We are all somewhat familiar with Intrusion Prevention Systems (IPS). But what is all this talk of Web Application Firewalls (WAF)? What is a Web Application Firewall, and how does it differ from an IPS? First, let’s take a quick look at Intrusion Prevention, its benefits and some of its shortcomings. Then we will discuss WAFs, how they differ from IPSs and how they augment them.
Intrusion Prevention System (IPS)
An IPS generally sits in-line and watches network traffic as the packets flow through it. It acts similarly to an Intrusion Detection System (IDS), trying to match data in the packets against a signature database or to detect anomalies against what is pre-defined as “normal” traffic. In addition to its IDS functionality, an IPS can do more than log and alert: it can be programmed to react to what it detects. This ability to react to detections is what makes an IPS more desirable than an IDS.
There are still some drawbacks to an IPS. An IPS is designed to block certain types of traffic that it can identify as potentially bad. It does not have the ability to understand web application protocol logic, so it cannot fully distinguish whether a request is normal or malformed at the application layer (OSI Layer 7). This shortcoming could allow attacks through without detection or prevention, especially newer attacks for which no signatures exist yet.
Because there is a large number of web applications in existence, both commercial and home grown, there will tend to be many different types of vulnerabilities available for attackers to exploit. An IPS cannot effectively cover all of these potential vulnerabilities and in practice may end up producing more false positives. False positives are very bad because they make already busy security analysts even busier. An overload of false positives can delay response to actual attacks, or cause attacks to be accepted as normal because an analyst is trying to reduce the noise.
Host IPS (HIPS) are a little more granular than network IPS (NIPS). HIPS can monitor the application layer (OSI Layer 7), a little closer to the logic delivered to the web application. But HIPS still lack some understanding of web application languages and logic. In response to these shortcomings, we are presented with the Web Application Firewall.
Web Application Firewall (WAF)
WAFs are designed to protect web applications and servers from web-based attacks that an IPS cannot prevent. As with an IPS, a WAF can be network or host based. They sit in-line and monitor traffic to and from web applications and servers. Basically, the difference is in the level of ability to analyze the Layer 7 web application logic.
Where an IPS interrogates traffic against signatures and anomalies, a WAF interrogates the behavior and logic of what is requested and returned. WAFs protect against web application threats like SQL injection, cross-site scripting, session hijacking, parameter or URL tampering and buffer overflows. They do so in the same manner an IPS does, by analyzing the contents of each incoming and outgoing packet.
WAFs are typically deployed in some sort of proxy fashion just in front of the web applications, so they do not see all traffic on our networks. By monitoring the traffic before it reaches the web application, a WAF can analyze requests before passing them on. This is what gives them such an advantage over an IPS: because an IPS is designed to interrogate all network traffic, it cannot analyze the application layer as thoroughly.
WAFs not only detect attacks that are known to occur in web application environments, they also detect (and can prevent) new, unknown types of attacks. By watching for unusual or unexpected patterns in the traffic they can alert on and/or defend against unknown attacks. For example, if a WAF detects that the application is returning much more data than it is expected to, the WAF can block it and alert someone.
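The contrast drawn above, signature matching on raw packet bytes versus validating the decoded Layer 7 request against what the application actually expects, plus the "returning far more data than expected" response check, can be shown in a few lines. The following is an added illustration and is not code from the article or from any particular IPS or WAF product; the signatures, the `/item` endpoint, its parameter policy and the response-size baseline are all constructed for the example, and a real WAF would learn or be configured with such a policy rather than hard-code it.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


# --- IPS-style check: pattern matching on the raw request bytes ---
# Constructed signatures for illustration only; not a real vendor signature set.
SIGNATURES = {
    "sqli-union": re.compile(rb"union\s+select", re.IGNORECASE),
    "xss-script-tag": re.compile(rb"<script", re.IGNORECASE),
}


def ips_inspect(raw: bytes):
    """Return the name of the first signature matching the raw bytes, else None.
    This never decodes or parses the request; it only sees what is literally on the wire."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(raw):
            return name
    return None


# --- WAF-style check: parse the HTTP request, then validate it against application logic ---
@dataclass
class HttpRequest:
    method: str
    path: str
    query: dict
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, body, decoded query string."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    # parse_qs percent-decodes values, so the policy below sees the same data the application would
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return HttpRequest(method, parts.path, query, headers, body)


# Per-endpoint policy (hypothetical /item endpoint): allowed methods and the expected shape of
# each parameter. Anything outside this positive model is a violation, signature or not.
POLICY = {
    "/item": {
        "methods": {"GET"},
        "params": {
            "id": re.compile(r"[0-9]{1,10}"),        # numeric identifier only
            "view": re.compile(r"full|summary"),     # small enumerated set
        },
    }
}


def waf_inspect(req: HttpRequest):
    """Return a list of policy violations for the parsed request; an empty list means allowed."""
    violations = []
    rules = POLICY.get(req.path)
    if rules is None:
        return ["unknown-path"]
    if req.method not in rules["methods"]:
        violations.append(f"method-not-allowed:{req.method}")
    for name, value in req.query.items():
        expected = rules["params"].get(name)
        if expected is None:
            violations.append(f"unexpected-param:{name}")
        elif not expected.fullmatch(value):
            violations.append(f"bad-param-value:{name}")
    return violations


# --- Response-side anomaly check: the "application returns far more data than expected" case ---
BASELINE_BYTES = {"/item": 2_000}   # constructed baseline: typical response size per endpoint


def response_anomalous(path: str, body_len: int, factor: float = 5.0) -> bool:
    """True when a response is more than `factor` times larger than the endpoint's baseline."""
    base = BASELINE_BYTES.get(path)
    return base is not None and body_len > base * factor


if __name__ == "__main__":
    # Constructed sample: a percent-encoded script tag is invisible to the raw-bytes signature
    # but fails the decoded parameter policy.
    raw = b"GET /item?id=42&view=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    print("IPS:", ips_inspect(raw))                     # None
    print("WAF:", waf_inspect(parse_request(raw)))      # ['bad-param-value:view']
    print("Response anomaly:", response_anomalous("/item", 50_000))  # True
```

The point the two inspectors make is the one the article draws: `ips_inspect` can only match what is literally on the wire, so a value that is percent-encoded or simply the wrong type for the parameter sails past it, while `waf_inspect` works on the decoded request and rejects anything that does not fit the endpoint's expected method and parameter shapes, which is also how it catches parameter tampering that matches no signature at all. `response_anomalous` is the outbound half of the same idea.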