WAF vs IPS


Organizations are wondering whether an IDS/IPS is enough to protect their services or whether it is better to deploy a Web Application Firewall (WAF). They also ask whether deploying a WAF would save money because the IDS/IPS infrastructure would no longer be necessary. However, attacks occur at different layers, so web application protection alone is not enough against network attacks. For instance, malicious intruders may start with a DoS attack and later launch a layer 7 attack such as SQLi or XSS. Therefore, we should provide security at all layers. Otherwise, organizations have a closed gate with no fence around it.

IDS were developed in the mid-80s by the U.S. Air Force because they needed behavioral analysis to increase computer security awareness. At first, they only analysed system logs to detect anomalies and attacks. Next, they started analysing network traffic as well. In the 90s the IDS evolved into the IPS, which was also able to find and stop attacks in real time. Snort was one of the first open source IDS/IPS available. Today, most NGFWs have a built-in IDS/IPS based on attack signatures, which can intercept files and network activity to prevent malicious attacks.

As web applications were published to the Internet, secure Internet gateways and network firewalls became more widely used in the late 90s, because web applications were designed without thinking about security and most of them had serious vulnerabilities. WAFs have greatly matured since then. Today, WAFs can understand the web application logic and block everything that does not match it. Therefore, WAFs can block malicious attacks by matching traffic against attack signatures (negative security), but they can also block malicious traffic by matching it against the application logic (positive security).

An IPS does not understand the underlying applications, so it knows nothing about entities such as parameters, URLs, file types, cookies or redirections. A WAF, however, can protect those entities and block sophisticated attacks such as web scraping, SQLi, XSS, CSRF, etc. For instance, an IPS can analyse HTTP traffic looking for the most common web application vulnerabilities, but a WAF can also analyse HTTP traffic looking at parameter values, parameter sizes, cookie signatures, and so on.
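To make the negative/positive distinction from the two paragraphs above concrete, here is an added example (not code from the original post) that inspects the same request under both models. The attack signatures and the per-URL application model are constructed for illustration and are not a real WAF ruleset.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Negative security: a small, constructed signature list (illustrative only).
SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script\b"),
]

# Positive security: a constructed model of what the application accepts.
# path -> parameter name -> (allowed value pattern, maximum length)
APP_MODEL = {
    "/login": {"user": (re.compile(r"[a-z0-9_]+"), 32),
               "pw": (re.compile(r".+"), 128)},
    "/search": {"q": (re.compile(r"[\w ]+"), 64)},
}

def negative_check(url):
    """Block only when a known attack signature appears in the decoded URL."""
    decoded = unquote_plus(url)
    return "block" if any(s.search(decoded) for s in SIGNATURES) else "allow"

def positive_check(url):
    """Block anything outside the application model: an unknown path,
    an unknown parameter, a value of the wrong format, or an oversized value."""
    parts = urlsplit(url)
    model = APP_MODEL.get(parts.path)
    if model is None:
        return "block"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in model:
            return "block"
        pattern, max_len = model[name]
        for value in values:
            if len(value) > max_len or not pattern.fullmatch(value):
                return "block"
    return "allow"

def inspect(url):
    """Return the verdict of each model so the two can be compared side by side."""
    return {"negative": negative_check(url), "positive": positive_check(url)}

if __name__ == "__main__":
    for u in ("/search?q=blue+widgets", "/search?q=x%27+UNION+SELECT+1--",
              "/search?q=blue&debug=1"):
        print(u, inspect(u))
```

The third request carries no known signature and passes the negative model, yet the positive model blocks it because `debug` is not a parameter the application defines.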

The best security protection involves both an IPS and a WAF. Although some commercial WAFs like F5 BIG-IP WAF or Imperva WAF have IPS features, it is much better to deploy both separately for comprehensive protection, because the IPS protects the most commonly used Internet protocols, such as DNS, SMTP, SSH, Telnet and FTP, while the WAF protects applications against web-based threats.

WAF solutions are mainly designed to prevent attacks against web applications, while IPS are purely designed to inspect network traffic. Therefore, both may block known and common attacks. However, if we want to protect companies from sophisticated attacks, we will have to deploy an IPS and a WAF, as well as an IDS. This is a best practice of layered defenses. Nevertheless, if your company has neither, the WAF would provide the best application protection overall.

Regards, my friends. Let me know what you are wondering!