RFC 3871 Operational Security Requirements September 2004
Justification.
This prevents the flow, intentional or unintentional, of
management traffic to/from places that it should not be
originating/terminating (e.g., anything beyond the customer facing
interfaces).
Examples.
Implementing separate forwarding tables for management plane and
non-management plane interfaces that do not propagate routes to
each other satisfies this requirement.
Warnings.
None.
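The following check is an added example, not part of RFC 3871. It audits a route dump in the style of Linux "ip route show table all" for routes that cross between the management and non-management forwarding tables. The table number 10, the interface name mgmt0, and the sample routes are assumptions constructed for illustration.

```python
"""Audit a route dump for leaks between management and data forwarding tables."""

# Assumptions for this example: table "10" is the management table and
# mgmt0 is the only management-plane interface.
MGMT_TABLES = {"10"}
MGMT_IFACES = {"mgmt0"}
IGNORED_TABLES = {"local"}   # kernel-maintained local/broadcast entries
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "anycast",
               "unreachable", "blackhole", "prohibit", "throw"}

# Constructed sample in the style of `ip route show table all`.
# Routes in the main table carry no "table" keyword.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev mgmt0 table 10
192.0.2.0/24 dev mgmt0 table 10 proto kernel scope link src 192.0.2.5
203.0.113.0/24 dev eth1 table 10 proto static
default via 198.51.100.1 dev eth1
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.7
192.0.2.128/25 dev mgmt0 proto static
local 192.0.2.5 dev mgmt0 table local proto kernel scope host
unreachable 10.0.0.0/8 table 10
"""


def parse_routes(text):
    """Yield (table, prefix, dev) for every route that names an output device."""
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = tok[1] if tok[0] in ROUTE_TYPES and len(tok) > 1 else tok[0]
        attrs = dict(zip(tok, tok[1:]))          # keyword -> following token
        if "dev" in attrs:                       # unreachable etc. have no dev
            yield attrs.get("table", "main"), prefix, attrs["dev"]


def find_leaks(text):
    """Return routes that cross the management / non-management boundary."""
    leaks = []
    for table, prefix, dev in parse_routes(text):
        if table in IGNORED_TABLES:
            continue
        # A leak is a management table pointing at a non-management
        # interface, or any other table pointing at a management interface.
        if (table in MGMT_TABLES) != (dev in MGMT_IFACES):
            leaks.append((table, prefix, dev))
    return leaks


if __name__ == "__main__":
    for table, prefix, dev in find_leaks(SAMPLE_ROUTES):
        print(f"LEAK table={table} prefix={prefix} dev={dev}")
```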
2.4. Configuration and Management Interface Requirements
This section lists requirements that support secure device
configuration and management methods. In most cases, this currently
involves some sort of command line interface (CLI) and configuration
files. It may be possible to meet these requirements with other
mechanisms, for instance SNMP or a scriptable HTML interface that
provides full access to management and configuration functions. In
the future, there may be others (e.g., XML based configuration).
2.4.1. 'CLI' Provides Access to All Configuration and Management
Functions
Requirement.
The Command Line Interface (CLI) or equivalent MUST allow complete
access to all configuration and management functions. The CLI
MUST be supported on the console (see Section 2.3.1) and SHOULD be
supported on all other interfaces used for management.
Justification.
The CLI (or equivalent) is needed to provide the ability to do
reliable, fast, direct, local management and monitoring of a
device. It is particularly useful in situations where it is not
possible to manage and monitor the device in band via "normal"
means (e.g., SSH or SNMP [RFC3410], [RFC3411]) that depend on
functional networking. Such situations often occur during
security incidents such as bandwidth based denial of service
attacks.
Jones Informational [Page 22]