? No problem! Just follow these simple steps and in mere minutes you’ll have a secure TLS connection up and running. Just imagine the look of shock and amazement on the faces of your friends, family and coworkers as you extend the capabilities of your EOS powered switch in near real time! 1) Please download Stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm   2) Copy it to flash on the switch: switch#copy scp://@//stunnel-4.33-1.fc14.i686.rpm flash:   3) Install the...
Continue reading →

VXLAN: security recommendations

Abstract This document provides recommendations that are advised to implement in order to increase the security in multitenant network environments built on Arista Networks devices using VXLAN. Introduction One of the crucial qualities of modern cloud network infrastructure is scalability. Scalability can’t be achieved if security of the network operations inside the cloud is compromised. As for example, load scalability is not achievable in environments where the VMs are not able to operate when the network between them is not working properly due to hijacked MAC-addresses. One of the technologies used nowadays to address the challenges with scalability inside the cloud networks...
Continue reading →

How to Install & Configure Arista’s DirectFlow Assist for Palo Alto Firewalls

Contents Summary Prerequisite Summary Prerequisite Concepts Configuring QoS Markings Configuring the DFA Modes DFA Installation Palo Alto Configuration Troubleshooting SUMMARY For the high level solution brief, view the Palo Alto Solution Brief. One of the many features of having an Arista switch is the ability to install extensions on the box. Remember that you can manage the Arista switch as if it was a Linux server (it actually is, but that’s outside the scope of this article) – and because of this we can install RPM packages. One of the packages we can install is Arista’s DirectFlow Assist (DFA), which...
Continue reading →

Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: