
New to -02: Software/OS Install, Authorized Access Recovery



2.4.5 Support Software Installation

   Requirement. The device MUST provide a means to install new software
      versions. It MUST be possible to install new software while the
      device is disconnected from all public IP networks. This MUST NOT
      rely on previous installation and/or configuration.

   Justification.

      *  Vulnerabilities are often discovered in the base software
         (operating systems, etc.) shipped by vendors.  Often mitigation
         of the risk presented by these vulnerabilities can only be
         accomplished by updates to the vendor supplied software (e.g.
         bug fixes, new versions of code, etc.).  Without a mechanism to
         load new vendor supplied code, it may not be possible to
         mitigate the risk posed by these vulnerabilities.

      *  It is also conceivable that malicious behavior on the part of
         hackers or unintentional behaviors on the part of operators
         could cause software on devices to be corrupted or erased.  In
         these situations, it is necessary to have a means to (re)load
         software onto the device to restore correct functioning.

      *  It is important to be able to load new software while
         disconnected from all public IP networks because the device may
         be vulnerable to old attacks before the update is complete.

   Examples.

      RS-232 The device could support uploading new code via an RS232
         console port.

      CD-ROM The device could support installing new code from a locally
         attached CD-ROM drive.

      NETWORK The device could support installing new code via a network
         interface, assuming that (a) it is disconnected from all public
         networks and (b) the device can boot an OS and IP stack from
         some read-only media with sufficient capabilities to load new
         code from the network.

   Warnings. None.
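   The NETWORK example above hinges on the device being disconnected
   from all public IP networks before new code is pulled in.  The
   following added example (not part of the draft) is a pre-flight
   check an installer could run: it parses constructed lines in the
   shape of `ip -o addr show` output and refuses the install if any
   configured address is globally routable.  Interface names and
   addresses are made up for the example.

```python
"""Pre-flight check for the NETWORK install path: refuse to fetch new
code unless every configured address is non-global (i.e. no public IP
networks are attached).  Added example; input lines are constructed."""
import ipaddress

# Constructed sample output, in the shape of `ip -o addr show`.
SAMPLE_ISOLATED = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.20.0.5/24 brd 10.20.0.255 scope global eth0
2: eth0    inet6 fe80::1/64 scope link
"""
# Same device with one extra interface holding a globally routable
# address (8.8.8.8 is used only because it is unambiguously public).
SAMPLE_EXPOSED = SAMPLE_ISOLATED + \
    "3: eth1    inet 8.8.8.8/24 scope global eth1\n"


def parse_addrs(text):
    """Yield (ifname, ip_interface) for each inet/inet6 line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        yield fields[1], ipaddress.ip_interface(fields[3])


def exposed_interfaces(text):
    """Return [(ifname, address)] for addresses reachable from the
    public Internet.  Loopback, link-local, RFC 1918 and documentation
    ranges are not global, so they do not trip the check."""
    return [(name, str(iface.ip)) for name, iface in parse_addrs(text)
            if iface.ip.is_global]


def install_allowed(text):
    """True only when no interface carries a public address."""
    return not exposed_interfaces(text)


if __name__ == "__main__":
    for label, sample in (("isolated", SAMPLE_ISOLATED),
                          ("exposed", SAMPLE_EXPOSED)):
        print(label, "->", "proceed" if install_allowed(sample)
              else "abort: %s" % exposed_interfaces(sample))
```

   An address check is necessary but not sufficient: a private address
   behind a NAT can still reach public networks, so the installer should
   also confirm link state or require the uplink to be physically
   unplugged.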

2.12.15 Support Recovery Of Privileged Access

   Requirement. The device MUST support a mechanism to allow authorized
      individuals to recover full privileged administrative access in
      the event that access is lost. Use of the mechanism MUST require
      physical access to the device. There MAY be a mechanism for
      disabling the recovery feature.

   Justification. There are times when local administrative passwords
      are forgotten, when the only person who knows them leaves the
      company, or when hackers set or change the password.  In all
      these cases, legitimate administrative access to the device is
      lost.  There should be a way to recover access.  Requiring
      physical access to invoke the procedure makes it less likely that
      it will be abused.  Some organizations may want an even higher
      level of security and be willing to risk total loss of authorized
      access by disabling the recovery feature, even for those with
      physical access.

   Examples. Some examples of ways to satisfy this requirement are to
      have the device give the user the chance to set a new
      administrative password when:

         The user sets a jumper on the system board to a particular
         position.

         The user sends a special sequence to the RS232 console port
         during the initial boot sequence.

         The user sets a "boot register" to a particular value.

   Warnings. This mechanism, by design, provides a "back door" to
      complete administrative control of the device and may not be
      appropriate for environments where those with physical access to
      the device can not be trusted.