
Intrusion Detection FAQ: What is the difference between an IPS and a Web Application Firewall?

Jim McMillan
November 2009

Introduction

We are all somewhat familiar with Intrusion Prevention Systems (IPSs). But what is all this talk of Web Application Firewalls (WAFs)? What is a Web Application Firewall, and how does it differ from an IPS? First, let's take a quick look at intrusion prevention, its benefits and some of its shortcomings. Then we will discuss WAFs and how they differ from and augment IPSs.

Intrusion Prevention System (IPS)

An IPS generally sits in-line and inspects network traffic as the packets flow through it. Like an Intrusion Detection System (IDS), it matches data in the packets against a signature database or looks for anomalies relative to a pre-defined baseline of "normal" traffic. Unlike an IDS, however, an IPS can do more than log and alert: it can be configured to react to what it detects, for example by dropping the packet or resetting the connection. This ability to act on a detection rather than merely report it is what makes an IPS more desirable than an IDS.

An IPS still has drawbacks. It is designed to block the types of traffic it can identify as potentially malicious, and while many IPSs decode HTTP, they have little understanding of the logic of the web application behind it, such as what a given parameter is supposed to contain or what a valid session looks like. An IPS therefore cannot fully distinguish a normal request from a malformed or malicious one at the application layer (OSI Layer 7). This shortcoming can let attacks through undetected and unprevented, especially newer attacks for which no signature exists yet.

Because there are a large number of web applications in existence, both commercial and home grown, there is a correspondingly large variety of vulnerabilities for attackers to exploit. An IPS cannot effectively cover all of them with signatures, and attempting to do so tends to produce more false positives. False positives are costly because they make already busy security analysts even busier. An overload of false positives can delay the response to real attacks, or cause a real attack to be accepted as normal when an analyst tunes the system down to reduce the noise.

Host IPSs (HIPS) are somewhat more granular than network IPSs (NIPS). A HIPS runs on the server itself and can monitor activity at the application layer (OSI Layer 7), closer to the logic delivered to the web application. But a HIPS still lacks an understanding of the web application's languages and logic. The Web Application Firewall was developed in response to these shortcomings.

Web Application Firewall (WAF)

WAFs are designed to protect web applications and servers from web-based attacks that an IPS cannot prevent. As with IPSs, WAFs can be network or host based. They sit in-line and monitor traffic to and from the web applications or servers. The essential difference is in how deeply they can analyze the Layer 7 web application logic.

Where an IPS interrogates traffic against signatures and anomalies, a WAF interrogates the behavior and logic of what is requested and returned. WAFs protect against web application threats such as SQL injection, cross-site scripting, session hijacking, parameter or URL tampering and buffer overflows (oversized inputs). Like an IPS, a WAF inspects the contents of incoming and outgoing traffic, but it does so on complete HTTP requests and responses rather than on individual packets: it reassembles the stream, decodes the URL, headers, cookies and parameters, and can then evaluate each element against rules that know what the application expects.

WAFs are typically deployed as a proxy of some kind directly in front of the web applications, so they do not see all traffic on the network. By intercepting traffic before it reaches the web application, a WAF can analyze each request in full before passing it on, and each response before it leaves. This focus is what gives a WAF its advantage over an IPS: because an IPS is designed to interrogate all network traffic at line rate, it cannot afford to analyze the application layer as thoroughly.

WAFs not only detect attacks known to occur in web application environments; they can also detect, and block, some previously unknown ones. A WAF that has been given a model of the application's expected behavior (which parameters each page accepts, what values and lengths are valid, how large a typical response is) can alert on and block anything that departs from that model, without needing a signature for the specific attack. For example, if a WAF sees the application returning much more data than it normally does, as when a successful injection dumps a whole table, the WAF can block the response and alert an analyst.
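The following is an added example, not code from the original FAQ or from any product it mentions. It puts the two preceding points side by side on constructed traffic: a packet-level signature scan that looks at raw bytes segment by segment (the IPS view), against a check that reassembles the TCP stream, parses the HTTP request, percent-decodes the parameters and applies both a negative rule (SQL injection pattern) and a positive model of what the hypothetical /search endpoint accepts (the WAF view), plus the outbound "response is far larger than usual" check. The endpoint, policy, signatures and sample requests are all assumptions made for the example. Real IPSs perform HTTP normalization and reassembly to varying degrees, so the toy exaggerates the gap; the point is which layer each check reasons about.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Raw-byte signatures as a packet-level IPS might carry them (constructed for
# this example; they anticipate '+' and '%20' for the space but not a fully
# percent-encoded quote).
RAW_SIGNATURES = [b"'+OR+'1'='1", b"'%20OR%20'1'='1"]

# Negative-security rule the WAF applies to *decoded* parameter values.
SQLI_RE = re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")

# Positive-security policy for one hypothetical endpoint (assumed, not from the
# FAQ): which parameters /search accepts and what each may contain.
POLICY = {
    "/search": {
        "q": re.compile(r"[\w .-]{1,64}"),   # bounded free text
        "id": re.compile(r"\d{1,10}"),       # numeric identifier only
    }
}


def packet_signature_hits(segments, signatures=RAW_SIGNATURES):
    """Packet-level check: scan each TCP segment's raw bytes on its own, with
    no stream reassembly and no URL decoding. Returns the signatures matched."""
    hits = []
    for seg in segments:
        for sig in signatures:
            if sig in seg and sig not in hits:
                hits.append(sig)
    return hits


def parse_http_request(segments):
    """Reassemble the TCP stream and parse the request line, headers and
    percent-decoded query parameters, as a reverse-proxy WAF sees the request."""
    raw = b"".join(segments).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # decodes %xx and '+'
    return {"method": method, "path": parts.path, "params": params,
            "headers": headers, "body": body}


def waf_inspect(request, policy=POLICY):
    """Layer-7 check: negative rules on decoded parameters, then the positive
    (whitelist) model for the endpoint. Returns findings; an empty list means allow."""
    findings = []
    for name, value in request["params"].items():
        if SQLI_RE.search(value):
            findings.append(f"sqli in parameter {name!r}")
    endpoint = policy.get(request["path"])
    if endpoint is None:
        findings.append(f"unknown path {request['path']!r}")
        return findings
    for name, value in request["params"].items():
        pattern = endpoint.get(name)
        if pattern is None:
            findings.append(f"unexpected parameter {name!r}")
        elif not pattern.fullmatch(value):
            findings.append(f"parameter {name!r} violates policy")
    return findings


def response_size_anomaly(response_len, baseline_len, factor=5.0):
    """Outbound check: flag a response far larger than the endpoint normally
    returns, e.g. a whole table dumped by a successful injection."""
    return response_len > baseline_len * factor


# Constructed sample traffic, each request as a list of TCP segment payloads.
BENIGN = [b"GET /search?q=red+shoes&id=42 HTTP/1.1\r\nHost: shop.example\r\n",
          b"Cookie: session=abc123\r\n\r\n"]
PLAIN_SQLI = [b"GET /search?q='+OR+'1'='1&id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"]
ENCODED_SQLI = [b"GET /search?q=%27+OR+%271%27%3D%271&id=42 HTTP/1.1\r\n"
                b"Host: shop.example\r\n\r\n"]
SPLIT_SQLI = [b"GET /search?q='+OR+'1'",                              # signature straddles
              b"='1&id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"]   # the segment boundary
TAMPERED = [b"GET /search?q=shoes&id=42%27 HTTP/1.1\r\nHost: shop.example\r\n\r\n"]


def compare(segments):
    """Run both checks on one request; returns {'ips': [...], 'waf': [...]}."""
    return {"ips": packet_signature_hits(segments),
            "waf": waf_inspect(parse_http_request(segments))}


if __name__ == "__main__":
    for label, segs in [("benign", BENIGN), ("plain sqli", PLAIN_SQLI),
                        ("encoded sqli", ENCODED_SQLI), ("split sqli", SPLIT_SQLI),
                        ("tampered id", TAMPERED)]:
        print(f"{label:13s} -> {compare(segs)}")
    print("oversized response:", response_size_anomaly(60_000, 2_048))
```

The plain injection is caught by both checks; the percent-encoded and segment-split variants slip past the raw-byte scan but not the decoded, reassembled view, and the tampered id is rejected by the positive model alone, with no injection signature involved. That last case is the kind of "unknown attack" coverage the text describes: the rule says what the parameter must look like, not what an attack looks like.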

Conclusion

Web Application Firewalls are a specialized class of product that detects attacks against web applications in more depth than an Intrusion Prevention System. A WAF provides enhanced protection for web applications and servers. Using a WAF is a good way to augment an IPS and add another layer of protection to a defense-in-depth architecture.

