RFC 3871           Operational Security Requirements      September 2004
   These requirements assume two different possible Out of Band
   topologies:
   o  serial line (or equivalent) console connections using a CLI,
   o  network interfaces connected to a separate network dedicated to
      management.
   The following assumptions are made about out of band management:
   o  The out of band management network is secure.
   o  Communications beyond the management interface (e.g., console
      port, management network interface) are secure.
   o  There is no need for encryption of communication on out of band
      management interfaces (e.g., on a serial connection between a
      terminal server and a device's console port).
   o  Security measures are in place to prevent unauthorized physical
      access.
   Even if these assumptions hold, it would be wise, as an application of
   defense in depth, to apply the in band requirements (e.g.,
   encryption) to out of band interfaces.
2.3.1.  Support a 'Console' Interface
   Requirement.
      The device MUST support complete configuration and management via
      a 'console' interface that functions independently from the
      forwarding and IP control planes.
   Justification.
      There are times when it is operationally necessary to be able to
      immediately and easily access a device for management or
      configuration, even when the network is unavailable, routing and
      network interfaces are incorrectly configured, the IP stack and/or
      operating system may not be working (or may be vulnerable to
      recently discovered exploits that make their use impossible/
      inadvisable), or when high bandwidth paths to the device are
      unavailable.  In such situations, a console interface can provide
      a way to manage and configure the device.
Jones                        Informational                     [Page 17]



