E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the
mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed.
For example, the firewalls do not allow direct traffic from the Internet to the internal network.
The intrusion detection system (IDS) detects traffic for the internal network that did not originate
from the mail gateway. The FIRST action triggered by the IDS should be to:
alert the appropriate staff.
create an entry in the log.
Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1
is not functioning properly. This may have been caused by an attack from a hacker. Closing
firewall-2 is the first thing that should be done, thus preventing damage to the internal network.
After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger
the closing of firewall-2 either automatically or by manual intervention. Between the detection by
the IDS and a response from the system administrator valuable time can be lost, in which a hacker
could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that,
the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might
not be possible for the IDS to close it.
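The detection and response ordering described above, as an added example that is not part of the original text: the IDS flags any flow bound for the internal network whose source is not the mail gateway, closes firewall-2 before logging or alerting, and returns the actions in the order they were taken. The addresses and the FirewallTwo stand-in are constructed assumptions for the topology in the text.

```python
from dataclasses import dataclass
from typing import List

# Constructed addresses for the described topology (assumptions, not from the text).
MAIL_GATEWAY = "10.1.0.10"      # host between firewall-1 and firewall-2
INTERNAL_PREFIX = "10.2.0."     # internal network behind firewall-2


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


class FirewallTwo:
    """Minimal stand-in for firewall-2: passes traffic until the IDS closes it."""

    def __init__(self) -> None:
        self.closed = False

    def close(self) -> None:
        self.closed = True


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def suspicious(flow: Flow) -> bool:
    """Traffic for the internal network that did not originate from the mail gateway."""
    return is_internal(flow.dst) and flow.src != MAIL_GATEWAY


def ids_respond(flows: List[Flow], fw2: FirewallTwo, log: List[str], alerts: List[str]) -> List[str]:
    """Examine flows in order. On a suspicious flow: close firewall-2 first (only once),
    then write the log entry, then alert staff. Returns the ordered actions taken."""
    actions: List[str] = []
    for f in flows:
        if not suspicious(f):
            continue
        if not fw2.closed:
            fw2.close()                      # containment before anything else
            actions.append("close firewall-2")
        log.append(f"suspicious flow {f.src} -> {f.dst}:{f.dport}")
        actions.append("log")
        alerts.append(f"internal traffic not from mail gateway: {f.src}")
        actions.append("alert")
    return actions
```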