RFC 3871           Operational Security Requirements      September 2004
   Examples.
      If the device is listening for SNMP traffic from any source
      directed to the IP addresses of any of its local interfaces, then
      this requirement could be met by the provision of a command which
      displays that fact.
   Warnings.
      None.
2.5.2.  Ability to Disable Any and All Services
   Requirement.
      The device MUST provide a means to turn off any "services" (see
      Section 1.8).
   Justification.
      The ability to disable services for which there is no operational
      need will allow administrators to reduce the overall risk posed to
      the device.
   Examples.
      Processes that listen on TCP and UDP ports would be prime examples
      of services that it must be possible to disable.
   Warnings.
      None.
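
   Added example (not part of RFC 3871): one way an operator might audit
   a device's listening services against this requirement and the
   binding requirement in Section 2.5.3. The input layout (Linux
   `ss -H -lntu` columns), the sample lines, the POLICY table and the
   function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, in the column layout of Linux `ss -H -lntu`:
# netid, state, recv-q, send-q, local address:port, peer address:port.
SAMPLE = """\
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:*
udp UNCONN 0 0 192.0.2.1:123 0.0.0.0:*
"""

# Hypothetical policy: services with an operational need, mapped to the
# net blocks they are allowed to be bound to.
POLICY = {
    ("udp", 161): ["127.0.0.0/8"],
    ("tcp", 22): ["127.0.0.0/8"],
    ("udp", 123): ["192.0.2.0/24"],
}

def parse_listeners(text):
    """Return a (proto, address, port) tuple per listening socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop brackets and %ifname
        if host == "*":
            host = "0.0.0.0"  # treated here as the wildcard address
        listeners.append((fields[0], ipaddress.ip_address(host), int(port)))
    return listeners

def audit(listeners, policy):
    """Return (proto, port, address, action) for each policy violation."""
    findings = []
    for proto, addr, port in listeners:
        blocks = policy.get((proto, port))
        if blocks is None:
            action = "disable"  # no operational need for this service
        elif addr.is_unspecified:
            action = "rebind"   # listening on every local interface
        elif not any(addr in ipaddress.ip_network(b) for b in blocks):
            action = "rebind"   # bound outside the permitted net blocks
        else:
            continue
        findings.append((proto, port, str(addr), action))
    return findings
```

   Calling audit(parse_listeners(SAMPLE), POLICY) reports the SNMP
   listener on the wildcard address for rebinding and the two services
   absent from the policy for disabling.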
2.5.3.  Ability to Control Service Bindings for Listening Services
   Requirement.
      The device MUST provide a means for the user to specify the
      bindings used for all listening services.  It MUST support binding
      to any address or net block associated with any interface local to
      the device.  This must include addresses bound to physical or
      non physical (e.g., loopback) interfaces.
   Justification.
      It is a common practice among operators to configure "loopback"
      pseudo interfaces to use as the source and destination of
      management traffic.  These are preferred to physical interfaces
Jones                        Informational                     [Page 30]



