RFC 3871           Operational Security Requirements      September 2004
3.  Documentation Requirements
   The requirements in this section are intended to list information
   that will assist operators in evaluating and securely operating a
   device.
3.1.  Identify Services That May Be Listening
   Requirement.
      The vendor MUST provide a list of all services that may be active
      on the device.  The list MUST identify the protocols and default
      ports (if applicable) on which the services listen.  It SHOULD
      provide references to complete documentation describing the
      service.
   Justification.
      This information is necessary to enable a thorough assessment of
      the potential security risks associated with the operation of each
      service.
   Examples.
      The list will likely contain network and transport protocols such
      as IP, ICMP, TCP, UDP, routing protocols such as BGP and OSPF,
      application protocols such as SSH and SNMP along with references
      to the RFCs or other documentation describing the versions of the
      protocols implemented.
      Web servers "usually" listen on port 80.  In the default
      configuration of the device, it may have a web server listening on
      port 8080.  In the context of this requirement "identify ...
      default port" would mean "port 8080".
   Warnings.
      There may be valid, non-technical reasons for not disclosing the
      specifications of proprietary protocols.  In such cases, all that
      needs to be disclosed is the existence of the service and the
      default ports (if applicable).
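
   One way an operator can use the list required by 3.1 is to compare it
   with the listeners actually seen on a device.  The following is an
   added example, not part of RFC 3871; the CSV layout of the vendor
   list, the function names, and the use of Linux `ss -tuln` style output
   as the listener snapshot are assumptions, and all data is constructed.

```python
# Constructed sample data: the vendor's documented list and a listener snapshot.
VENDOR_SERVICES = """\
# service,protocol,default_port
ssh,tcp,22
snmp,udp,161
http,tcp,8080
bgp,tcp,179
"""
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      5      [::]:23            [::]:*
"""

def parse_vendor_list(text):
    """Return {(protocol, port): service} from the documented list."""
    documented = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, proto, port = (f.strip() for f in line.split(","))
        documented[(proto.lower(), int(port))] = service
    return documented

def parse_listeners(text):
    """Return the set of (protocol, port) pairs in `ss -tuln` style output."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        port = fields[4].rsplit(":", 1)[-1]  # works for 0.0.0.0:22 and [::]:23
        if port.isdigit():
            listeners.add((fields[0], int(port)))
    return listeners

def audit(vendor_text, ss_text):
    """Return (undocumented listeners, documented services not listening)."""
    documented = parse_vendor_list(vendor_text)
    observed = parse_listeners(ss_text)
    undocumented = sorted(observed - set(documented))
    not_listening = sorted(documented[k] for k in set(documented) - observed)
    return undocumented, not_listening

if __name__ == "__main__":
    print(audit(VENDOR_SERVICES, SS_OUTPUT))
```

   A listener that is absent from the vendor list is a gap in the
   documentation; a documented service that is not listening may simply
   be disabled in the running configuration.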
3.2.  Document Service Defaults
   Requirement.
      The vendor MUST provide a list of the default state of all
      services.
Jones                        Informational                     [Page 67]



