
Thursday, 5 March 2020

IPS: essential protection for your client workstations



Viruses, spyware, Trojans, malicious code of all kinds: their number keeps growing, and the Internet is their main vector of propagation. The Google search engine alone is said to index several million infected web pages. This is hardly surprising when kits that let anyone develop and launch their own attack are openly sold. Becoming a cybercriminal is now within everyone's reach.


For a long time, workstation security was limited to an antivirus and a firewall. Today that level of protection is far from sufficient to secure the workstation and the data it holds. Because they rely on signature databases, antivirus products cannot keep pace with the creation of new malicious programs, and attackers adapt by using virus variants that bypass these traditional protections. Increasingly complex web browsers and office software are subject to exploitable security vulnerabilities. Computer threats are everywhere.

When attacks succeed, the harmful effects on the company are many: lower productivity, lower turnover, loss of credibility, a damaged image. Not to mention that the time spent eradicating the malware has a cost of its own.

Only intrusion detection and prevention systems (Host-based Intrusion Prevention Systems, or HIPS) can effectively protect client workstations from unknown threats, targeted attacks and zero-day attacks. Unlike an antivirus, a HIPS does not rely on signature databases but on a detection mechanism based on program behavior: it detects any program that behaves abnormally on the workstation and blocks it instantly, even before it runs. Your computers and the critical data they contain stay secure, and financial losses and potential damage to your business's reputation are limited.

Read More: ips security

Wednesday, 4 March 2020

Choosing an IDS/IPS solution for PCI DSS


Whether you opt for an NIDS or NIPS solution as an appliance, as software or as a firewall module, the criteria below must be taken into account when choosing and deploying a solution for incident monitoring in a PCI DSS compliance environment:


  • It must provide signature-based detection, anomaly analysis and stateful protocol analysis
  • It must be able to monitor the perimeter of the PCI DSS network and the segments considered critical; consider deploying separate sensors in each critical area to be monitored
  • It should allow customization of alerts and detection criteria, so that false positives can be managed and detection/prevention controls can be added beyond those supplied by the manufacturer
  • It must support regular updates of both its components and its signatures. Keep in mind that finalizing updates often requires rebooting the equipment, so manage updates as described in requirement 6.4.5 to avoid the control becoming unavailable and opening a vulnerability in the environment
  • For appliances, keep in mind the scalability of the device and the density of network ports, including management ports

The following practices are also recommended:


  • Before putting an IDS/IPS solution into production, define a “learning” period during which the device captures and analyzes traffic and gathers statistics on the network's normal behavior, in order to establish thresholds for anomaly detection
  • If an inline IDS/IPS is deployed, keep in mind that the equipment can become a single point of failure; it may be necessary to deploy devices in a high-availability configuration and to analyze equipment performance periodically to prevent bottlenecks
  • When monitoring traffic from open public networks, ensure the IDS/IPS sensor can see the traffic in clear text; encrypted traffic cannot otherwise be inspected
  • Ideally, the solution should integrate with the centralized logging system (requirements 10.5.3 and 10.5.4) and send alerts over different channels (email, SMS, etc.)
  • Check whether the solution integrates with other security devices, for example by reconfiguring firewall and switch rules in response to a detected intrusion
  • Analyze the solution's self-defense features against targeted attacks
  • If virtualization platforms are in use, consider the need to monitor the network segments on them as well (including virtual switches)
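As an added example (not part of the original post), the learning-period and false-positive bullets above in code: a baseline of per-segment connection rates is learned from constructed sample counts, then production counts are checked against a mean-plus-k-standard-deviations threshold. Segment names and counts are constructed, and the k multiplier and the standard-deviation floor are assumptions standing in for a vendor's own tuning controls.

```python
"""Learning-period baseline and anomaly thresholds (constructed example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    mean: float
    stdev: float


def learn_baseline(samples, min_stdev=1.0):
    """Learn a per-segment baseline from learning-period samples.

    samples maps a segment name to its per-minute new-connection counts.
    The stdev floor (an assumed tuning knob) keeps a zero-variance baseline,
    i.e. a quiet segment, from alerting on any deviation at all, which would
    inflate false positives.
    """
    return {
        segment: Baseline(mean(counts), max(pstdev(counts), min_stdev))
        for segment, counts in samples.items()
    }


def detect_anomalies(baselines, observations, k=3.0):
    """Flag counts above mean + k*stdev; k is the assumed tuning multiplier.

    A segment with no baseline is flagged too: if the sensor never saw it
    during the learning period, it has no notion of normal for it.
    """
    alerts = []
    for segment, count in observations:
        base = baselines.get(segment)
        if base is None:
            alerts.append((segment, count, "no baseline learned"))
            continue
        threshold = base.mean + k * base.stdev
        if count > threshold:
            alerts.append((segment, count, f"exceeds threshold {threshold:.1f}"))
    return alerts


# Constructed learning-period data: per-minute connection counts per segment.
LEARNING = {
    "cde-db": [40, 42, 38, 41, 39, 40, 43, 37],
    "dmz-web": [300, 320, 280, 310, 290, 305, 315, 295],
    "mgmt": [5, 5, 5, 5, 5, 5, 5, 5],  # quiet segment, zero variance
}
# Constructed production observations, including a segment never baselined.
OBSERVED = [("cde-db", 41), ("cde-db", 120), ("dmz-web", 330),
            ("mgmt", 7), ("mgmt", 30), ("wifi-guest", 50)]
```

With these inputs the dmz-web burst of 330 stays under its learned threshold, while the jump on the quiet mgmt segment and the unbaselined wifi-guest segment both raise alerts.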