RFC 3871           Operational Security Requirements      September 2004
   Justification.
      Accurate counting of filter rule matches is important because it
      shows the frequency of attempts to violate policy.  This enables
      resources to be focused on areas of greatest need.
   Examples.
      Assume, for example, that an ISP network implements anti-spoofing
      egress filters (see [RFC2827]) on interfaces of its edge routers
      that support single-homed stub networks.  Counters could enable
      the ISP to detect cases where large numbers of spoofed packets are
      being sent.  This may indicate that the customer is performing
      potentially malicious actions (possibly in violation of the ISP's
      Acceptable Use Policy), or that system(s) on the customer's network
      have been "owned" by hackers and are being (mis)used to launch
      attacks.
   Warnings.
      None.
2.9.2.  Ability to Display Filter Counters
   Requirement.
      The device MUST provide a mechanism to display filter counters.
   Justification.
      Information that is collected is not useful unless it can be
      displayed in a useful manner.
   Examples.
      Assume there is a router with four interfaces.  One is an uplink
      to an ISP providing routes to the Internet.  The other three
      connect to separate internal networks.  Assume that a host on one
      of the internal networks has been compromised by a hacker and is
      sending traffic with bogus source addresses.  In such a situation,
      it might be desirable to apply ingress filters to each of the
      internal interfaces.  Once the filters are in place, the counters
      can be examined to determine the source (inbound interface) of the
      bogus packets.
   Warnings.
      None.
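
   The counter comparison described in the two examples above, as an
   added sketch that is not part of RFC 3871.  The counter output
   format, interface names, rule name and 32-bit counter width are
   constructed assumptions, not any vendor's actual display.

```python
import re

COUNTER_BITS = 32  # assumption: the device exposes 32-bit wrapping counters

# Constructed counter displays taken at two polls; the format is hypothetical.
SNAPSHOT_T0 = """\
interface=int1 rule=deny-bogus-src packets=120
interface=int2 rule=deny-bogus-src packets=4294967000
interface=int3 rule=deny-bogus-src packets=7
"""
SNAPSHOT_T1 = """\
interface=int1 rule=deny-bogus-src packets=123
interface=int2 rule=deny-bogus-src packets=51704
interface=int3 rule=deny-bogus-src packets=7
"""

LINE_RE = re.compile(r"interface=(\S+) rule=(\S+) packets=(\d+)$")

def parse_counters(text):
    """Return {(interface, rule): packets} for one displayed snapshot."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that are not counter rows
            counters[(m.group(1), m.group(2))] = int(m.group(3))
    return counters

def deltas(before, after, bits=COUNTER_BITS):
    """Increase per (interface, rule) between polls, tolerating one wrap.

    A counter reset (e.g. reboot) is indistinguishable from a wrap here,
    so poll often enough that at most one wrap can occur per interval.
    """
    modulus = 1 << bits
    return {k: (after[k] - before[k]) % modulus for k in after if k in before}

def suspect_interfaces(before_text, after_text, threshold):
    """Interfaces whose filter hits grew by >= threshold, busiest first."""
    d = deltas(parse_counters(before_text), parse_counters(after_text))
    hits = [(iface, n) for (iface, _rule), n in d.items() if n >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for iface, n in suspect_interfaces(SNAPSHOT_T0, SNAPSHOT_T1, threshold=1000):
        print(f"{iface}: {n} packets matched the ingress filter since last poll")
```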
Jones                        Informational                     [Page 44]



