How IPS engines and Layer 2 Firewalls respond to incidents

There are various responses that an IPS engine and a Layer 2 Firewall can take when it detects traffic of interest. For example, they can log the connection or actively filter out the traffic.

Several responses are available:

  • As the mildest response, an event can be logged. The log entries can be used, for example, for generating statistical reports. Generating statistical reports might be appropriate, for example, for tracking trends in normal network traffic patterns.
  • A step up from a log entry is to generate an alert entry that can be escalated to administrators through multiple configurable alert channels. Alert channels include email, mobile phone text messaging (SMS), and SNMP, in addition to being used like log entries.
  • Also, logs and alerts can record the full packet headers and data payload for further analysis.
Note: Storing or viewing the packets’ payload can be illegal in some jurisdictions due to laws related to the privacy of communications.
  • Blacklisting makes it possible to block unwanted network traffic for a specified time. IPS engines and Layer 2 Firewalls can add entries to their own blacklists based on events in the traffic they inspect. They can also send blacklist requests to other NGFW Engines. Connections that match the blacklist are mainly stopped (depending on the enforcing component’s policy).

The available responses on an IPS engine or Layer 2 Firewall depend on the engine’s physical configuration.