RFC 3871           Operational Security Requirements      September 2004
2.7.  Basic Filtering Capabilities
2.7.1.  Ability to Filter Traffic
   Requirement.
      The device MUST provide a means to filter IP packets on any
      interface implementing IP.
   Justification.
      Packet filtering is important because it provides a basic means of
      implementing policies that specify which traffic is allowed and
      which is not.  It also provides a basic tool for responding to
      malicious traffic.
   Examples.
      Access control lists that allow filtering based on protocol and/or
      source/destination address and/or source/destination port would be
      one example.
   Warnings.
      None.
2.7.2.  Ability to Filter Traffic TO the Device
   Requirement.
      It MUST be possible to apply the filtering mechanism to traffic
      that is addressed directly to the device via any of its interfaces
      including loopback interfaces.
   Justification.
      This allows the operator to apply filters that protect the device
      itself from attacks and unauthorized access.
   Examples.
      Examples of this might include filters that permit only BGP from
      peers and SNMP and SSH from an authorized management segment and
      directed to the device itself, while dropping all other traffic
      addressed to the device.
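
   The policy described in the example above, modeled as a stateless
   first-match filter with a default drop. This is an added illustration,
   not text from the RFC; the addresses (documentation ranges), peer and
   management prefixes, and the function and class names are assumptions.

```python
# Added example: filter for traffic addressed TO the device (section 2.7.2).
# All addresses below are constructed sample values from documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Every address the device owns, including its loopback (assumed values).
DEVICE_ADDRS = {ip_address(a) for a in
                ("192.0.2.1", "198.51.100.1", "203.0.113.1")}  # last = loopback
BGP_PEERS = (ip_network("198.51.100.2/32"),)
MGMT_SEGMENT = (ip_network("192.0.2.128/25"),)

@dataclass(frozen=True)
class Permit:
    proto: str
    sources: tuple
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

# A stateless filter has to allow both directions of a BGP session:
# peer-initiated (dport 179) and replies to a device-initiated one (sport 179).
PERMITS = [
    Permit("tcp", BGP_PEERS, dport=179),
    Permit("tcp", BGP_PEERS, sport=179),
    Permit("udp", MGMT_SEGMENT, dport=161),   # SNMP
    Permit("tcp", MGMT_SEGMENT, dport=22),    # SSH
]

def filter_to_device(proto, src, sport, dst, dport):
    """Return 'permit' or 'drop' for traffic addressed to the device,
    or 'transit' when the destination is not one of the device's addresses."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in DEVICE_ADDRS:
        return "transit"          # not covered by the to-the-device policy
    for p in PERMITS:
        if (p.proto == proto
                and any(src in net for net in p.sources)
                and p.sport in (None, sport)
                and p.dport in (None, dport)):
            return "permit"
    return "drop"                 # all other traffic addressed to the device
```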
Jones                        Informational                     [Page 37]



