ARISTA 7280 Series Switches User Manual

June 17, 2024
ARISTA

ARISTA-logo

ARISTA 7280 Series Switches

ARISTA-7280-Series-Switches-image

Product Information

Specifications:

  • Product: Arista Networks 7280 Switches
  • Operating System: EOS 4.28
  • Common Criteria Guidance Supplement Version: 2.0 07/18/2023
  • Manufacturer: Arista Networks, Inc.
  • Address: 5453 Great America Parkway Santa Clara, CA 95054

Product Usage Instructions

1. Introduction

Introduction to the product and its security features.

2. Usage Assumptions

  • No General-Purpose Computing: Ensure the switch is used for its intended networking functions only.
  • Trusted Administrator: Access and configure the switch only by authorized personnel.
  • Physical Security: Ensure physical security of the switch to prevent unauthorized access.
  • Secure Acceptance: Implement secure acceptance procedures for the switch.

3. Secure Configuration

Detailed steps for configuring the switch securely:

  • * Software Image: Use recommended software image for security.
    • Hostname, DNS Server, Time Setting, Login Banner and Password Restrictions: Configure essential settings.
    • Console Idle Timeout: Set timeout for console access.

Frequently Asked Questions

  • Q: How do I ensure secure access to the switch?
    • A: Follow the secure configuration guidelines provided in the user manual, including setting up SSH, configuring audit logs, and restricting access methods like SNMP and Telnet.
  • Q: What should I do in case of a password reset?
    • A: Refer to the user manual for password reset procedures or contact your system administrator for assistance.

Arista Networks 7280 Switches Running EOS 4.28
Common Criteria Guidance Supplement
Version: 2.0 07/18/2023
Prepared By: Arista Networks, Inc. 5453 Great America Parkway Santa Clara, CA 95054

Introduction

This Common Criteria Guidance Supplement document pertains to Arista Networks 7280 series switches running EOS 4.28.0. It provides instructions for operation of these switches consistent with the Common Criteria evaluated configuration (CC mode) described in:
· [Security Target] Security Target – “Arista Networks 7280 Switches Running EOS 4.28”.
· [User Manual] User Manual – Arista EOS. · [Quick Start] Hardware Installation Guides posted under Product Documentation
– Hardware section on the Arista website.
1.1 TOE Type
The TOE is classified as a Network Device, that is, a device composed of both hardware and software that is connected to the network and has an infrastructure role within the network.
1.2 TOE Usage
The Arista Networks Data Center and Cloud Computing Switches are networking switches (Network Devices for CC purposes) that provide OSI model Layer 2, 3, and 4 Ethernet interconnectivity and network management services (Data Link, Network, and Transport Layers, respectively). Each model is manufactured with high performance electronics making it ideally suitable for demanding data center environments.
1.3 TOE Major Security Features Summary
· Security Audit o Generates audit records, storing them locally and transmitting them to a remote audit server. o Supports secure communication to remote syslog-compatible audit servers protected by the SSHv2 Trusted Channel.
· Cryptographic Support o Utilization of NIST-specified and CAVP validated cryptographic algorithms for asymmetric key generation, AES encryption/decryption, digital signature generation/verification, hashing, and keyed-hashing (Message Authentication Code). o Cryptographic-key Destruction using PP specified methods. o Deterministic Random Bit Generation (DRBG). o Assurance of seeding the DRBG with sufficient entropy (minimum of 256bits of entropy).
· Identification and Authentication o Administrative password management. o Protected authentication data at the local and remote consoles. o Identification and authentication of the Security Administrative user. o X509 certificate-based authentication and validation. o X509 certificate request generation.

Arista Networks

Page 5 of 48

· Security Management o Trusted Update mechanism. o Restriction of TSF management to the Security Administrator. o Local and remote administration of the TOE by the Security Administrator.
· Protection of the TSF o Protection of stored passwords. o Prevention of disclosing passwords via normal management interfaces. o Prevention of disclosing private keys via normal management interfaces. o Automated self- testing upon boot-up. o Querying of the TOE firmware/software. o Reliable timestamps.
· TOE Access o Session termination (TSF initiated, and User initiated). o Display of a warning and consent banner on the local and remote management interfaces prior to authentication.
· Trusted Path/Channels o Cryptographically secure path between the TOE and the Security Administrative user for remote management. o Cryptographically secure channels between the TOE and authorized IT entities in the Operational Environment to support the TSF.
1.4 Operational Environment
The TOE’s Operational Environment must provide the following services to support the secure operation of the TOE:
· Local Console Administrative Access o RS-232 Serial Console. o VT-100 terminal emulation program.
· Remote Management o SSH client for remote interactive session utilizing SSH. o eAPI JSON-RPC Client capable of establishing a mutually authenticated TLS session.
· Audit Server o Syslog server capable of accepting an SSHv2 tunnel utilizing SSH Protocol Version 2 (SSHv2).
· Certificate Revocation List (CRL) Server o Server from where CRLs can be downloaded on TOE to check validity of X509v3 certificates.
1.4 TOE Description
The Arista 7280 series switches are fixed form factor switches. The 7280 series switches range in size between 1 and 2 RU. Models vary in total throughput, port count, port speeds, route table scales etc.
Each switch model runs Arista’s Linux-based network operating system called Extensible Operating System (EOS). The same EOS binary image runs on all TOE hardware

Arista Networks

Page 6 of 48

models. All EOS code is compiled to the same i686 assembly, making it such that no processor runs anything different from any other processor. All processors implement the i686 assembly language. All SFRs in this Security Target are implemented by EOS. Hence, they behave identically on every switch model.
The table below provides the list of appliances across different series:

Series 7280CR
7280SR

Table 1:Hardware Appliances

Models

Interfaces

SKN-7280CR3-3C2

3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-2

3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-2-DEV 3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-2G

3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-3

3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-3-DEV 3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-3G

3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-3C2-DEV 3x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-4C2

4x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-4C2-DEV 4x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-4C2G

4x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-4C6

3x100GbE (CFP2) + (9 or 10)x100GbE

SKN-7280CR3-4C6-DEV

3x100GbE (CFP2) + (9 or 10)x100GbE

SKN-7280CR3-4C6G

3x100GbE (CFP2) + (9 or 10)x100GbE

SKN-7280CR3-5C2

5x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-5C2-DEV 5x100GbE (CFP2) + 2x100GbE

SKN-7280CR3-5C2G

5x100GbE (CFP2) + 2x100GbE

4x CFP2 100G/200G + 4x

SKN-7280SR3-16YC8

40/100G QSFP + 16x

25/10GbE SFP

Host CPU Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519
Intel Broadwell-DE D1519
Intel Broadwell-DE D1519
Intel Broadwell-DE D1519
Intel Broadwell-DE D1519 Intel Broadwell-DE D1519 Intel Broadwell-DE D1519
Intel Broadwell-DE D1519

The TOE supports local administration via the local console port. Remote administration is performed over the Secure Shell v2 (SSHv2) protocol. Alternatively, the switch supports eAPI JSON-RPC interface over TLS for remote automation scripts to perform management functions on the switch. This interface supports only JSON request/response format. The eAPI interface supports both interactive and non-interactive modes of operation. In interactive mode, a user can issue commands and receive immediate feedback from the device. This allows for quick testing and debugging of eAPI scripts and applications, as well as ad hoc configuration and monitoring tasks.
In non-interactive mode, the user can use a third-party eAPI JSON-RPC client, such as Ansible, Python requests library, or cURL, to send eAPI requests and receive responses from the device. In the evaluated configuration, the switch only supports eAPI noninteractive mode over TLS for remote automation scripts to perform management

Arista Networks

Page 7 of 48

functions on the switch.
The TOE also supports storage and forwarding of audit records, protected using SSHv2, to any syslog-compatible network entity.
1.5 Console CLI access
The console port is a serial port located on the front of the switch. Figure 1: Switch Ports, shows the console port on the TOE. The TOE’s administrator should use a serial or RS-232 cable to connect to the console port. The accessory kit also includes an RJ-45 to DB-9 adapter cable for connecting to the switch.

Figure 1: Switch Ports
Use these settings when connecting the console port: · 9600 baud · no flow control. · 1 stop bit · no parity bits · 8 data bits
The boot console command configures terminal settings for serial devices connecting to the
console port. The no boot console and default boot console commands restore the factory default settings on the switch and remove the corresponding CONSOLESPEED command from the boot-config file.
Command Syntax
boot console speed baud_rate
Parameters
baud_rate console baud rate. Options include 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200.
Example
· This command sets the console speed to 57600 baud.
switch(config)#boot console speed 57600
switch(config)#

Arista Networks

Page 8 of 48

· This command displays the result of the console-speed change.
switch(config)#show boot-config
Software image: flash:/EOS.swi Console speed: 57600
Aboot password (encrypted): (not set) switch(config)#
· The above boot console command adds the following line to boot-config.
CONSOLESPEED=57600

Usage Assumptions

At the outset, the CC mode requires the following to be followed during operation of the switch.

2.1 No General-Purpose Computing
The user must not install or run external applications, binaries or RPMs on the switch. The only allowed software to be run on the switch is the EOS image provided by Arista Networks.

2.2 Trusted Administrator
The switch administrator is trusted to follow and apply all instructions in this document.

2.3 Physical Security
The switch must be stored and installed in a physically secure location.

2.4
· ·

Secure Acceptance Obtain the product through authorized channels. Verify model identification label on the hardware.

Secure Configuration

This section describes the procedures to functionally enable the switch and operate in CC mode.

3.1 Software Image
It is likely that the factory default image running on the switch is not CC validated. Follow steps described below to run CC validated image on the switch.
1. Connect a terminal to the console port (9600/N/8/1) and login over the console port with username “admin”. This username does not have a password in factory default configuration. So just press enter on the password prompt.
2. Cancel zero touch provisioning for the current and subsequent boot sequences.
localhost>enable localhost# zerotouch cancel localhost# write

Arista Networks

Page 9 of 48

3. Download and validate the proper software image. a. Use a USB drive formatted with MS-DOS or FAT file system. Most USB drives are pre-formatted with a compatible file system.
b. Download the CC validated image from the “Software Download” section of Arista website and save it to the USB drive. Keep the name of the image file as it is.
c. Insert the USB flash drive into the USB flash port on the switch. The USB drive is auto-mounted to the following point /mnt/usb1.
d. Before installing the CC validated version, do the following steps.
Check the current version of the EOS and note it down for the record.
localhost#show version
Copy the running-config file to the flash drive in case you need to refer to it later.
localhost#copy running-config flash:my_config
e. Determine the size of the flash drive to make sure sufficient space is available for the new EOS image.
localhost#dir flash:
f. Copy the image file from USB to flash.
localhost#copy usb1: flash:EOS.swi
g. Verify SHA512 checksum of the image file.
localhost#verify /sha512 flash:EOS.swi
The output of the command will be in this format:
verify /sha512 (flash:EOS.swi) =
The output hash consists of 128 hex characters. Compare it with the published hash value on the Arista website. If the values match, the image is valid. However, if the values do not match the image is either corrupt or has been tampered with. Do not use it and contact Arista support to report the issue. Note: During the update no services or functions of the TOE will cease working.
4. Install the software image. a. Modify boot-config file to point to the image on the flash.
localhost#config localhost(config)#boot system flash:EOS.swi localhost(config)#show boot-config Note: The activation of the new software image located in the flash: is activated after the reboot of the switch using the command “reload”. During this delayed activation of the new software image, the command “show boot-config” will display the loaded but inactive version of the

Arista Networks

Page 10 of 48

software image.
b. Set up an event handler to log the state of the self-tests at startup:
localhost#config localhost(config)#event-handler startupLog
localhost(config-handler-startupLog)# trigger on-boot
localhost(config-handler-startupLog)# action bash
Enter Multi-line Action. Type ‘EOF’ on its own line to end. sudo echo “ARISTA_ENABLE_FIPS=1” >> /etc/environment sudo echo “ARISTA_ENABLE_FIPS_LOGGING=1” >> /etc/environment logger -p local4.info swi info /mnt/flash/.bootimage.swi EOF localhost(config-handler-startupLog)#
localhost(config-handler-startupLog)# write
Copy completed successfully. hrm101(config-handler-startupLog)# copy runningconfig startup-config Copy completed successfully.
c. Save the configuration to the startup-config file and reboot the switch for the new image to take effect.
localhost(config)#write
localhost(config)#reload
Note: As part of the update procedure, a reboot of the switch will be required to facilitate the loading of the new image. Consequently, there will be a brief window of disruption affecting all functions and features until the switch is successfully reinitialized with the updated image. Subsequently, upon completion of the reboot process, all functions and features will be restored to their normal operational state.
d. Once the switch comes up, login back into the switch as “admin” and verify that the switch is running with the CC validated image.
localhost>enable
localhost#show version
3.2 Hostname, DNS Server, Time Setting, Login Banner and Password Restrictions
Set the hostname. For example, to set the hostname as “switch”, run the following command.
localhost#config
localhost(config)#hostname switch
Optionally, set the address of a DNS server to allow the use of resolvable hostnames in later instructions instead of IP addresses. For example, to set a DNS server whose IP address is “10.10.3.456” run the following command
localhost(config)#ip name-server 10.10.3.456

Arista Networks

Page 11 of 48

Set the current time.
switch(config)#clock timezone switch(config)#clock set <mm/dd/yyyy> switch(config)#show clock
Interactive sessions between the user and the switch must show a banner before connecting to warn the user on proper usage. Configure banner as follows. The exact banner text is entered as per organization policy and requirements.
switch(config)#banner login Enter TEXT message. Type ‘EOF’ on its own line to end. This is a secure switch for networking. Do not attempt to connect to this switch unless permitted to do so. EOF
switch(config)#write
Password length of 8 characters is the minimum requirement for CC mode, though this can be increased to 15 depending on the organizational policy. Configure it as follows.
switch(config)#management security switch(config-mgmt-security)#password minimum length 8
Confirm the configuration.
switch(config-mgmt-security)#show run all | grep length switch(config-mgmt- security)#write switch(config-mgmt-security)#exit switch(config)#
Make the default hash function used for storing passwords as SHA-512.
switch(config)#management defaults switch(config-mgmt-defaults)#secret hash sha512
Confirm the configuration.
switch(config-mgmt-defaults)#show run all | section defaults switch(config- mgmt-defaults)#write switch(config-mgmt-defaults)#exit switch(config)#
3.3 Console Idle Timeout Configure idle timeout for console port. SSH idle timeout is configured later during SSH configuration. Following commands set the console idle timeout to 10 minutes.
switch(config)#management console switch(config-mgmt-console)#idle-timeout 10
Confirm the configuration.
switch(config-mgmt-console)#show run all | section console

Arista Networks

Page 12 of 48

switch(config-mgmt-console)#write switch(config-mgmt-console)#exit
switch(config)#
Note: Console session can be manually terminated by the user by entering “logout” command. The “exit” and “quit” commands also perform logout.
3.4 Default Accounts Protection The “admin” account by default has no password. Assign a password to it.
switch(config)#username admin secret 0
The switch has an integrated bootloader called Aboot that handles booting the main software image (EOS). This bootloader provides a shell and it must be password protected. This is accomplished with the following configuration:
switch(config)#boot secret 0
The following characters can be used in the password: uppercase and lowercase letters, numbers and special characters “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”. The length of the password needs to be as least as much as configured in Password Restrictions, else password entry will be rejected.
User account “root” is disabled by default. To reaffirm, you can run the following command.
switch(config)#no aaa root
Arista recommends following these guidelines for creating a strong password:
1. Length: Create a password that is at least 12 characters long. Longer passwords provide better security.
2. Complexity: Include a combination of uppercase and lowercase letters, numbers, and special characters. Using a variety of character types makes the password more difficult to guess.
3. Avoid Common Patterns: Avoid using easily guessable patterns such as sequential numbers or letters (e.g., 12345678 or abcdefgh), repeated characters (e.g., 11111111), or common words and phrases.
4. Unique and Random: Generate a password that is unique and not easily associated with personal information, such as your name, birthdate, or address. Randomly generated passwords are typically more secure.
5. Avoid Dictionary Words: Avoid using common dictionary words or easily recognizable terms, as they can be easily guessed using brute-force or dictionary-based attacks.
6. Regular Updates: Change your password regularly. It is good practice to update your passwords every 90 days or according to your organization’s security policies.
Remember to keep your password confidential and avoid sharing it with others.

3.5 Disallowed Access Methods (SNMP, Telnet, API)

Arista Networks

Page 13 of 48

SNMP, Telnet and some APIs must not be used in CC mode.
3.5.1 SNMP By default SNMP is disabled. Reaffirm by running following command:
switch(config)#show snmp
There should be “SNMP agent disabled: no communities or users configured” in the output.
3.5.2 Telnet By default Telnet is disabled. Reaffirm by running following command:
switch#show run all | section telnet
Look inside the “management telnet” section of the output and ensure that it says a “shutdown”.
3.5.3 API By default all API management interfaces are disabled. Reaffirm by running following commands.
switch#show management api ?
This will list all available management API methods. Reaffirm that each one is disabled (except http-commands which is required for eAPI access). For example,
switch#show management api gnmi
In case, you see any of these enabled, you can disable it as follows.
switch#config switch(config)#no management api gnmi switch(config)#write
3.6 IP Address
The switch provides an Ethernet management port for configuring the switch and managing the network out of band. Only one port is required to manage the switch. Assign IP address to this management port. Use the management interface number that is displayed when “interface management ?” is run. In the example below, IP address 192.168.0.105 on /24 subnet is assigned to the management interface number 1/1 and default route is configured to the gateway located at 192.168.0.1.
switch#config switch(config)#interface management 1/1 switch(config-if-Ma1)#IP address 192.168.0.105/24 switch(config-if-Ma1)#exit switch(config)#ip route 0.0.0.0/0 192.168.0.1 switch(config)#write
3.7 Entropy

Arista Networks

Page 14 of 48

In CC mode, the switch uses two sources of entropy: i) network interrupts, ii) hardware-based entropy (from TPM). Network interrupts entropy source is always running when the switch is running. Hardware-based entropy needs to be enabled as follows.
switch(config)#management security switch(config-mgmt-sec)#entropy source hardware
3.8 SSH Configuration

switch(config)#management ssh
Configure FIPS mode for SSH by running the following command.
switch(config-mgmt-ssh)#fips restrictions
Confirm that FIPS mode is enabled.
switch(config-mgmt-ssh)#show management ssh
When this configuration is done, it forces FIPS power-on self-tests every time a new SSH connection instance is created. Note that this happens during run time, not configuration time. After self-tests pass, then the SSH connection instance is started. When a new SSH connection instance is successfully started, a log such as follows is generated showing service id [PID] of SSH connection instance.
2022 Jun 1 11:22:23 switch sshd[32499]: Connection from 10.95.66.234 port 63766 on 172.30.167.171 port 22
If power-on self-tests fail, the SSH connection instance is not started. The failure is indicated by log pair such as follows.
2022 Jun 4 16:46:21 switch kernel: [ 721.533308] potentially unexpected fatal signal 6. 2022 Jun 4 16:46:21 switch kernel: [ 721.533315] CPU: 0 PID: 4200 Comm: ssh Tainted: P O 4.9.122.Ar-11549262.eostrunk.1 #1 If you see repeated failures to start SSH connection instance during run time, contact Arista Networks.
Continuing with the configuration, specify cryptographic options used by both SSH server and client: Symmetric encryption cipher, key exchange, message authentication and server host key algorithms.
switch(config-mgmt-ssh)#cipher aes256-cbc aes128-cbc
switch(config-mgmt-ssh)#key-exchange diffie-hellman-group14-sha1
switch(config-mgmt-ssh)#mac hmac-sha2-256 hmac-sha2-512
switch(config-mgmt-ssh)#hostkey server rsa-sha2-256 ecdsanistp384
When the switch connects to a remote host (e.g., Syslog server) over SSH, it acts as SSH client. The switch must ensure that the public key presented by the remote host matches up with the public key imported in the switch for that host. To enforce such checking, run the following command.
Switch(config-mgmt-ssh)#hostkey client strict-checking

Arista Networks

Page 15 of 48

Set SSH logging level to verbose and enable logging to “show target system”.
Switch(config-mgmt-ssh)#log-level verbose switch(config-mgmt-ssh)#logging target system
Configure idle timeout for SSH. For example, set idle timeout of 10 minutes for SSH sessions as follows.
Switch(config-mgmt-ssh)#idle-timeout 10
Note: SSH session can be manually terminated by user by entering “logout” command. The “exit” and “quit” commands also perform logout.
Warning: To guarantee adherence to the common criteria requirements, it is important that the SSH rekeying function is executed with unwavering compliance. This necessitates a specific timeframe of no more than 60 minutes from either the last SSH rekeying process or the initiation of the connection. Additionally, an alternative trigger for the rekeying function is upon reaching an absolute data transfer threshold of no more than a 1GB of data, whichever circumstance takes precedence.
Complete remaining SSH configurations as follows.
Switch(config-mgmt-ssh)#rekey frequency 1 gbytes switch(config-mgmt-ssh)#rekey interval 1 hours
switch(config-mgmt-ssh)#exit
Allow the configuration to be processed by the switch, and once processed, verify it. Note that “wait-for-warmup” is a handy command to run any time to wait until the most recent configuration takes effect.
Switch(config)#wait-for-warmup switch(config)#show run all | section management ssh
switch(config)#write switch(config)#exit
Generate RSA host key pair for SSH. The size of the key is 2048 bits and is not configurable. Note that the following command deletes the previous key and replaces it with the new key. There can be only one rsa key for SSH at any one time. FIPS conditional self-test is performed at this time on the generated key pair and only if it passes the command completes successfully. If the command does not complete successfully repeatedly, please contact Arista Networks.
Switch#reset ssh hostkey rsa
To view the new public key, use the following command:
switch#show management ssh hostkey rsa public switch#write
If the above changes succeed, the old key files have been destroyed per FCS_CKM.4. If these changes do not take effect, please contact Arista Support before continuing the operation of the switch.
Copy the above public key (in entirety including leading `ssh-rsa’ and trailing

Arista Networks

Page 16 of 48

`chassisAddr=xx:xx:xx:xx:xx:xx’ strings) to USB as it will be required to set up SSH Tunnel to the remote Syslog server.
3.9 SSH Tunnel Audit log forwarding from the switch to the remote Syslog server is done inside an SSH Tunnel. To configure SSH Tunnel to the Syslog server, configure SSH Tunnel endpoints on the switch and the Syslog server.
3.9.1 Tunnel Endpoint on the Syslog Server Perform following steps to configure log tunnel endpoint on the Syslog server. The user account “authuser” on the Syslog server is used in below command samples.
3.9.1.1 Add switch’s public key for authentication to Syslog server Log into the Syslog server with username “authuser”. Copy the switch’s entire public key from the USB to the ~/.ssh/authorized_keys file in the home directory of “authuser” and give following permissions to the file.
authuser@syslog: sudo chmod 700 ~/.ssh authuser@syslog: sudo chmod 600 ~/.ssh/authorized_keys suthuser@syslog: sudo service sshd restart
3.9.1.2 Generate/Copy public host key of Syslog server Syslog server should contain its public host key in /etc/ssh/ssh_host_rsa_key.pub file automatically created at the time the SSH service was started. You can also regenerate the host key pair if desired as follows.
authuser@syslog: sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -b 2048
Copy the public host key file of Syslog server located at /etc/ssh/ssh_host_rsa_key.pub to USB. This will be required to set up the tunnel endpoint on the switch to include Syslog server into the known hosts list.
3.9.1.3 Enable public key authentication for authuser Enable PublicKeyAuthentication for the “authuser” in the Syslog server. If Syslog server uses OpenSSH, it is enabled by default. This can be reaffirmed by uncommenting the following line in /etc/ssh/sshd_config file.
PubkeyAuthentication yes
3.9.1.4 Software settings on Syslog server Configuration for the logging software running on the Syslog server to collect logs forwarded by the switch to port 514 on the Syslog server is outside the scope of EOS user guidance. Please follow the corresponding software guidance (e.g., syslon-ng, rsylog, vendor proprietary syslog etc.) for these instructions.
3.9.2 Tunnel Endpoint on the Switch Perform following steps to configure log tunnel endpoint on the switch.

Arista Networks

Page 17 of 48

First import public host key of the Syslog server from USB into known-hosts list of the switch. The key should be used in the command as Base 64 string, without its leading ssh-rsa’ and trailingroot@syslog’ strings.
Switch#config
switch(config)#management ssh
If using the non-default VRF, now enter the “vrf ” submode, otherwise the commands will be configured in the default VRF. Then continue configuring the commands.
Switch(config-mgmt-ssh)#known-hosts rsa
If using ECDSA host keys, there is a known issue where the above command will not configure the known-hosts list correctly. As a workaround, configure the following event-handler to adjust the known-hosts list of the switch:
switch(config)# event-handler knownHosts
switch(config-handler-knownHosts)# action bash echo ecdsa- sha2-nistp384 >> /etc/ssh/ssh_known_hosts- switch(config- handler-knownHosts)# trigger on-logging switch(config-handler-knownHosts- logging)# poll interval 1 switch(config-handler-knownHosts-logging)# regex SSH_TUNNEL_HOSTKEY_VERIFY_FAILED
With this workaround, the switch will automatically add the host key to the known-hosts list directly if it detects a failure in host key verification. If using the default VRF, use /etc/ssh/ssh_known_hosts instead of /etc/ssh/ssh_known_hosts-. Then, go back to the management SSH mode (and vrf submode if applicable) to continue configuring the commands.
Now, to create a tunnel with name “LogTunnel”.
Switch(config-mgmt-ssh)#tunnel LogTunnel
Configure the tunnel so that the messages sent to the switch port 514 in the switch will be forwarded to the remote Syslog server on port 22 using the user account “authuser” and then forwarded to port 514 on the remote Syslog server. If the remote syslog server is listening on a different port than 514, the port number under “remote host” will need to be changed to that listening port.
Switch(config-mgmt-ssh-tunnel-LogTunnel)#local port 514
switch(config-mgmt-ssh-tunnel-LogTunnel)#ssh-server user authuser port 22
switch(config-mgmt-ssh-tunnel-LogTunnel)#remote host localhost port 514
Set the rate that SSH keep-alive packets will be sent and how many can be lost before the connection is declared dead. Note that these packets are sent inside the SSH tunnel. Run the following command to send 6 keep-alive packets in 60 seconds.
Switch(config-mgmt-ssh-tunnel-LogTunnel)#server-alive count-max 6
switch(config-mgmt-ssh-tunnel-LogTunnel)#server-alive interval 10

Arista Networks

Page 18 of 48

switch(config-mgmt-ssh-tunnel-LogTunnel)#no shutdown switch(config-mgmt-ssh- tunnel-LogTunnel)#exit switch(config-mgmt-ssh)#exit
Allow the configuration to be processed by the switch, and once processed, verify it.
Switch(config)#wait-for-warmup switch(config)#show run all | section management ssh switch(config)#write
3.10 Audit Logs Configuration Configure logging to specific port number (514 is default) on the switch. By virtue of configuration of SSH Tunnel on this port as described before, log messages are securely tunneled inside SSH to remote Syslog server. Log is sent into the tunnel as soon as it is generated.
Switch(config)#logging host localhost protocol tcp
The above command is if logging is running in the default VRF. If a different VRF is being used, use the following command instead:
switch(config)#logging vrf host localhost protocol tcp
Configure local persistent audit log storage. Log is written to local persistent storage as soon as it is generated.
Switch(config)#logging persistent 4096
Here the number 1024 indicates the size limit of the persistent log file in bytes. When the file exceeds its size limit, it is trimmed to remove the oldest audit logs until the size drops below 1024 bytes. Run following commands to ensure that logs for necessary security relevant events are generated.
Switch(config)#logging format timestamp traditional year switch(config)#logging trap informational
switch(config)#logging level all 6
switch(config)#logging trap system tag sshd
switch(config)#logging trap system tag ssh
switch(config)#logging trap system tag nginx
switch(config)#logging trap system tag rsyslogd
switch(config)#aaa accounting exec default start-stop logging
switch(config)#aaa accounting system default start-stop logging
switch(config)#aaa accounting commands all default start-stop

Arista Networks

Page 19 of 48

logging
switch(config)#wait-for-warmup
switch(config)#show logging system
switch(config)#write
Run following command to see the logs on CLI. You can also do | grep to this command to search specific keywords.
Switch(config)#show logging system
The number of logs returned can be limited by passing a number that indicates the number of most recent logs to view. For example, the below command will return the 10 most recent logs.
Switch(config)#show logging system 10
3.11 Named User Accounts Consecutive authentication failures result into temporary account lockout for remote administrative user. The threshold number of failures between 1 and 255 and subsequent lockout period are configured by Security Administrator when initializing the TOE. The RS232/VT-100 local administrative interface is never locked out. The “admin” account should not be used during operation of the switch in CC mode. Once the switch is operation in CC mode, the “admin” account can be used to take the switch out of CC mode to provide system updates, maintenance and user management. During operation of the switch in CC mode, the named user accounts created in “cc- admin” role as described below must be used. Configure user authentication:
switch(config)#aaa authentication login default local switch(config)#aaa authentication enable default local
Configure authentication policy to log successful and failed login attempts:
switch(config)#aaa authentication policy on-success log switch(config)#aaa authentication policy on-failure log
Configure authentication policy to lockout invalid login attempts. For example, to configure 15 minutes lockout after 3 consecutive failures in 5 minutes window, run the following command.
Switch(config)#aaa authentication policy lockout failure 3 window 300 duration 900
Configure command authorization:
switch(config)#aaa authorization exec default local switch(config)#aaa authorization commands all default local switch(config)#aaa authorization serial-console
Set up default authorization role as “cc-admin”. This way, if user is created without specifying a role, the user gets this default role.

Arista Networks

Page 20 of 48

Switch(config)#aaa authorization policy local default-role ccadmin
Confirm the configuration:
switch(config)#show run all | section aaa
switch(config)#wait-for-warmup
switch(config)#write
Configure authorizations for “cc-admin” role. If following rules are configured for “cc-admin” role, users in this role can do most configurations except AAA. They cannot execute general purpose commands. Also any secrets such as password hashes are suppressed in their output. Note that you have to enter as escape signal before entering ?.
switch(config)#role cc-admin
switch(config-role-cc-admin)#permit command show running-config all sanitized
switch(config-role-cc-admin)#permit command copy . certificate:
switch(config-role-cc-admin)#permit command copy .
sslkey:
switch(config-role-cc-admin)#permit command copy . flash:EOS.swi
switch(config-role-cc-admin)#permit command copy running-config startup-config
switch(config-role-cc-admin)#permit command ssh-server
switch(config-role-cc-admin)#permit command delete certificate:.

switch(config-role-cc-admin)#permit command delete sslkey:.*
switch(config-role-cc-admin)#deny command

|>>|extension|||session|do|delete|copy|rmdir|mkdir|pythonshell|bash|platform|scp|append|redirect|tee|more|diag|less|ssh |who|show run.|show start.
switch(config-role-cc-admin)#deny mode config command (no|default)?(role|aaa|tcpdump|schedule|event.)
switch(config-role-cc-admin)#permit command .

switch(config-role-cc-admin)#exit
View the role authorization definition (note that network-admin and network- operator are roles that are natively defined in EOS).
Switch(config)#wait-for-warmup
switch(config)#show users roles
switch(config)#write
Note: You can remove any rule from the role by entering “no ” command when inside that role submode and then exiting the role submode.
If organization policy so requires, custom roles can be created using guidance provided in “Section 4.4 Role-Based Authorization” of [User Manual]. You can use online tools such as regexper.com to visualize the rule implemented by regular expression.
Create named users in “cc-admin” role as follows.
Switch(config)#username secret 0 role

Arista Networks

Page 21 of 48

cc-admin
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters: @ # $ % ^ & – _ =+ ; < > , . ~ |.
The following characters can be used in the password: uppercase and lowercase letters, numbers and special characters “!”, “@”, “#”, “$”, “%”, “^”, “&”, “
”, “(“, “)”. The length of the password needs to be as least as much as configured before in Password Restrictions, else password entry will be rejected.
In order to configure key based SSH authentication for the user, use following command.
Switch(config)# username sshkey
Note that the SSH-KEY will have the key type mentioned at the beginning (ssh- rsa) followed by the space and the key value. The key size for user authentication must be at least 2048 bits. When key based authentication is configured, that is performed by the switch first. If that fails, the switch performs password based authentication. If password based authentication is not desired for the key based user, disable password based authentication for that user by running the following command.
Switch(config)# username secret *
To view the user accounts, run the following command.
Switch(config)#show users accounts

Additionally, a default’ role must be configured to prevent users that are not assigned a role from running any commands. Configure the following to set this: switch(config)#role do-nothing switch(config-role-do-nothing)#10 deny command .* switch(config-role-do-nothing)#exit switch(config)#aaa authorization policy local default-role donothing Now, any username which does not have a role assigned will be assigned the donothing’ role upon logging in. They will be able to log in but will be unable to run any commands other than `exit’ to disconnect from the system. This behavior sees the most usage in eAPI, which is documented in a different section.
3.12 TLS Server Perform following steps to securely configure TLS Server. It will be used by eAPI.
3.12.1 Create SSL profile Run the following commands to create SSL profile called “TLSserv”.
Switch#config switch(config)#management security switch(config-mgmt- security)#ssl profile TLSserv
3.12.2 Enable FIPS mode

Arista Networks

Page 22 of 48

Run the following command to enable FIPS mode for TLS server.
Switch(config-mgmt-sec-ssl-profile-TLSserv)#fips restrictions
When the above command is run, FIPS power-up self-tests are performed. If they succeed, FIPS mode is enabled. Confirm that FIPS mode is enabled.
Switch(config-mgmt-sec-ssl-profile-TLSserv)#show management httpserver
If power-up self-tests fail, the TLS server (nginx service) does not start. The failure s is indicated by a pair of audit logs as follows:
2022 Jun 4 16:48:40 switch kernel: [ 860.681208] potentially unexpected fatal signal 6.
2022 Jun 4 16:48:40 switch kernel: [ 860.681216] CPU: 0 PID: 4970 Comm: nginx Tainted: P O 4.9.122.Ar-11549262.eostrunk.1 #1
If you see repeated failures to start nginx service, please contact Arista Networks.

When FIPS mode is enabled for the TLS server issues with client certificate authentication result in a rejection at the TLS layer. This is different from the normal behavior where the rejection occurs at the HTTP (application) layer and contains a detailed log message on the switch. Rejections at the TLS layer will not contain detailed log messages. If detailed failure information for client certificates is required, for example, when testing the creation of valid client certificates, FIPS mode for the TLS server can be temporarily turned off. The following sample error messages show the detailed failure reasons that can be seen when FIPS mode is off:
Error log when the client certificate signing CA is unknown:
2021 Oct 14 14:59:33 do392 nginx: 2021/10/14 14:59:33 [info] 11974#0: *29 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: ::ffff:10.242.233.93, server: [::]:443

Error log for when the client certificate has expired:
2021/10/15 10:38:20 [info] 19710#0: 1 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: ::ffff:10.242.233.93, server: , request: “POST /command-api HTTP/1.1”, host: “172.30.167.157”
Error log when the client certificate has been revoked by a CRL:
2021 Oct 14 15:07:48 do392 nginx: 2021/10/14 15:07:48 [info] 12434#0:
32 client SSL certificate verify error: (23:certificate revoked) while reading client request headers, client: ::ffff:10.242.233.93, server: , request: “POST /command-api HTTP/1.1”, host: “172.30.167.194”

Turning off FIPS mode is only allowed for testing purposes. When testing is completed FIPS mode must be turned back on for the TLS server.
3.12.3 Generate CSR and obtain signed certificate Generate a TLS server RSA key pair of 2048 bits, let us call this key TLSserv_key. Note that if this

Arista Networks

Page 23 of 48

key already exists, it will be modified after running the following command. If it does not exist, it will be newly created. Also, FIPS conditional self- test is performed at this time on the generated key pair and only if it passes the command completes successfully. If the command does not complete successfully repeatedly, please contact Arista Networks.
Switch#security pki key generate rsa 2048 TLSserv_key
The list of keys can be viewed by running the following command.
Switch#dir sslkey:
If any key is not needed, it can be deleted by running the following command. You can confirm that key is generated by doing the following:
switch#deletedir sslkey:
Using the above key, generate CSR by running the following command. When the command is run, the user is prompted to answer a number of questions. Provides answers to some of those questions as stated below. Providing answers to other questions is optional.
Switch#security pki certificate generate signing-request
PKI Key to use for CSR: TLSserv_key
Common Name for use in subject:
Two-Letter Country Code for use in subject:
Organization Name for use in subject:
Organization Unit Name for use in subject:
Copy and paste the output to a file on USB. Submit this file to a trusted CA to obtain an X.509v3 certificate signed by it. Suppose the signed certificate file is TLSserv.pem. Import this file into the switch’s certificate folder. Note that if this certificate already existed, it will be modified after running the following command. If it did not exist, it would be newly created.
Switch#copy usb1:/TLSserv_certificate.pem certificate:TLSserv_certificate.pem
Import all intermediate certificates and root certificates for the above certificate in the switch’s certificate folder. For example, suppose TLSserv_certificate.pem is signed by IntCA_certificate.pem, which in turn is signed by RootCA_certificate.pem.
switch#copy usb1:/IntCA_certificate.pem certificate:IntCA_certificate.pem
switch#copy usb1:/RootCA_certificate.pem certificate:RootCA_certificate.pem
The list of certificates can be viewed by running the following command.
Switch#dir certificate:
If any certificate there is not needed, it can be deleted by running the following command.
Switch# delete certificate:
If the above changes succeed, any old certificates or key files have been destroyed per FCS_CKM.4. If these changes do not take effect, please contact Arista Support before continuing the operation of the switch.

Arista Networks

Page 24 of 48

3.12.4 Define cipher suites Configure FIPS compliant ciphers and Diffie- Hellman parameters. EOS supports the DiffieHellman parameters ffdhe2048, ffdhe3072, and ffdhe4096.
Switch(config-mgmt-sec-ssl-profile-TLSserv)#tls versions 1.2
switch(config-mgmt-sec-ssl-profile-TLSserv)#cipher-list AES128SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256SHA256:AES256 -GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
switch(config-mgmt-sec-ssl-profile-TLSserv)#diffie-hellman parameters ffdhe2048
The ffdhe3072 and ffdhe4096 parameters can be configured similarly. Only one parameter can be enabled at a time.
switch(config-mgmt-sec-ssl-profile-TLSserv)#write
Note: The TLS server implements session resumption using session IDs according to RFC 5246 (TLS 1.2). Session resumption is enabled by default and cannot be disabled. There is no configuration on the TOE to modify the session resumption behavior.
3.12.5 Configure certificate check restrictions Extended key usage in server certificate must have Server Authentication purpose and in client presented certificate must have Client Authentication purpose.
switch(config)#management security switch(config-mgmt-sec)#ssl profile TLSserv switch(config-mgmt-sec-ssl-profile-TLSserv)#certificate requirement extended- key-usage
Basic constraints must be set True for all CA certificates.
switch(config-mgmt-sec-ssl-profile-TLSserv)#trust certificate requirement basic-constraint ca true switch(config-mgmt-sec-ssl-profile-TLSserv)#chain certificate requirement basic-constraint ca true
Certificate chain imported in the switch must end in root.
switch(config-mgmt-sec-ssl-profile-TLSserv)#chain certificate requirement include root-ca

3.12.6 Load certificate chain and CRLs
Load server leaf certificate.
switch(config-mgmt-sec-ssl-profile-TLSserv)#certificate TLSserv_certificate.pem key TLSserv_key
Designate intermediate and root certificates in the chain and mark them as trusted. Note that when the certificate chain is presented by an eAPI client, it will be verified by TLS Server up to the first CA encountered in the presented chain that is among the above designated trusted CAs.
switch(config-mgmt-sec-ssl-profile-TLSserv)#chain certificate

Arista Networks

Page 25 of 48

IntCA_certificate.pem switch(config-mgmt-sec-ssl-profile-TLSserv)#trust certificate IntCA_certificate.pem switch(config-mgmt-sec-ssl-profile- TLSserv)#chain certificate RootCA_certificate.pem switch(config-mgmt-sec-ssl- profile-TLSserv)#trust certificate RootCA_certificate.pem
Obtain current CRLs of IntCA and RootCA and import them into switch as follows.
switch(config-mgmt-sec-ssl-profile-TLSserv)#copy usb1:IntCA_CRL.pem certificate:IntCA_CRL.pem switch(config-mgmt-sec-ssl-profile-TLSserv)#crl IntCA_CRL.pem switch(config-mgmt-sec-ssl-profile-TLSserv)#copy usb1:RootCA_CRL.pem certificate:RootCA_CRL.pem switch(config-mgmt-sec-ssl- profile-TLSserv)#crl RootCA_CRL.pem
Now make configuration for daily update of above CRLs. To do this you have to make a bash script as follows. Please note that “bash” access is only allowed for the “admin” user during setup. Once the “role” is loaded for the cc-admin, bash access is disallowed.
switch(config)#bash [admin@switch ~]$cd /mnt/flash
Make a bash script file called IntCA_CRL.sh.
[admin@switch flash]$vi IntCA_CRL.sh
Add the following lines in the file, then save the file and exit the editor. You have to enter “i” to enter the edit mode of the vi editor and ESC :wq ENTER to save and exit the vi editor.

!/bin/bash FastCli -p15 -e -c $’conf ndelete certificate: AcumenInterCA.crl

nend n’ sudo ip netns exec ns-mgmt curl http://10.1.4.175/AcumenInterCA.crl -o /tmp/AcumenInterCA.crl FastCli -p15 -e -c $’conf ncopy file:/tmp/AcumenInterCA.crl certificate:IntCA_CRL.pem nend n’
Now schedule the periodic execution of the above script as follows.
switch(config)#schedule updateIntCRL interval 1440 timeout 10 max-log-files 3 command bash /mnt/flash/IntCA_CRL.sh
Confirm the schedule.
switch(config)#show schedule summary switch(config)#write
Do the same steps as above for Root CA CRL and other Int CA CRL updates.
Note: If you want to remove any schedule, you can do it with the “no schedule

” command.

Arista Networks

Page 26 of 48

Every time the above bash script runs, it first deletes an existing CRL. This causes the SSL profile to become invalid. Thereafter, when a new valid CRL download and copy succeeds, the SSL profile becomes valid again. Thus, successful outcome of the script in each run generates a sequence of audit logs as shown in below sample.
A. 2022 May 31 12:03:03 switch Aaa: %ACCOUNTING-6-CMD: unknown,uid=0 unknown unknown stop task_id=27351 start_time=1559329383.66 timezone=PST service=shell priv-lvl=15 cmd=delete certificate:IntCA_CRL.pem
B. 2022 May 31 12:04:35 switch ConfigAgent: %SECURITY- 6SSL_KEY_CERTIFICATE_DELETED: SSL certificate IntCA_CRL.pem has been deleted with the SHA-256 hash of c336aad7bf58403b9235c460de6c01a9de576c965bb86838be412fe570cd7145
C. 2022 May 31 12:05:03 switch SuperServer: %SECURITY-3-SSL_PROFILE_INVALID: SSL profile ‘TLSserv’ is invalid. Check ‘show management security ssl profile TLSserv’ for details
D. 2022 May 31 12:05:54 switch Aaa: %ACCOUNTING-6-CMD: unknown,uid=0 unknown unknown stop task_id=27354 start_time=1559329384.11 timezone=PST service=shell priv-lvl=15 cmd=copy certificate:IntCA_CRL.pem
E. 2022 May 31 12:08:29 switch ConfigAgent: %SECURITY- 6SSL_KEY_CERTIFICATE_IMPORTED: SSL certificate IntCA_CRL.pem has been imported with the SHA-256 hash of c336aad7bf58403b9235c460de6c01a9de576c965bb86838be412fe570cd7145
F. 2022 May 31 12:10:23 switch SuperServer: %SECURITY-6-SSL_PROFILE_VALID: SSL profile ‘TLSserv’ is valid
If the new valid CRL download and copy does not succeed, logs E and F above will not be generated, and the SSL profile will remain invalid until the valid CRL is again downloaded and copied. No new authentication attempts succeed when the SSL profile is invalid.
In the unlikely situation that the script fails to execute, logs A to F above will not generate.
In the unlikely situation that the delete command fails, logs B and C will not generate.
Administrators must monitor the above logs to ensure that they all generate around the time the script is scheduled to run. If they don’t, it indicates a problem with CRL update and must be investigated.
3.12.7 Validate SSL profile configuration At this time, make sure that the SSL profile is valid. If not, the state of the profile will be shown as invalid in the output of the command along with the reason for invalidity. Make sure to remediate the reason for invalidity and then exit the profile sub-mode.
switch(config-mgmt-sec-ssl-profile-TLSserv)#wait-for-warmup
switch(config-mgmt-sec-ssl-profile-TLSserv)#show management security ssl profile
switch(config-mgmt-sec-ssl-profile-TLSserv)#write
switch(config-mgmt-sec-ssl-profile-TLSserv)#exit
switch(config-mgmt-sec)#exit

Arista Networks

Page 27 of 48

Note: During the configuration, if it is required to delete a CRL or an SSL Profile, use commands “no crl ” and “no ssl profile ”. Trust certificates can be removed via “no trust certificate <certificate name>”. Chain certificates can be removed via “no chain certificate

”. 3.12.8 Cryptographic key destruction There are limited circumstances under which the destruction of cryptographic keys could be delayed, but not prevented. When cryptographic keys are generated, they are initially saved to disk on a RAM backed folder named /persist/secure. Any changes made to /persist/secure are backed up as an archive to flash memory. Before saving a new archive to flash memory, the old archive is removed using the UNIX “scrub” command. The new archive is then saved to flash memory in a single move operation.

The combination of the “scrub” command followed by the move operation ensures that old cryptographic keys are first scrubbed before they are deleted, thereby delaying their destruction. This approach provides a defense in depth for clearing the keys, as it is not possible to prevent the destruction of the keys. However, if other operations are being performed, the flash memory may take a brief period of time to process, causing a delay in the destruction of the keys.
3.12.9 X509 certificate validation During the establishment of a TLS connection, the eAPI client presents its x.509v3 certificate to the TLS server within the TOE (Target of Evaluation). This certificate is utilized by the TOE to authenticate the eAPI client. The TOE performs the following checks on the certificate provided by the eAPI client:
· The TOE verifies that the certificate chain presented by the eAPI client can be traced back to the lowest CA certificate within the hierarchy of certificates imported into the TOE. This lowest CA certificate acts as the trust anchor. It is important to note that the trust anchor can either be an intermediate CA certificate or the root CA certificate.
· The TOE validates that the current date and time fall within the “Valid from” and “Valid to” time frame for each certificate in the chain presented by the eAPI client, starting from the leaf certificate up to and including the trust anchor.
· The TOE checks that the basicConstraints extension is included in all CA certificates within the chain, with the CA flag set to TRUE.
· The TOE ensures that the leaf certificate in the chain presented by the eAPI client contains the extendedKeyUsage field with the purpose of Client Authentication (id-kp 2 with OID 1.3.6.1.5.5.7.3.2).
· The TOE verifies the correctness of the digital signatures in all certificates.
· The TOE confirms that none of the certificates within the chain, from the leaf up to the trust anchor, are revoked. It is not necessary to check the revocation status of the trust anchor and other CA certificates upstream of the trust anchor.
If any of the mentioned checks fail, the TLS connection is rejected. The TOE does not support a X509 certificate fallback authentication function, if any of these x509 certificate validity checks fail, the session is terminated.

Arista Networks

Page 28 of 48

The EOS does not provide support for code signing and OCSP signing attributes in the extendedKeyUsage field of the leaf certificate when presented by the e-API client or when included in an x509 certificate imported into its trusted store.
To enable revocation checking on the eAPI client certificate chain as described above, the Security Administrator is responsible for specifying Certificate Distribution Points (CDPs) during the initial configuration of the TOE (Target of Evaluation). It is mandatory for the Security Administrator to designate CDPs for the Certificate Revocation Lists (CRLs) published by the trust anchor and each CA certificate between the trust anchor and the leaf certificate of the eAPI client.

The TOE automatically downloads CRLs from the designated CDPs at regular intervals, refer to Section 3.14 for the instructions, and stores the most recently retrieved CRLs locally. During the download process, the digital signatures on the downloaded CRLs are validated. If the signature verification fails, the CRL is not added to the local copy.

The locally stored copies of the CRLs are utilized for performing certificate revocation checking. During revocation checking, the TOE ensures that the current time falls within the validity period of the CRL, which is specified between the effective date and the next update date mentioned in the CRL.

Revocation checking can result in failure for two reasons. Firstly, the certificate may be revoked according to the CRL. Secondly, the recent CRL for the CA that issued the certificate may not be present in the local copy, thus preventing the revocation checking from being performed.
3.13 eAPI Server Configuration Now that the SSL profile is configured, eAPI can be set to use that profile as follows. First ensure that the http-commands API is appropriately initialized.
switch(config)#no management api http-commands switch(config)#management api http-commands switch(config-mgmt-api-http-cmds)#vrf mgmt switch(config-mgmt- api-http-cmds)#no shutdown switch(config-mgmt-api-http-cmds)#write switch (config-mgmt-api-http-cmds)#exit switch(config)#write switch#show management api http-commands
Configure HTTP server settings.
switch(config)#management http-server switch(config-mgmt-http-server)#no protocol http switch(config-mgmt-http-server)#no default-services switch (config-mgmt-http-server)#protocol https ssl profile TLSserv

Arista Networks

Page 29 of 48

switch(config-mgmt-http-server)#log-level info
switch(config-mgmt-http-server)#exit
Check HTTPS server settings.
switch(config)#wait-for-warmup
switch(config)#show management http-server
switch#show management api http-commands
switch(config)#write
In the event of X509 authentication failure for any reason, the Target of Evaluation (TOE) terminates the TLS communication with the eAPI client. It’s important to note that the TOE does not incorporate any mechanism for overriding x509 certificates. Clients are required to authenticate using x509 certificates. This is achieved by creating a user account whose password is disabled. The common name provided in the certificate must exist on the switch. Perform the following steps to create user account for eAPI client. This assigns network-operator role to eAPI client. So, it can remotely run show commands, but cannot run any config commands. Also, eAPI client cannot login with password credential.
switch(config)#username eAPI secret * role network-operator
One last step is to restrict untrusted connection attempts to the eAPI TLS server. To that end, first, set up an access control list (ACL) to only allow trusted IP addresses to access the TLS server:
switch(config)# ip access-list block-untrusted
This is how to add an ACL to permit a specific subnet:
switch(config-acl-block-untrusted)#permit tcp any eq https
As an example, permitting a specific subnet would look like:
switch(config-acl-block-untrusted)#permit tcp 172.16.0.0/16 any eq https
This is how to add an ACL to permit a specific IP address:
switch(config-acl-block-untrusted)#permit tcp host any eq https
As an example, permitting a specific ip address would look like:
switch(config-acl-block-untrusted)#permit tcp host 10.0.0.3 any eq https
Multiple rules can be configured depending on which IP addresses are allowed. When all rules have been entered, exit the mode and save the configuration.
switch(config-acl-block-untrusted)#exit
switch(config)#write
Then, configure the ACL on the server as follows:
switch(config)#management http-server
switch(config-mgmt-http-server)#vrf <fill in with VRF name or use “default” if no VRF configured>

Arista Networks

Page 30 of 48

switch(config-mgmt-http-server-vrf-)#ip access-group block-untrusted in
switch(config)#write
3.13.1 eAPI Fallback authentication The eAPI provides support for password- based authentication as a fallback option. The availability of fallback authentication depends on the configuration of the “secret” parameter in the “username” command. To enable or disable fallback authentication, the following command should be used as a replacement:
switch(config)#username eAPI secret role networkoperator
If the “secret” parameter is configured with a password, such as in the example “username eAPIAdmin1 secret myPassw0rd role cc-admin”, fallback authentication is enabled. In this case, the client can authenticate by providing their password (myPassw0rd) instead of a client certificate.
However, if the “secret” parameter is configured with the “” (asterisk) character, as shown in the “username eAPIAdmin1 secret role cc-admin” command, fallback authentication is disabled. In this scenario, the client will not be able to authenticate using their password.
It is highly recommended to prioritize the use of client certificates over passwords whenever possible. This can be achieved by disabling fallback authentication through the configuration “secret *”
3.14 eAPI Client Operation The eAPI client can issue a subset of CLI commands and receive response using any program that can retrieve content from the server via HTTP methods. For example, a popular Linux utility called `wget’ provides such facility. Run the following command on client machine to issue eAPI request to the switch.
eapi-host#wget –ca-certificate= –certificate= -private- key= -q -O – https:///command-api –postdata=”$(cat <file-with- json-request>)”
Here stores bundle of certificate authorities in PEM format to verify server’s certificate, stores client certificate in PEM format and

stores client’s private key. Request details are stored in in following format: { “jsonrpc”: “2.0”, “method”: “runCmds”, “params”: { “version”: 1, “cmds”: [ “” ], “format”: “text”

Arista Networks

Page 31 of 48

}, “id”: “1” } The response from the switch will contain the output of the command if the command succeeded or error indication if there was a problem with running the command. Note that the certificate used to authenticate,

in the above example, must have the username as the CN attribute in the Subject: of the x509 certificate. This is to tie the username to the allowed role. An example output obtained by running “openssl x509 -text -in ” shows a certificate tied to the user account eAPIAdmin1. Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=IntCA1_Good_EKU Validity Not Before: Aug 22 17:59:19 2021 GMT Not After : Aug 21 17:59:19 2022 GMT Subject: CN=eAPIAdmin1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)

For the login to complete there should be a corresponding username configured on the switch, with the correct role, via a command like:
switch(config)#username eAPIAdmin1 secret role cc-admin
The account used for eAPI operations must be configured with the “secret
” command, as demonstrated in the provided configuration. This command serves two purposes: disallowing password-based logins and enforcing the use of client certificate authentication. It is important to note that client certificate authentication is always available for eAPI, but it is not mandatory. The purpose of configuring “secret ” is to prevent the use of passwords entirely and maximize security by requiring the use of certificates during the authentication process.
It is worth mentioning that even if a client certificate is not provided, application data flow will still occur. This is because, as a fallback measure, the application will request a password. However, due to the “secret
” setting, no password will ever be accepted. The reason for

Arista Networks

Page 32 of 48

requesting a password despite its inability to succeed is to avoid leaking information about the device configuration. If the EOS switch did not request a password and simply closed the connection, it would signal to a malicious client that the connected account does exist and is configured with “secret *”. To prevent information leakage, a password is always requested but will never result in a successful authentication.
3.15 Timekeeping
After each power cycle it is important to confirm, and potentially reset, the time of the clock. To confirm the time of the clock use “show clock” which will return an output along the lines of:
switch >show clock Fri Apr 14 13:32:19 2023 Timezone: UTC (using ) Clock source: local
If the time is off by more than 30 seconds the time must be reset to the current time using the command “clock set hh:mm:ss yyyy-mm-dd”. An example of setting the time to Apr 14, 2023, at 1:32 PM is:
(config)#clock set 13:32:00 2023-04-12
After setting the time the “show clock” command can be used to confirm the value being set.

Auditable Events

This section describes the format of audit logs. The format identifies what and where the key information is present in the audit logs. Actual audit logs may have additional system specific information in them. Several log samples are provided below for actual audit logs.
4.1 FAU_GEN.1.1 – Audit Data Generation
4.1.1 Start-up and Shut-Down of Audit Functions The audit function is automatically started when the EOS is loaded. The audit function runs as long as the system is running. By preventing the user in the cc-admin role to run any config mode commands as described in the Named User Accounts section, it is ensured that no changes are made to the audit configuration by the user.
4.1.2 Administrative Login and Logout See description of audit logs for FIA_UIA_EXT.1 and FIA_UIA_EXT.2.
4.1.3 TSF Data Related Configuration Changes
See description of audit logs for FMT_SMF.1.

Arista Networks

Page 33 of 48

4.1.4 Cryptographic Keys
SSH key The system permits only one SSH host key of a given algorithm type to be present. In CC mode, since we have restricted SSH to use only RSA for the host key, the only host key for SSH that is relevant here is the one with key name as “rsa”. This key is created or updated by using the same command. Execution of this commands is logged as follows.
· Command Log Format:

Arista Networks

Page 34 of 48

cmd=security pki key generate rsa 2048 TLSserv_key
2022 May 24 01:51:06 switch Aaa: %ACCOUNTING-6-CMD: admin vty3 10.95.66.234 stop task _id=361 start_time=1558680667.0 timezone=EST service=shell priv- lvl=15 cmd=delete TLSserv_key
The above log will be followed by the following log to provide additional information.
· SSL_KEY_CERTIFICATE_IMORTED Format:

Arista Networks

Page 35 of 48

the command will highlight this discrepancy. Audit events are generated for both invalid and valid profiles.
Invalid commands are not outright rejected to prevent services from utilizing an invalid configuration. Instead, the SSL Profile ensures that such configurations are not used by the end service. To validate the correct configuration of a profile, you can use the command “show management security ssl profile ”.
Signed certificate is imported into the switch by copying it to the certificate: folder. The certificate is identified by certificate file name. The certificate can be later updated by copying a new certificate file to it. Certificates can also be deleted. Execution of these commands is logged as follows.
· Command Logs Format:

] has been imported with the SHA-256 hash of . Log Sample: 2022 May 29 09:17:29 switch ConfigAgent: %SECURITY- 6SSL_KEY_CERTIFICATE_IMPORTED: SSL certificate TLSserv_certificate.pem has been imported with the SHA-256 hash of c336aad7bf58403b9235c460de6c01a9de576c965bb86838be412fe570cd7145 · SSL_KEY_CERTIFICATE_DELETED Format:

Related Manuals