RFC 3871           Operational Security Requirements      September 2004
1.  Introduction
1.1.  Goals
   This document defines a list of operational security requirements for
   the infrastructure of large IP networks (routers and switches).  The
   goal is to provide network operators a clear, concise way of
   communicating their security requirements to equipment vendors.
1.2.  Motivation
   Network operators need tools to ensure that they are able to manage
   their networks securely and to ensure that they maintain the ability
   to provide service to their customers.  Some of the threats are
   outlined in section 3.2 of [RFC2196].  This document enumerates
   features which are required to implement many of the policies and
   procedures suggested by [RFC2196] in the context of the
   infrastructure of large IP based networks.  Also see [RFC3013].
1.3.  Scope
   The scope of these requirements is intended to cover the managed
   infrastructure of large ISP IP networks (e.g., routers and switches).
   Certain groups (or "profiles", see below) apply only in specific
   situations (e.g., edge only).
   The following are explicitly out of scope:
   o  general purpose hosts that do not transit traffic including
      infrastructure hosts such as name/time/log/AAA servers, etc.,
   o  unmanaged devices,
   o  customer managed devices (e.g., firewalls, Intrusion Detection
      System, dedicated VPN devices, etc.),
   o  SOHO (Small Office, Home Office) devices (e.g., personal
      firewalls, Wireless Access Points, Cable Modems, etc.),
   o  confidentiality of customer data,
   o  integrity of customer data,
   o  physical security.
   This means that while the requirements in the minimum profile (and
   others) may apply, additional requirements have not been added to
   account for their unique needs.
Jones                        Informational                      [Page 5]



