Arista Portal

  • Category : Security

 
 

Hardening and Security

Posted on July 30, 2020 by   |   707 Views

Overview An organisation’s communications infrastructure and the tools that surround it carry business critical, high value commercially sensitive information and are obvious targets for malicious actors to attempt to compromise and organisation or exfiltrate its intellectual property. Arista Networks takes its role in ensuring ongoing security extremely seriously through both secure manufacturing and supply as well as an ongoing commitment to vulnerability detection, mitigation and remediation. Product security must also be complemented by the implementation of product hardening best practices during the installation and operation of the infrastructure. The links provided below offer the latest best practise advice on a...
Continue reading →

CloudVision Portal Hardening Guide

Posted on July 31, 2020 by   |   592 Views

Introduction This guide is provided as a starting point for securing CloudVision Portal, also known as CVP. In the below sections various best practices such as non-default configurations, setup instructions, and discussions of other monitoring systems are discussed.  The best way to ensure that a CVP system remains secure is to combine the configuration instructions discussed below with a monitoring solution for log output. In addition, keeping CVP up to date and monitoring Arista’s list of security advisories ( https://www.arista.com/en/support/advisories-notices/security-advisories ) is always recommended.  CVP Default Settings By default CVP should be expected to ship with settings that will work...
Continue reading →

Configurations and Optimizations for Internet Edge Routing

Posted on April 14, 2020 by   |   1356 Views

Introduction For many years, network deployments for enterprise Internet edge environments have consisted of dedicated routing platforms and a switching or aggregation layer to distribute this to various network zones.  With the advances in merchant silicon forwarding engines and the software expertise put into Arista’s Extensible Operating System (EOS), we can now fully replace this legacy architecture with a collapsed routing and switching layer using Arista R Series platforms.  Arista R Series platforms allow for holding a full copy of the Internet routing table for both IPv4 and IPv6 in hardware (the Forwarding Information Base, or FIB) with plenty of...
Continue reading →

Arista products not affected by CVE-2019-15126 (Kr00k vulnerability)

Posted on March 6, 2020 by   |   612 Views

Arista products are not affected by CVE-2019-15126 (Kr00k vulnerability) Kr00k – also known as CVE-2019-15126 – is a vulnerability in certain Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Arista Networks Wifi products AP and management systems are not exploitable by the above mentioned CVEs. The vulnerability affects all unpatched devices with Broadcom and Cypress FullMac Wi-Fi chips. Devices using Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink and Mediatek do not exhibit this vulnerability. Arista networks APs do not use the Wi-Fi chips that are affected.  The vulnerability exploits a bug in the WiFi chipset that...
Continue reading →

User passwords with blank spaces

Posted on June 21, 2018 by   |   1683 Views

  Overview                 Arista EOS allows users to define local user accounts using the command “username <name> secret <password> “, where <password> is a plain text password. However, the Arista CLI does not accept blank spaces in the <password> portion of the command. This restriction is due to a limitation in the parsing algorithm EOS uses to find the password in the command. The parsing algorithm does not recognize blank spaces when parsing the password. To work around this issue a password with blank spaces can be manually converted to a SHA512 hash and the hash can be applied to...
Continue reading →

Tap Aggregration Tip: Popping MPLS tags for Untagged or VLAN based Tools

Posted on May 12, 2018 by   |   1073 Views

In Tap Aggregation scenarios common in WAN and Service Provider environments, MPLS tags are present.  Many of the analysis tools do not understand these tags and so the Arista DANZ feature set allows for these to be removed.  This functionality has been around since 4.15.0F however initially had the limitation that the traffic would always be sent out the Tool port with a VLAN tag.  However, some tools not only do not understand MPLS, but also VLAN tags, so this tip describes how to deal with both 802.1q and untagged scenarios. Step 1:  Configure MPLS pop/strip on the Tap port:...
Continue reading →

Arista Any Cloud Platform – Security Use Case

Posted on January 9, 2018 by   |   495 Views

Introduction In this document we will demonstrate how to effectively leverage Arista’s vEOS Router in a Transit – Edge VPC model to satisfy a common security use case. As most companies look to move into the public cloud space, security vulnerabilities have gained more focus than ever before. Objective Provide a centralized security model within an AWS region, which will allow for ease of visibility and control. Deploying separate AWS Internet Gateways in every VPC, increases complexity and vulnerabilities in the public cloud space.  Prerequisites This document assumes that you have the following architecture deployed: A Transit – Edge VPC topology deployed...
Continue reading →

Using stunnel (TLS Proxy) to secure OpenFlow on EOS

Posted on November 5, 2017 by   |   223 Views

Do you have an OpenFlow controller that supports communication channel encryption via TLS and you’d like to take advantage of that option with an Arista switch? No problem! Just follow these simple steps and in mere minutes you’ll have a secure TLS connection up and running. Just imagine the look of shock and amazement on the faces of your friends, family and coworkers as you extend the capabilities of your EOS powered switch in near real time! 1) Please download Stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm   2) Copy it to flash on the switch: switch#copy scp://@//stunnel-4.33-1.fc14.i686.rpm flash:   3) Install the...
Continue reading →

VXLAN: security recommendations

Posted on January 16, 2017 by   |   2113 Views

Abstract This document provides recommendations that are advised to implement in order to increase the security in multitenant network environments built on Arista Networks devices using VXLAN. Introduction One of the crucial qualities of modern cloud network infrastructure is scalability. Scalability can’t be achieved if security of the network operations inside the cloud is compromised. As for example, load scalability is not achievable in environments where the VMs are not able to operate when the network between them is not working properly due to hijacked MAC-addresses. One of the technologies used nowadays to address the challenges with scalability inside the cloud networks...
Continue reading →

How to Install & Configure Arista’s DirectFlow Assist for Palo Alto Firewalls

Posted on January 12, 2016 by   |   13956 Views

Contents Summary Prerequisite Summary Prerequisite Concepts Configuring QoS Markings Configuring the DFA Modes DFA Installation Palo Alto Configuration Troubleshooting SUMMARY For the high level solution brief, view the Palo Alto Solution Brief. One of the many features of having an Arista switch is the ability to install extensions on the box. Remember that you can manage the Arista switch as if it was a Linux server (it actually is, but that’s outside the scope of this article) – and because of this we can install RPM packages. One of the packages we can install is Arista’s DirectFlow Assist (DFA), which...
Continue reading →

Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: