Predefined quarantine responses

For Network IPS appliances, use the predefined quarantine responses to block intruders, Trojans, worms, and DDoS attacks. Each response adds a quarantine rule with a different scope, so choose the one whose rule matches the traffic you actually want to stop.

Table 1. Predefined quarantine responses

Quarantine Intruder
Stops inbound network traffic to a target from a specific intruder.

This response adds a quarantine rule that blocks the matching protocol traffic from the intruder IP address to the target IP address.

Use this response to prevent a known malicious intruder from establishing communication with a server.

This response is not suitable for blocking network sweep security events. Because each rule covers only one intruder-to-target pair, a sweep of a subnet by an intruder adds one rule per probed host, and the response does not effectively block the sweep.

Quarantine Trojan
Provides a method to stop network communication for a potentially infected host.

This response adds a quarantine rule that blocks traffic to a specific TCP or UDP port on a single victim for the specified duration.

Before you use this option, consider the false positive risk, because a misfire isolates a port on a legitimate host. Reserve it for periods when a zero-day or high-impact Trojan is spreading across the Internet.

Note: This response does not apply to ICMP traffic.

Quarantine Worm
Provides a method to limit the spread of a network worm that is attempting to propagate.

This response adds a quarantine rule that blocks traffic to a specific TCP or UDP port from a single intruder for the specified duration.

It is suitable for blocking a botnet host that is attempting to establish a conversation with a zombie or with a potentially vulnerable network service.

Note: This response does not apply to ICMP traffic.

Quarantine DDOS (Distributed Denial of Service)
Blocks traffic from an intruder that is related to a specific attack.

This response is suitable for blocking DDoS events and also reduces the reporting load: matching events from the same intruder are silently blocked and are not reported again while the quarantine rule is active.

Note: The Quarantine DDOS predefined response functions for security events only and not for any other type of event.
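The scope of each rule decides what a response can and cannot stop. The model below is an added example, not the appliance's code: it pins the packet fields each response's rule is described as matching (intruder and target for Quarantine Intruder, victim and port for Quarantine Trojan, intruder and port for Quarantine Worm, intruder and attack for Quarantine DDOS), lets rules lapse after their duration, and replays a subnet sweep, a SYN flood and an ICMP event against it. It assumes the Trojan rule matches any source and the Worm rule any destination, as their descriptions imply; the addresses, the port numbers and the attack name are constructed.

```python
"""Model of the four predefined quarantine responses (constructed example, not
appliance code): each rule pins some packet fields and lapses after a duration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTRUDER = "203.0.113.5"  # constructed attacker address
VICTIM = "192.0.2.10"     # constructed host inside the 192.0.2.0/24 victim subnet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # ICMP carries no port

@dataclass(frozen=True)
class Rule:
    src: Optional[str]           # None pins nothing ("any")
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    attack: Optional[str]        # only Quarantine DDOS pins the attack name
    expires: float

    def matches(self, pkt: Packet, now: float, attack: Optional[str] = None) -> bool:
        if now >= self.expires:  # rule has lapsed
            return False
        pins = ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto),
                (self.dport, pkt.dport), (self.attack, attack))
        return all(want is None or want == got for want, got in pins)

class QuarantineTable:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def is_blocked(self, pkt: Packet, now: float, attack: Optional[str] = None) -> bool:
        return any(r.matches(pkt, now, attack) for r in self.rules)

    def quarantine_intruder(self, pkt: Packet, now: float, dur: float) -> None:
        # intruder -> target for the matching protocol: one rule per pair
        self.rules.append(Rule(pkt.src, pkt.dst, pkt.proto, None, None, now + dur))

    def quarantine_trojan(self, pkt: Packet, now: float, dur: float) -> bool:
        # one TCP/UDP port on a single victim (assumed: any source); no ICMP
        if pkt.proto not in ("tcp", "udp"):
            return False
        self.rules.append(Rule(None, pkt.dst, pkt.proto, pkt.dport, None, now + dur))
        return True

    def quarantine_worm(self, pkt: Packet, now: float, dur: float) -> bool:
        # one TCP/UDP port from a single intruder (assumed: any destination); no ICMP
        if pkt.proto not in ("tcp", "udp"):
            return False
        self.rules.append(Rule(pkt.src, None, pkt.proto, pkt.dport, None, now + dur))
        return True

    def ddos_event(self, pkt: Packet, attack: str, now: float, dur: float) -> bool:
        """Security event `attack` from pkt.src: True if reported to the console,
        False if an active rule for that intruder and attack silenced it."""
        if self.is_blocked(pkt, now, attack):
            return False
        self.rules.append(Rule(pkt.src, None, None, None, attack, now + dur))
        return True

def simulate_sweep(response: str, hosts: int = 254, dur: float = 3600.0) -> Tuple[int, int]:
    """Intruder probes TCP/445 on every host of 192.0.2.0/24, one per second; each
    probe not already blocked raises an event that fires `response` ("intruder"
    or "worm"). Returns (probes that got through, rules added)."""
    table = QuarantineTable()
    fire = getattr(table, "quarantine_" + response)
    got_through = 0
    for i in range(1, hosts + 1):
        pkt = Packet(INTRUDER, f"192.0.2.{i}", "tcp", 445)
        if not table.is_blocked(pkt, float(i)):
            got_through += 1
            fire(pkt, float(i), dur)
    return got_through, len(table.rules)

def simulate_flood(packets: int = 1000, dur: float = 600.0) -> Tuple[int, int]:
    """One intruder sends a SYN flood, one packet per second, longer than the rule
    lasts. Returns (events reported, events silently blocked)."""
    table = QuarantineTable()
    reported = sum(table.ddos_event(Packet(INTRUDER, VICTIM, "tcp", 80), "SYN_Flood", float(i), dur)
                   for i in range(packets))
    return reported, packets - reported

def trojan_rule_scope() -> Tuple[bool, bool, bool]:
    """(ICMP accepted?, other source to the port blocked?, still blocked at expiry?)"""
    table = QuarantineTable()
    icmp_ok = table.quarantine_trojan(Packet(INTRUDER, VICTIM, "icmp"), 0.0, 60.0)
    table.quarantine_trojan(Packet(INTRUDER, VICTIM, "tcp", 6667), 0.0, 60.0)
    other = Packet("198.51.100.8", VICTIM, "tcp", 6667)  # a different source host
    return icmp_ok, table.is_blocked(other, 1.0), table.is_blocked(other, 60.0)
```

Running the sweep with Quarantine Intruder lets all 254 probes through and leaves 254 rules behind, while Quarantine Worm stops it after the first probe with a single rule, which is the sweep caveat in the table made concrete. The flood run shows the reporting effect of Quarantine DDOS: only the first event is reported, the rest are silenced until the rule lapses and the next event is reported again. The Trojan check shows the ICMP event creating no rule, the port rule catching a second source, and the rule no longer matching once its duration has passed.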