Both WAF and IPS are security solutions that aim to secure the connection between a client and a server (web application). Both monitor traffic to and from web applications or servers. The main difference is that an Intrusion Prevention System (IPS) is fundamentally based on signatures and is unaware of the sessions and users attempting to access a web application. The Web Application Firewall (WAF), on the other hand, is aware of sessions, users and applications that are trying to access a web app.
The main gap between these two technologies is the level of intelligence for Layer 7 traffic analysis.
Why do we need WAF and IPS security systems?
One of a company’s most valuable assets (if not the most) is its data. Therefore, attackers often try different methods to attack a corporate network and access their valuable information.
The new types of “hacking weapons” that carry out cyber attacks have become so diversified that it is no longer enough to put a Firewall or any NGFW (Next-Generation Firewall) on the edge of our network. Antivirus software has also long played a key role in security, but it is not enough to stop major attacks.
Now the attacks happen in different “layers” in the network protocols, and for this we need different defense systems for each type of traffic. The fact that more and more companies have their permanent business in web applications can make them even more vulnerable.
In an ideal world, the code of our web applications should have no security “gaps” that could put us or our data at risk. But it is practically impossible to have 100% protected apps, so you need external protection as well. The more security barriers there are between us and an attacker, the more peace of mind we will have.
What options exist today to protect our companies’ servers (and even data centers) from a large number of threats to our data?
Let’s talk about two options: Web Application Firewall (WAF) and Intrusion Prevention System (IPS). Let’s see them in detail.
Web Application Firewall (WAF)
Web Application Firewall (WAF) is a solution (hardware or software) that acts as an intermediary between external users and web applications. This means that all HTTP (request-response) communications are analyzed by the WAF before reaching web apps or users.
To monitor and analyze HTTP traffic, the WAF applies a set of previously defined rules that make it possible to detect malicious HTTP requests such as Cross-Site Scripting (XSS), SQL Injection, DoS or DDoS attacks, cookie manipulation, and many others.
Once the WAF detects a threat, it blocks the traffic, rejecting the malicious web request or the response that would expose sensitive data. If there are no threats or attacks, all your traffic should flow normally, so that all inspection and protection is transparent to users.
WAF recognizes legitimate web traffic and lets it through. It does not affect the day-to-day operations of corporate web applications.
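As an added example (not code from the original article), the following Python sketch shows how the two things that distinguish a WAF fit together: signature rules applied to decoded HTTP request fields, and session-aware checks (cookie integrity and a per-session rate limit) that a signature-only device cannot do. The rule patterns, the `HttpRequest` fields and the sample requests are all constructed for illustration and are far simpler than a production rule set.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote


@dataclass
class HttpRequest:
    """A minimal request model (constructed for this example)."""
    method: str
    path: str
    query: str = ""              # raw query string, still URL-encoded
    body: str = ""               # raw form body, still URL-encoded
    cookies: dict = field(default_factory=dict)
    session_id: str = ""
    timestamp: float = 0.0       # seconds; used for the per-session rate limit


# Signature rules (constructed and illustrative; real rule sets are much larger).
RULES = [
    ("sqli-tautology", re.compile(r"(?i)('|\")\s*or\s+\d+\s*=\s*\d+")),
    ("sqli-comment", re.compile(r"(?i)(union\s+select|--\s|/\*)")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(load|error|click)\s*=")),
]


class MiniWaf:
    def __init__(self, rate_limit=5, window=10.0):
        self.rate_limit = rate_limit             # requests allowed per session per window
        self.window = window                     # window length in seconds
        self.seen = defaultdict(deque)           # session id -> recent request timestamps
        self.issued_cookies = {}                 # session id -> role cookie the app issued

    def _decoded_fields(self, req):
        # Rules run on decoded values so URL-encoding alone cannot hide a pattern.
        yield "path", unquote(req.path)
        for name, value in parse_qsl(req.query, keep_blank_values=True):
            yield f"query:{name}", value
        for name, value in parse_qsl(req.body, keep_blank_values=True):
            yield f"body:{name}", value
        for name, value in req.cookies.items():
            yield f"cookie:{name}", value

    def inspect(self, req):
        """Return ("allow", "") or ("block", reason)."""
        # 1. Signature matching on every decoded field.
        for field_name, value in self._decoded_fields(req):
            for rule_name, pattern in RULES:
                if pattern.search(value):
                    return ("block", f"{rule_name} in {field_name}")
        # 2. Session-aware checks, which need state across requests.
        if req.session_id:
            expected = self.issued_cookies.get(req.session_id)
            if expected is not None and req.cookies.get("role") != expected:
                return ("block", "cookie manipulation: role cookie changed")
            recent = self.seen[req.session_id]
            while recent and req.timestamp - recent[0] > self.window:
                recent.popleft()
            recent.append(req.timestamp)
            if len(recent) > self.rate_limit:
                return ("block", "rate limit exceeded for session")
        return ("allow", "")


def run_demo():
    """Run constructed sample requests through the WAF and return the verdicts."""
    waf = MiniWaf(rate_limit=5, window=10.0)
    waf.issued_cookies["sess-A"] = "user"   # the role the application gave session A
    requests = [
        HttpRequest("GET", "/search", query="q=shoes", session_id="sess-A",
                    cookies={"role": "user"}, timestamp=1.0),
        HttpRequest("GET", "/search", query="q=%27+OR+1%3D1+--", timestamp=2.0),
        HttpRequest("POST", "/comment",
                    body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E", timestamp=3.0),
        HttpRequest("GET", "/account", session_id="sess-A",
                    cookies={"role": "admin"}, timestamp=4.0),
    ]
    results = [waf.inspect(r) for r in requests]
    # A burst from one session: the sixth request inside the window is blocked.
    burst = [waf.inspect(HttpRequest("GET", "/api/items", session_id="sess-B",
                                     timestamp=10.0 + i)) for i in range(6)]
    results.append(burst[-1])
    return results


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

The order of checks matters: signatures are cheap and stateless, so they run first, while the session checks require the WAF to remember what cookies it issued and how many requests each session has made. That remembered state is exactly what the article means by a WAF being "aware of sessions, users and applications".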
Intrusion Prevention System (IPS)
In the case of the Intrusion Prevention System (IPS), this is a more generic security device or software. It protects traffic of a wide variety of protocol types, such as DNS, SMTP, TELNET, RDP, SSH, and FTP, among others.
IPS detects malicious traffic using different methods, for example:
- Signature-based detection: IPS uses signature-based detection just like antivirus does. It can recognize a known threat and notify the administrator. For this method to work correctly, the signature database must be kept up to date.
- Policy-based detection: IPS requires that security policies be declared very specifically. IPS recognizes traffic outside of these criteria and automatically rejects abnormal behavior or unusual traffic.
- Anomaly-based detection: Based on a model of normal traffic behavior, this method can be used in two ways, automatic or manual. In automatic mode the IPS performs statistical analyses and establishes a baseline for comparison; when traffic strays too far from this baseline, it sends an alert. The other way is to set the normal traffic behavior manually, so that alerts are sent when traffic, once again, strays from this rule. The disadvantage of the manual mode is that, being less flexible and dynamic, it can produce false alarms.
- Honeypot detection: Works by using a computer configured to attract attackers' attention without compromising the security of real systems. Using this decoy, attacks can be monitored and analyzed so that, once identified, they can be used to establish new policies.
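The first three detection methods above, as an added example in Python that is not from the original article: a small IPS engine evaluates per-flow records against byte-pattern signatures, a declared policy of permitted services, and an anomaly model that is learned automatically for one service and set manually for another. The `Flow` record, the two signatures, the policy and the baseline sizes are all constructed for illustration; honeypot detection is not modelled here because it is an infrastructure decision rather than an inspection rule.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    """One network flow summary (constructed model for this example)."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    nbytes: int           # bytes transferred in the flow
    payload: bytes = b""  # first payload bytes, used for signature matching


# Signature-based: byte patterns for known-bad protocol usage (constructed, illustrative).
SIGNATURES = [
    ("ftp-site-exec", re.compile(rb"\bSITE\s+EXEC\b", re.I)),
    ("smtp-vrfy-enumeration", re.compile(rb"^VRFY\s", re.I | re.M)),
]


class MiniIps:
    def __init__(self, policy, auto_baselines, manual_limits, z_threshold=3.0):
        self.policy = set(policy)                 # permitted (proto, dport) pairs
        self.z_threshold = z_threshold
        # Automatic anomaly mode: learn mean and standard deviation of flow size per service.
        self.models = {
            key: (statistics.fmean(sizes), statistics.pstdev(sizes))
            for key, sizes in auto_baselines.items()
        }
        # Manual anomaly mode: operator-declared byte ceilings per service.
        self.manual_limits = dict(manual_limits)

    def inspect(self, flow):
        """Return ("drop", reason), ("alert", reason) or ("allow", "")."""
        key = (flow.proto, flow.dport)
        # 1. Signature-based detection on the payload bytes.
        for name, pattern in SIGNATURES:
            if pattern.search(flow.payload):
                return ("drop", f"signature:{name}")
        # 2. Policy-based detection: anything outside the declared services is rejected.
        if key not in self.policy:
            return ("drop", f"policy:{flow.proto}/{flow.dport} not permitted")
        # 3a. Anomaly-based, automatic: z-score against the learned baseline.
        if key in self.models:
            mean, stdev = self.models[key]
            z = (flow.nbytes - mean) / stdev if stdev else 0.0
            if abs(z) > self.z_threshold:
                return ("alert", f"anomaly-auto:z={z:.1f}")
        # 3b. Anomaly-based, manual: a fixed ceiling set by the operator.
        elif key in self.manual_limits and flow.nbytes > self.manual_limits[key]:
            return ("alert", f"anomaly-manual:{flow.nbytes}>{self.manual_limits[key]}")
        return ("allow", "")


def run_demo():
    """Evaluate constructed sample flows and return the verdicts in order."""
    ips = MiniIps(
        policy={("udp", 53), ("tcp", 25), ("tcp", 22), ("tcp", 21)},
        # Constructed training data: typical DNS flow sizes in bytes (mean 122.5, stdev 7.5).
        auto_baselines={("udp", 53): [120, 130, 110, 125, 115, 135, 120, 125]},
        manual_limits={("tcp", 22): 50_000_000},
    )
    flows = [
        Flow("10.0.0.5", "10.0.0.53", "udp", 53, 118),                        # normal DNS query
        Flow("198.51.100.7", "10.0.0.21", "tcp", 21, 64, b"SITE EXEC\r\n"),   # signature hit
        Flow("198.51.100.7", "10.0.0.25", "tcp", 25, 80, b"VRFY admin\r\n"),  # signature hit
        Flow("198.51.100.9", "10.0.0.10", "tcp", 23, 40),                      # telnet not in policy
        Flow("10.0.0.8", "10.0.0.53", "udp", 53, 4000),                        # DNS flow far above baseline
        Flow("10.0.0.9", "10.0.0.22", "tcp", 22, 80_000_000),                  # exceeds manual SSH ceiling
        Flow("10.0.0.9", "10.0.0.22", "tcp", 22, 2_000_000),                   # normal SSH session
    ]
    return [ips.inspect(f) for f in flows]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

Notice that the engine never looks at HTTP sessions or users: it sees ports, protocols, bytes and payload patterns, which is the article's point about where an IPS stops and a WAF begins. The manual ceiling also illustrates the stated weakness of manual mode: a legitimately large SSH transfer raises the same alert as a suspicious one.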
An IPS device can be used to enhance security and support a firewall. As shown in the image below, it blocks all anomalous traffic from the internet, which has not been blocked by the first line of defense or the firewall.
What’s my best option?
It goes without saying that both solutions add an extra layer of security to our network, but they work on different types of traffic. So instead of competing, they complement each other. While an IPS protects a broader range of traffic, there is a very specific kind that only a WAF can handle. Therefore, we highly recommend having both solutions, especially if the systems in your environment work closely with the web.
The chart below shows a quick comparison of both solutions.
The challenge is to select the right WAF hardware system to effectively execute software-based security mechanisms. The most practical way to protect the corporate data center from hackers is to implement software-hardware or hybrid solutions.
When choosing a web application firewall, consider the following requirements:
- SSL Acceleration: SSL is critical to a WAF, and SSL acceleration offloads the heavy public-key cryptography from the CPU. For best performance in security implementations, a hardware accelerator is recommended.
- DPI: Since the WAF sits between the corporate server and the users, one of its main missions is to monitor the traffic and block any malicious attempts. This requires efficient Deep Packet Inspection (DPI) supported by powerful hardware.
- High Performance: Because DPI and SSL are both CPU-intensive, the hardware architecture for WAF deployments must offer dedicated processing capacity to run the security software.
- High Availability: A WAF operates 24/7, so high availability (for example, redundant power) is critical to an optimal WAF deployment.
- Scalability: Because web application services expand as the customer base grows, enterprise WAFs must scale through hardware to increase performance and accelerate critical applications in the simplest way.
Choosing tiered protection should give you more confidence and peace of mind.
In conclusion, a WAF is great for securing HTTP applications and is generally used to protect servers. It is aware of web traffic such as HTTP GET, POST, URLs, SSL and more. An IPS, on the other hand, provides protection for a wide range of network protocols and can perform raw protocol decryption and find abnormal behavior, but is unaware of sessions (GET/POST), users, or even apps.
Integrated solutions can be hardware, software or hybrid based. These solutions give you the best of both worlds.