Tag :: Security

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Support for AES GCM has been added as a method for storing symmetric secrets in EOS. This applies to secrets that must be

Automatic certificate management provides support for retrieving signed x509v3 certificates from a server under the Enrollment over Secure Transport (EST) protocol, described in RFC 7030. The feature provides only EST client capabilities.

Dynamic CLI Access VLAN is a command that sets the effective access VLAN in a port without changing the running

NDR switch sensor aka “monitor security awake” feature provides deep network analysis by doing deep packet inspection of some or all packets of traffic that's forwarded by the switch.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, which is associated with a revision number to help the user identify changes to the event.

Systems with support for Arista secure boot protect against tampering of the BIOS firmware & Aboot by write-protecting the BIOS SPI flash before EOS is loaded (refer to the “Security model” section in the secure boot TOI for details). While effective at protecting against unauthorized changes made from EOS, such a mechanism has limitations. For example, it is ineffective at protecting against physical reprogramming of the contents of the BIOS SPI flash, tampering through privileged serial console access, undiscovered security vulnerabilities in BIOS upgrade mechanism, etc.

The Segment security feature provides the convenience of applying policies on segments rather than interfaces or subnets. Hosts/networks are classified into segments based on prefixes. Grouping prefixes into segments allows for definition of policies that govern flow of traffic between segments. Policies define inter-segment or intra-segment communication rules, e.g. segment A can communicate with segment B but hosts in segment B can not communicate with each other.

This feature involves the use of packet’s Time to Live (TTL) (IPv4) or Hop Limit (IPv6) attributes to protect

This feature involves the use of packet’s Time to Live (TTL) (IPv4) or Hop Limit (IPv6) attributes to protect

Measured boot is a tamper-detection mechanism that records a system's boot process. It calculates cryptographic hashes of system components and configurations, which are then securely stored in the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM) chip. This process creates a secure "hash chain" of the boot sequence. After the system starts, the TPM Quote operation, along with the PCR extension records, can be used to verify the PCR values, confirming that the system components are unchanged and the software is trusted.

Measured boot is an anti-tamper mechanism. It calculates the cryptographic signatures for software system components and extends the signatures into the Trusted Platform Module (TPM) security chip. Upon startup, with the feature turned on, the Aboot bootloader and EOS calculate the hash of various system components and extend the hashes into the Platform Configuration Registers (PCRs), which is one of the resources of the Trusted Platform Module (TPM) security chip. The calculation and extension event is called the measured boot event, and the event is associated with a revision number to help the user identify changes to the event.

Macro Segmentation Service with Layer 3 firewall (MSS FW) provides a mechanism to offload policy enforcement on TORs

Macro Segmentation Service with Layer 3 firewall (MSS FW) enforces all security policies bi directionally by

This can be done with multiple groups today, as long as we have enough unique group entries in hardware. In the absence of this configuration ( default behavior ), bridged traffic will be assigned to the default VRF and policies of default VRF will be applied to bridged traffic. With this feature, bridged traffic is never subject to MSS-G configuration.

Measured boot is a tamper-detection mechanism that records a system's boot process. It calculates cryptographic hashes of system components and configurations, which are then securely stored in the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM) chip.

EOS 4.35.0F introduces support for Network Time Security (NTS), as defined in RFC8915. NTS provides modern cryptographic security for the client-server mode of the Network Time Protocol (NTP). It separates key establishment from time synchronization by using a TLS-based NTS Key Establishment (NTS-KE) protocol to negotiate symmetric keys and encrypted cookies. These cookies are included in subsequent NTP packets to enable stateless authentication by the server. NTS ensures that time synchronization data is received from a legitimate source and has not been modified in transit.

This TOI describes a set of enhancements made to the existing Port Security: Protect Mode (PortSec-Protect) feature. Please see the existing TOI for this feature here:Port Security: Protect Mode

Secure boot is a security feature available in Aboot (Arista bootloader) that verifies the cryptographic signature of the EOS SWI (software image) before it is booted. Aboot embeds certificates that allow it to recognize and validate official EOS releases from Arista. If the signature verification is successful, the secure boot check passes and Aboot proceeds to boot the SWI. If the signature verification fails, the boot is aborted.

Prior to 4.32.2F, the “reset system storage secure” CLI command can be used to perform a best-effort storage device wipe of all sensitive data. However, this command has the limitation that it wipes EOS from the storage device, leaving the system “stuck” in Aboot. The “reset system storage secure rollback” command provides the same secure erase functionality, but additionally allows the user to preserve a subset of files on the main flash device by copying them into RAM during the secure erase procedure. The set of files that are preserved is configurable. After a successful wipe, the system will return to EOS after the erase is complete if the EOS SWI image and adequate configuration files are preserved (such as boot-config and startup-config).

The Linux audit system provides the ability to record security events on the switch. Audit rules must be configured and enabled at the CLI. Audit rules can be configured in different groups to assist with organization and maintenance.

EOS provides a way to extend its capabilities through the installation of extensions. An extension is a pre packaged

This supports checking that the value of a given x509 certificate OID matches a user-provided value during the TLS handshake in OpenConfig. If the value does not match, no connection will be established.

This feature adds TLS support to the existing syslog logging mechanism. With the new added CLI commands, the user can

Secure boot is a security feature available in Aboot (Arista bootloader) that verifies the cryptographic signature of the EOS SWI (software image) before it is booted. Aboot embeds certificates that allow it to recognize and validate official EOS releases from Arista. If the signature verification is successful, the secure boot check passes and Aboot proceeds to boot the SWI. If the signature verification fails, the boot is aborted.

Port wide port security: Port security with address limit on the port configured by the existing shutdown mode port

The ZTX Session Table Archive feature provides local storage of historical session data on the appliance's SSD, enabling local forensic analysis and troubleshooting. This capability is essential for investigating security incidents, meeting compliance requirements, and analyzing traffic patterns that occurred hours or days in the past.