RFC 3871           Operational Security Requirements      September 2004
      *  which network element received the packet (interface, MAC
         address or other layer 2 information that identifies the
         previous hop source of the packet).
      Logging of filter actions is subject to the requirements of
      Section 2.11.
   Justification.
      Logging is essential for auditing, incident response, and
      operations.
   Examples.
      A desktop network may not provide any services that should be
      accessible from "outside."  In such cases, all inbound connection
      attempts should be logged as possible intrusion attempts.
   Warnings.
      None.
2.8.  Packet Filtering Criteria
2.8.1.  Ability to Filter on Protocols
   Requirement.
      The device MUST provide a means to filter traffic based on the
      value of the protocol field in the IP header.
   Justification.
      Being able to filter on protocol is necessary to allow
      implementation of policy, secure operations and for support of
      incident response.
   Examples.
      Some denial of service attacks are based on the ability to flood
      the victim with ICMP traffic.  One quick way (admittedly with some
      negative side effects) to mitigate the effects of such attacks is
      to drop all ICMP traffic headed toward the victim.
   Warnings.
      None.
Jones                        Informational                     [Page 41]
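The following is an added example, not part of RFC 3871: a minimal filter that matches on the IPv4 protocol field, as Section 2.8.1 requires, and logs each filter action with the receiving interface. The addresses, the interface name `eth0`, the rule format and all function names are constructed for illustration. The third packet shows one of the negative side effects the Examples text alludes to: a blanket ICMP drop also discards the "fragmentation needed" message that path MTU discovery relies on.

```python
import ipaddress
import struct

ICMP, TCP = 1, 6  # IANA-assigned IP protocol numbers

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed test packet: 20-byte IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def filter_packet(packet, iface, rules, log):
    """First matching (protocol, dst_net, action) rule wins; default is permit."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        log.append((iface, "drop", "malformed IPv4 header"))
        return "drop"
    proto = packet[9]  # protocol field: byte offset 9 of the IPv4 header
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    for rule_proto, dst_net, action in rules:
        if proto == rule_proto and dst in ipaddress.ip_network(dst_net):
            # Record the filter action together with the receiving interface
            log.append((iface, action, f"proto={proto} {src} -> {dst}"))
            return action
    return "permit"

def demo():
    victim = "192.0.2.10"  # documentation address (RFC 5737), constructed
    rules = [(ICMP, victim + "/32", "drop")]
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1])           # ICMP echo request
    frag_needed = bytes([3, 4, 0, 0, 0, 0, 5, 220])  # ICMP type 3, code 4
    packets = [
        build_ipv4(ICMP, "198.51.100.7", victim, echo),         # flood traffic
        build_ipv4(TCP, "198.51.100.7", victim),                # other protocol
        build_ipv4(ICMP, "203.0.113.1", victim, frag_needed),   # PMTUD signal
        build_ipv4(ICMP, "198.51.100.7", "192.0.2.20", echo),   # other host
    ]
    log = []
    verdicts = [filter_packet(p, "eth0", rules, log) for p in packets]
    return verdicts, log

if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    for entry in log:
        print(entry)
```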



