RFC 3871           Operational Security Requirements      September 2004

   Warnings.

      Offline copies of configurations should be well protected as they

      often contain sensitive information such as SNMP community

      strings, passwords, network blocks, customer information, etc.

      "Well defined" and "textual" are open to interpretation.  Clearly

      an ASCII configuration file with a regular, documented command

      oriented syntax would meet the definition.  These are currently in

      wide use.  Future options, such as XML based configuration may

      meet the requirement.  Determining this will require evaluation

      against the justifications listed above.

2.5.  IP Stack Requirements

2.5.1.  Ability to Identify All Listening Services

   Requirement.

      The vendor MUST:

      *  Provide a means to display all services that are listening for

         network traffic directed at the device from any external

         source.

      *  Display the addresses to which each service is bound.

      *  Display the addresses assigned to each interface.

      *  Display any and all port(s) on which the service is listing.

      *  Include both open standard and vendor proprietary services.

   Justification.

      This information is necessary to enable a thorough assessment of

      the security risks associated with the operation of the device

      (e.g., "does this protocol allow complete management of the device

      without also requiring authentication, authorization, or

      accounting?").  The information also assists in determining what

      steps should be taken to mitigate risk (e.g., "should I turn this

      service off ?")

Jones                        Informational                     [Page 29]