What IPS engines and Layer 2 Firewalls do

An IPS engine or a Layer 2 Firewall picks up and examines network traffic in real time. Layer 2 Firewalls and IPS engines perform event correlation and analysis for traffic they inspect.

Note: Layer 2 Firewalls are basic firewalls with a limited set of features. They provide access control and deep inspection of traffic. More advanced firewall features such as VPNs and authentication are not supported on Layer 2 Firewalls.

Layer 2 Firewalls and IPS engines detect known attacks using attack signatures that are augmented with protocol awareness to form attack fingerprints. Protocol awareness decreases the number of false positives compared to simple signatures. Each pattern is applied only to the correct type of traffic. For example, an attack that uses HTTP can be detected when the pattern is seen in HTTP traffic. The HTTP pattern does not falsely match an email message header transported over SMTP.

While fingerprinting accurately detects known attacks, it does not detect attacks that are not yet known. IPS and Layer 2 Firewall engines provide two types of anomaly detection to complement fingerprinting:

  • Protocol analysis identifies violations in network communications, such as unexpected data, incorrect connection states, and additional or invalid characters. Detecting such violations is useful because many attacks purposely violate standards to trigger abnormal operating responses in vulnerable target systems.
  • Statistical anomaly detection gathers traffic statistics to detect events such as slow scans and an unusual number of connections. This method tracks patterns based on the frequency and sequence of events, or the occurrence of sets of related events within a specified time range. For example, many connection attempts from one host to many ports and IP addresses indicate a network scan.
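As an added illustration (not code from the original documentation or the product), the two mechanisms above in a few lines of Python: a fingerprint that only matches inside its own protocol context, and a sliding-window counter that flags a host contacting many distinct address/port pairs. The event records, the path-traversal pattern and the threshold of 20 targets within 10 seconds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (time_s, src, dst, dport, protocol, payload)
EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", 80, "HTTP", "GET /app/../../etc/passwd HTTP/1.1"),
    (0.2, "10.0.0.6", "192.0.2.20", 25, "SMTP", "Subject: fix for the ../../etc/passwd bug report"),
    (0.4, "10.0.0.7", "192.0.2.10", 80, "HTTP", "GET /index.html HTTP/1.1"),
] + [
    # one host touching 25 distinct (address, port) pairs within a few seconds
    (1.0 + i * 0.1, "10.0.0.9", f"192.0.2.{10 + i}", 1000 + i, "TCP", "")
    for i in range(25)
]

# A fingerprint is a signature pattern plus the protocol context it is valid in.
FINGERPRINTS = [
    {"name": "http-path-traversal", "protocol": "HTTP", "pattern": "../../"},
]


def match_fingerprints(events, fingerprints, protocol_aware=True):
    """Return (event_index, fingerprint_name) hits.

    With protocol_aware=False the pattern is applied to every payload, which is
    the plain-signature behaviour that also fires on the SMTP message above.
    """
    hits = []
    for i, (_, _, _, _, proto, payload) in enumerate(events):
        for fp in fingerprints:
            if protocol_aware and fp["protocol"] != proto:
                continue  # wrong protocol context: pattern not applied
            if fp["pattern"] in payload:
                hits.append((i, fp["name"]))
    return hits


def detect_scans(events, window_s=10.0, threshold=20):
    """Flag sources that reach >= threshold distinct (dst, port) pairs within window_s."""
    recent = defaultdict(deque)  # src -> deque of (time, target), oldest first
    flagged = set()
    for t, src, dst, dport, _, _ in sorted(events):
        q = recent[src]
        q.append((t, (dst, dport)))
        while q and t - q[0][0] > window_s:
            q.popleft()  # drop events that fell out of the time window
        if len({target for _, target in q}) >= threshold:
            flagged.add(src)
    return flagged
```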

Layer 2 Firewalls and IPS engines can also initiate immediate responses to any threats that they detect. Depending on how they are installed, engines can also block traffic based on commands that other components send.