WAF vs IPS (or Four Things Your IPS Can’t Do)
I see this often and I am always amused at the topic. I have worked with IDS/IPS for 8 years, so I knew IPS back when it was just a flavor of IDS that no one wanted to enable for fear of blocking access to users and customers. I chuckle at the thought of WAF being a glorified IPS. My, how times have changed.
Here are four things that your WAF can do that your IPS can't. I tried to keep this vendor-agnostic.
Please feel free to pile on or comment, just no flames please!
WAF vs IPS?
Intrusion Prevention Systems, as the name implies, inspect packets in an attempt to prevent attacks and therefore intrusions. An IPS, which evolved from the Intrusion Detection System, is a packet-inspection device that analyzes traffic for signatures or policy violations. These all-purpose devices typically do not decrypt encrypted traffic (so unless something upstream terminates TLS for them, they see nothing inside an HTTPS connection) but instead apply a predefined policy or signature set across all network traffic presented to them.
Four Key Differences
An IPS inspects each packet as it arrives and then lets it go; it keeps no copy, which is good for throughput but means it has no memory of that packet once it has been forwarded. (Modern IPS do reassemble TCP streams to defeat simple fragmentation tricks, but they still have no notion of a web request paired with its response.) This is a key differentiator, because a WAF must retain the pieces of a client web request until it has the whole thing, and must then keep that request in mind while it inspects the server's response to it. Thus you could say that an IPS deals with packets, while a WAF works within sessions.
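To make the packets-versus-sessions point concrete, here is an added example (it is not code from the original post or from any product it mentions). It takes one constructed HTTP request whose SQL-injection payload happens to straddle a TCP segment boundary and runs the same signature two ways: per segment with no state carried between segments, and against the reassembled, URL-decoded request. The segment split, the request and the signature are all assumptions constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Signature for a classic SQL-injection token pair. It is applied two ways
# below: once per TCP segment, forgetting each segment after it is checked
# (the packet-at-a-time view the post attributes to an IPS), and once after
# the segments are reassembled into one HTTP request (the WAF's session view).
SIGNATURE = re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)

# Constructed traffic for this example: a single GET request that the client's
# TCP stack happened to split into two segments, with the payload straddling
# the boundary ("UNION SEL" | "ECT").
SEGMENTS = [
    b"GET /items?id=1%20UNION%20SEL",
    b"ECT%20password%20FROM%20users HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]


def inspect_per_packet(segments, signature=SIGNATURE):
    """Decode and match each segment on its own, keeping no state between
    segments. Returns the indexes of the segments that matched."""
    hits = []
    for i, seg in enumerate(segments):
        text = unquote_plus(seg.decode("latin-1"))
        if signature.search(text):
            hits.append(i)
    return hits


def reassemble_request(segments):
    """Join the segments of one TCP stream and parse the HTTP request they
    carry: method, path, decoded query parameters, headers and body."""
    raw = b"".join(segments).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = dict(line.split(": ", 1) for line in header_lines if ": " in line)
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),  # values are lists
        "headers": headers,
        "body": body,
    }


def inspect_session(segments, signature=SIGNATURE):
    """Match the signature against each decoded parameter value of the whole
    request. Returns (name of the offending parameter or None, parsed request),
    so the caller still holds the request context when the response comes back."""
    request = reassemble_request(segments)
    for name, values in request["params"].items():
        if any(signature.search(v) for v in values):
            return name, request
    return None, request


if __name__ == "__main__":
    print("per-packet hits:", inspect_per_packet(SEGMENTS))  # []
    name, req = inspect_session(SEGMENTS)
    print("session hit in parameter:", name, "on", req["method"], req["path"])
```

The per-packet pass returns no hits because neither segment alone contains "UNION SELECT"; the session pass reassembles the stream, decodes the query and reports the offending parameter along with the parsed request, which is exactly the context a WAF carries forward to the response.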
Baselining is available on both IPS and WAF, but the similarity stops with the name. IPS baselining is statistical: it learns normal throughput and traffic-flow patterns and alerts on deviations from them. WAF baselining is structural: it learns the application's URLs, the parameters each one takes, which HTTP methods each URL accepts, and how sessions and cookies are issued and used, and then flags requests that don't fit that map. A WAF has no concept of bandwidth utilization for baselining, just as an IPS doesn't know whether a given URL is supposed to accept HTTP POSTs or GETs.
Companies use IPS signatures as a way to virtually patch their systems ahead of an actual patch or update being available or fully rolled out. That works for a known vulnerability in an off-the-shelf product that the IPS vendor has written a signature for. It does not help when the vulnerability is in the application layer of your own custom-written web application, because no IPS vendor will ever ship a signature for your code. This is where the WAF, thanks to its application awareness, provides a measure of protection not available on an IPS: a virtual patch that rejects the specific input the flaw chokes on until the fix is deployed.
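The following added example (mine, not code from the original post or from any WAF product) ties together the two previous points: the baselining paragraph, which describes learning URLs, methods and parameter shapes, and this paragraph on virtual patching. It learns a positive-security profile from a few constructed requests to a hypothetical custom web app, then adds one negative rule to block a made-up template-injection bug in that app's /search handler. The app, its URLs, the learning traffic, the rule label TMPL-001 and the length-slack factor are all assumptions for the illustration; the point is that a request can fit the learned baseline perfectly and still be stopped by a virtual patch aimed at one specific flaw.

```python
import re

# Constructed "learning period" traffic for a hypothetical custom web app,
# as (method, path, {parameter: value}). Every value here is made up.
LEARNING_TRAFFIC = [
    ("GET",  "/login",   {}),
    ("POST", "/login",   {"user": "alice", "pass": "s3cret!"}),
    ("POST", "/login",   {"user": "bob",   "pass": "hunter2"}),
    ("GET",  "/account", {"id": "1042"}),
    ("GET",  "/account", {"id": "7"}),
    ("GET",  "/search",  {"q": "red shoes"}),
]

# Slack allowed over the longest value seen during learning. Chosen for this
# example; a real product exposes it as a tuning knob.
LENGTH_SLACK = 2


class WafProfile:
    """Positive-security baseline (URL -> methods -> parameter shapes) plus a
    list of negative 'virtual patch' rules aimed at specific known flaws."""

    def __init__(self):
        self.urls = {}     # path -> {"methods": set(), "params": {name: spec}}
        self.patches = []  # (path, param, compiled regex, label)

    def learn(self, method, path, params):
        """Fold one observed request into the baseline."""
        entry = self.urls.setdefault(path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for name, value in params.items():
            spec = entry["params"].setdefault(name, {"numeric": True, "maxlen": 0})
            spec["numeric"] = spec["numeric"] and value.isdigit()
            spec["maxlen"] = max(spec["maxlen"], len(value))

    def add_virtual_patch(self, path, param, pattern, label):
        """Block a specific input to a specific parameter until the code fix ships."""
        self.patches.append((path, param, re.compile(pattern), label))

    def check(self, method, path, params):
        """Return a list of violations; an empty list means the request fits."""
        violations = []
        entry = self.urls.get(path)
        if entry is None:
            return [f"unknown URL {path}"]
        if method not in entry["methods"]:
            violations.append(f"{method} not learned for {path}")
        for name, value in params.items():
            spec = entry["params"].get(name)
            if spec is None:
                violations.append(f"unknown parameter {name} on {path}")
                continue
            if spec["numeric"] and not value.isdigit():
                violations.append(f"{name} on {path} expected numeric")
            if len(value) > LENGTH_SLACK * spec["maxlen"]:
                violations.append(f"{name} on {path} longer than baseline")
        for p_path, p_param, regex, label in self.patches:
            if p_path == path and p_param in params and regex.search(params[p_param]):
                violations.append(f"virtual patch {label} blocked {p_param} on {path}")
        return violations


def build_profile():
    """Learn the baseline from the constructed traffic and add one virtual patch
    for a hypothetical template-injection bug in the app's own /search handler
    (the bug and the rule label TMPL-001 are invented for this example)."""
    waf = WafProfile()
    for method, path, params in LEARNING_TRAFFIC:
        waf.learn(method, path, params)
    waf.add_virtual_patch("/search", "q", r"\{\{", "TMPL-001")
    return waf


if __name__ == "__main__":
    waf = build_profile()
    for req in [
        ("GET",  "/account", {"id": "1042"}),          # fits the baseline
        ("POST", "/account", {"id": "1042"}),          # method never seen here
        ("GET",  "/account", {"id": "1042 OR 1=1"}),   # wrong shape for id
        ("GET",  "/search",  {"q": "{{7*7}}"}),        # baseline OK, patch hits
    ]:
        print(req, "->", waf.check(*req))
```

Note what the two mechanisms catch: the baseline flags a POST to a URL that only ever saw GETs and a non-numeric account id, neither of which any generic IPS signature describes, while the free-text search parameter sails through the baseline and is only stopped by the virtual patch written for that one flaw in the custom code.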
WAF deployments are focused on web applications and web-application traffic, while IPS deployments typically sit at the network level inspecting all packets. I'll grant you that there are host-based protections that blur the line between IPS and WAF, but these don't qualify as either, and they probably won't be living in large multi-OS datacenters or deployed across the tiers of your n-tier applications.
These are complementary technologies, just as traditional firewalls and IPS complement one another. See Akamai's announcement of its new WAF service that complements existing IPS features.