blank.gif (43 bytes)

Church Of The
Swimming Elephant

10.4.2 Configuration Control Connected: An Internet Encyclopedia
10.4.2 Configuration Control

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 1812
Up: 10.4 Security Considerations
Prev: 10.4.1 Auditing and Audit Trails

10.4.2 Configuration Control

10.4.2 Configuration Control

A vendor has a responsibility to use good configuration control practices in the creation of the software/firmware loads for their routers. In particular, if a vendor makes updates and loads available for retrieval over the Internet, the vendor should also provide a way for the customer to confirm the load is a valid one, perhaps by the verification of a checksum over the load.


Many vendors currently provide short notice updates of their software products through the Internet. This a good trend and should be encouraged, but provides a point of vulnerability in the configuration control process.

If a vendor provides the ability for the customer to change the configuration parameters of a router remotely, for example through a Telnet session, the ability to do so SHOULD be configurable and SHOULD default to off. The router SHOULD require valid authentication before permitting remote reconfiguration. This authentication procedure SHOULD NOT transmit the authentication secret over the network. For example, if telnet is implemented, the vendor SHOULD IMPLEMENT Kerberos, S-Key, or a similar authentication procedure.


Allowing your properly identified network operator to twiddle with your routers is necessary; allowing anyone else to do so is foolhardy.

A router MUST NOT have undocumented back door access and master passwords. A vendor MUST ensure any such access added for purposes of debugging or product development are deleted before the product is distributed to its customers.


A vendor has a responsibility to its customers to ensure they are aware of the vulnerabilities present in its code by intention - e.g., in-band access. Trap doors, back doors and master passwords intentional or unintentional can turn a relatively secure router into a major problem on an operational network. The supposed operational benefits are not matched by the potential problems.


Connected: An Internet Encyclopedia
10.4.2 Configuration Control


Protect yourself from cyberstalkers, identity thieves, and those who would snoop on you.
Stop spam from invading your inbox without losing the mail you want. We give you more control over your e-mail than any other service.
Block popups, ads, and malicious scripts while you surf the net through our anonymous proxies.
Participate in Usenet, host your web files, easily send anonymous messages, and more, much more.
All private, all encrypted, all secure, all in an easy to use service, and all for only $5.95 a month!

Service Details

Have you gone to church today?
All pages ©1999, 2000, 2001, 2002, 2003 Church of the Swimming Elephant unless otherwise stated
Church of the Swimming Elephant©1999, 2000, 2001, 2002, 2003 is a wholly owned subsidiary of Packetderm, LLC.

Packetderm, LLC
210 Park Ave #308
Worcester, MA 01609