RFC 3871           Operational Security Requirements      September 2004
   Justification.
      The purpose of having the console interface is to have a
      management interface that can be made to work quickly at all
      times.  Requiring complex or nonstandard behavior on the part of
      attached devices reduces the likelihood that the console will work
      without hassles.
   Examples.
      If the console is supplied via an RS232 interface, then it should
      function with an attached device that only implements a "dumb"
      terminal.  Support of "advanced" terminal features/types should be
      optional.
   Warnings.
      None.
2.3.4.  'Console' Supports Fall back Authentication
   Requirement.
      The 'console' SHOULD support an authentication mechanism which
      does not require functional IP or depend on external services.
      This authentication mechanism MAY be disabled until a failure of
      other preferred mechanisms is detected.
   Justification.
      It does little good to have a console interface on a device if you
      cannot get into the device with it when the network is not
      working.
   Examples.
      Some devices which use TACACS or RADIUS for authentication will
      fall back to a local account if the TACACS or RADIUS server does
      not reply to an authentication request.
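      The fall back behavior in this example, sketched in Python as an
      added illustration (not part of the RFC text).  The names Remote,
      console_login and allow_fallback, the sample account, and the choice
      to treat a server reject as final are assumptions of this sketch.

```python
import hashlib
import hmac
from enum import Enum

class Remote(Enum):
    """Outcome of the preferred (TACACS/RADIUS) authentication attempt."""
    ACCEPT = "accept"
    REJECT = "reject"
    NO_REPLY = "no_reply"   # timeout: server down or no functional IP

_SALT = b"constructed-salt"  # constructed sample value

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed local account stored on the device; usable only as fall back.
LOCAL_ACCOUNTS = {"emergency": _kdf("constructed-passphrase")}

def local_auth(user: str, password: str) -> bool:
    stored = LOCAL_ACCOUNTS.get(user)
    candidate = _kdf(password)  # computed even for unknown users
    return stored is not None and hmac.compare_digest(stored, candidate)

def console_login(user, password, remote_result, allow_fallback=True):
    """Return (granted, method, audit_event) for one console login."""
    if remote_result is Remote.ACCEPT:
        return True, "remote", "login ok via AAA server"
    if remote_result is Remote.REJECT:
        # The server answered, so its decision stands.  Falling back here
        # would let a local password override a central denial.
        return False, "remote", "login denied by AAA server"
    # NO_REPLY: the preferred mechanism has failed.
    if not allow_fallback:  # local policy may forbid fall back entirely
        return False, "none", "AAA unreachable, fall back disabled"
    ok = local_auth(user, password)
    # Fall back use is rare, so every attempt is worth an audit event.
    return ok, "local", "FALLBACK login ok" if ok else "FALLBACK login failed"
```

      The local account is consulted only when the server gives no reply,
      and every fall back attempt produces a distinct audit event.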
   Warnings.
      This requirement represents a trade off between being able to
      manage the device (functionality) and security.  There are many
      ways to implement this which would provide reduced security for
      the device, (e.g., a back door for unauthorized access).  Local
      policy should be consulted to determine if "fail open" or "fail
Jones                        Informational                     [Page 20]



