RFC 3871           Operational Security Requirements      September 2004
      example is the ability to control what services are allowed in/out
      of a network.  It may be desirable to only allow inbound
      connections on port 80 (HTTP) and 443 (HTTPS) to a network hosting
      web servers.
   Warnings.
      None.
2.8.4.  Ability to Filter Inbound and Outbound
   Requirement.
      It MUST be possible to filter both incoming and outgoing traffic
      on any interface.
   Justification.
      This requirement allows flexibility in applying filters at the
      place that makes the most sense.  It allows invalid or malicious
      traffic to be dropped as close to the source as possible.
   Examples.
      It might be desirable on a border router, for example, to apply an
      egress filter outbound on the interface that connects a site to
      its external ISP to drop outbound traffic that does not have a
      valid internal source address.  Inbound, it might be desirable to
      apply a filter that blocks all traffic from a site that is known
      to forward or originate lots of junk mail.
   Warnings.
      None.
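The border-router case in the Examples above, modelled as an added example (not part of RFC 3871): each interface carries separate inbound and outbound filter lists, so the egress source check and the junk-mail block both sit on the ISP-facing interface. The interface names, the documentation prefixes, and the first-match, default-permit evaluation are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "drop"
    prefix: str           # source prefix the rule tests
    negate: bool = False  # True: match sources OUTSIDE the prefix

    def matches(self, src: str) -> bool:
        inside = ipaddress.ip_address(src) in ipaddress.ip_network(self.prefix)
        return inside != self.negate

class Interface:
    """One router interface with independent inbound and outbound filters."""
    def __init__(self, name: str):
        self.name = name
        self.filters = {"in": [], "out": []}

    def check(self, direction: str, src: str) -> str:
        for rule in self.filters[direction]:   # first match wins
            if rule.matches(src):
                return rule.action
        return "permit"                        # model default: no match, no drop

def forward(ingress: Interface, egress: Interface, src: str):
    """Return (verdict, filter point) for a packet crossing the router."""
    if ingress.check("in", src) == "drop":
        return ("drop", f"{ingress.name}/in")
    if egress.check("out", src) == "drop":
        return ("drop", f"{egress.name}/out")
    return ("permit", None)

# Constructed topology: documentation prefixes, hypothetical interface names.
SITE_PREFIX = "192.0.2.0/24"      # assumed internal address block
JUNK_PREFIX = "203.0.113.0/24"    # assumed junk-mail source site
lan0, ext0 = Interface("lan0"), Interface("ext0")
# Egress filter on the ISP-facing interface: drop non-internal sources.
ext0.filters["out"].append(Rule("drop", SITE_PREFIX, negate=True))
# Inbound filter on the same interface: drop the junk-mail site.
ext0.filters["in"].append(Rule("drop", JUNK_PREFIX))

if __name__ == "__main__":
    for src, a, b in [("192.0.2.10", lan0, ext0), ("198.51.100.7", lan0, ext0),
                      ("203.0.113.25", ext0, lan0), ("198.51.100.7", ext0, lan0)]:
        print(src, a.name, "->", b.name, forward(a, b, src))
```

The second test packet leaves the site with a source address outside the internal block and is dropped at ext0/out, the filter point closest to its source that this router controls.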
2.9.  Packet Filtering Counter Requirements
2.9.1.  Ability to Accurately Count Filter Hits
   Requirement.
      The device MUST supply a facility for accurately counting all
      filter hits.
Jones                        Informational                     [Page 43]



