1. Deploy a technology that can see an attacker trying to communicate with malicious software (malware, etc.) already inside your network.
This system should be able to drop network traffic that does not pass your rules. A Next Generation Firewall (NGFW) with an integrated Intrusion Prevention System (IPS) can do this job.
2. Assign people to review the IPS and keep its rules current as your needs change.
Example: you buy new software that needs to communicate with the Internet in a particular way. That software will need a port opened on the NGFW, and the rule should be scoped to the specific source and destination hosts and port involved rather than opened for everyone.
IPS explained: a technology that can stop network traffic. It first detects traffic that matches a signature or rule and flags it for action; the action taken depends on the threat the traffic represents. Let's take a step back and discuss network traffic.
Every packet of TCP or UDP network traffic carries the following:
1. Source IP address
2. Source port number
3. Destination IP address
4. Destination port number
Together with the protocol (TCP or UDP), these four values tell us where a packet came from and where it is going.
An example: you open your favorite browser and go to Google.
The source IP is your computer, the source port is a high-numbered ephemeral port chosen by the operating system (not 80), the destination IP is a Google server, and the destination port is 80 for HTTP or 443 for HTTPS.
Another reason to get an IPS is that the PCI DSS lists it among its recommended best practices for maintaining compliance:
#1 Monitoring of security controls—such as firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), file-integrity monitoring (FIM), anti-virus, access controls, etc.—to ensure they are operating effectively and as intended.
What is the difference between an IDS and an IPS? An Intrusion Detection System (IDS) only detects and alerts on traffic, whereas an Intrusion Prevention System (IPS) can also drop it (block the packets or reset the connection).
The technical reason is straightforward: the IPS sits inline, so every connection has to travel through it and can be broken there. The difficulty is in knowing what to stop and what to leave alone. A few applications are also sensitive to anything sitting between client and server, although that is rare; most (web, email, file shares, remote connections) operate fine with an IPS in between.
Before turning on the blocking side of the IPS it is important to know what is present on the network as a baseline. So initially the IPS runs in detection-only mode, like an IDS; once you know what is actually running on the network, an initial Block/No Block list can be created.
The idea is to find the systems generating unexpected traffic, investigate them, and decide what to do with them (place the traffic in Block or No Block), so that in the future, when malware gets installed, its traffic has to get through this additional layer of defense.
Here is an image of malware contacting its Command and Control server:
The idea is for the IDS/IPS to detect that traffic and, in IPS mode, drop it.
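The detect-first, then block procedure above, and the Command and Control case it is meant to catch, as an added example that is not part of the original post. It is a toy inline IPS in Python: rules match on the destination side of the 5-tuple, a "detect" pass builds a baseline of who talks to what and reports what enforcement would have dropped, and an "enforce" pass actually drops. The flow records, the rule names and the 203.0.113.10 "C2" address are constructed sample data (RFC 5737 documentation ranges), not real indicators.

```python
"""Toy inline IPS: baseline in detect-only mode, then enforce a block list.

Added example, not from the original article. Flow records, rule names and
the "C2" address are constructed sample data (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto).
# Source ports are ephemeral (40000-60000 here), never 80/443.
SAMPLE_FLOWS = [
    ("10.0.0.12", 51234, "142.250.72.46", 443, "tcp"),   # browser to a web server
    ("10.0.0.12", 51235, "10.0.0.5", 445, "tcp"),        # internal file share
    ("10.0.0.25", 40001, "203.0.113.10", 6667, "tcp"),   # beacon to assumed C2 host
    ("10.0.0.25", 40002, "203.0.113.10", 6667, "tcp"),   # second beacon, same host
    ("10.0.0.30", 53000, "10.0.0.2", 53, "udp"),         # query to the internal resolver
    ("10.0.0.30", 53001, "198.51.100.7", 53, "udp"),     # DNS to an external resolver (suspicious)
    ("10.0.0.40", 40003, "198.51.100.20", 6667, "tcp"),  # IRC port, unknown host
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow", "alert" (log only) or "block" (drop)
    dst_net: str            # CIDR, or "any"
    dst_port: Optional[int] # None = any port
    proto: str              # "tcp", "udp" or "any"

    def matches(self, flow) -> bool:
        _src_ip, _src_port, dst_ip, dst_port, proto = flow
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.dst_net != "any" and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        return True


# Assumed rule set. Order matters: first match wins, so the explicit allow for
# the internal resolver must precede the rule that blocks all other UDP/53.
RULES = [
    Rule("known-c2-host", "block", "203.0.113.10/32", None, "any"),
    Rule("internal-dns", "allow", "10.0.0.2/32", 53, "udp"),
    Rule("irc-port-egress", "alert", "any", 6667, "tcp"),
    Rule("external-dns", "block", "any", 53, "udp"),
]


def verdict(flow, rules, mode):
    """Return (action, matching_rule). In 'detect' mode a block is downgraded
    to an alert, so the device behaves like an IDS while the baseline is built."""
    for rule in rules:
        if rule.matches(flow):
            action = rule.action
            if mode == "detect" and action == "block":
                action = "alert"
            return action, rule
    return "allow", None


def baseline(flows, rules=RULES):
    """Detect-only pass: record which (dst_ip, dst_port, proto) each internal host
    talks to, plus every rule hit with the action enforcement WOULD take.
    This is the raw material for the initial Block/No Block list."""
    talks_to = {}
    hits = []
    for flow in flows:
        talks_to.setdefault(flow[0], set()).add((flow[2], flow[3], flow[4]))
        action, rule = verdict(flow, rules, "detect")
        if action == "alert":
            hits.append((flow, rule.name, rule.action))
    return talks_to, hits


def enforce(flows, rules=RULES):
    """Inline pass: return (passed, dropped, alerts). Dropped flows never reach
    the destination; alerted flows pass but are logged for review."""
    passed, dropped, alerts = [], [], []
    for flow in flows:
        action, rule = verdict(flow, rules, "enforce")
        if action == "block":
            dropped.append((flow, rule.name))
        else:
            passed.append(flow)
            if action == "alert":
                alerts.append((flow, rule.name))
    return passed, dropped, alerts


if __name__ == "__main__":
    talks_to, hits = baseline(SAMPLE_FLOWS)
    for src, dsts in sorted(talks_to.items()):
        print(f"{src} talks to {sorted(dsts)}")
    for flow, name, would in hits:
        print(f"detect: {flow} hit {name}, enforcement would {would}")
    passed, dropped, alerts = enforce(SAMPLE_FLOWS)
    print(f"enforce: {len(passed)} passed, {len(dropped)} dropped, {len(alerts)} alerted")
```

The point of the two passes is visible in the sample data: the host 10.0.0.30 querying an external resolver would be silently dropped by `external-dns` if enforcement were switched on immediately, so the detect pass is where you find out whether that is a misconfigured client to fix or a legitimate exception that needs its own allow rule placed ahead of the block.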
It is a simple idea, yet difficult to implement correctly, which is why there are two steps. The second step is just as important: there need to be people behind the machines to review the traffic and ensure the system is running correctly.
Contact us to help you become PCI compliant.