Wednesday 4 January 2012

WAF vs IPS

I see this often and I am always amused at the topic. I have worked with IDS/IPS for 8 years, so I knew IPS when it was just a flavor of IDS that no one wanted to enable for fear of blocking access to users and customers. I chuckle at the thought of WAF being a glorified IPS. My how times have changed.
Here are four things that your WAF can do that your IPS can’t. I tried to keep this vendor-agnostic.
Please feel free to pile on or comment, just no flames please!

WAF vs IPS?


Intrusion Prevention Systems, as the name implies, inspect packets in an attempt to prevent attacks and therefore intrusions. An IPS, which evolved from the Intrusion Detection System, is a packet inspection system that analyzes traffic for signatures or policy violations. These all-purpose devices typically do not decrypt encrypted traffic; they apply a predefined policy or signature set across all network traffic presented to them. For HTTPS that means an IPS sees only ciphertext unless something in front of it terminates the TLS session and hands it the plaintext.

Four Key Differences

An IPS inspects each packet as it passes and then forwards or drops it; to stay at line rate it keeps little state beyond what TCP stream reassembly and the active signature need, and the packet itself is not retained. This is a key differentiator, because a WAF must buffer the whole client web request, and usually the subsequent server response, in order to keep the context of the transaction. Thus you could say that an IPS deals with packets (at most reassembled streams), while a WAF works within sessions.

WAFs must understand not just protocol behavior, like the HTTP GET, POST and HEAD methods, but also JavaScript, SQL, HTML, XML, cookies and so on. They must also apply the same decoding the application will (URL encoding, HTML entities, form bodies) before matching anything, otherwise a signature written for `' OR 1=1` never fires on `%27%20OR%201%3D1`. This application-layer logic is fundamental to the operation of a WAF but not required for IPS functionality, and therefore not typically implemented on an IPS.

Baselining is available on IPS and WAF, but the similarity stops with the name. IPS baselining consists of statistical deviations in throughput and traffic flows. WAF baselining involves URL, parameter, HTTP method, session and cookie mapping: the WAF watches production traffic for a learning period and builds a positive model of which URLs exist, which methods each accepts and which parameters each takes, then flags or blocks requests that fall outside that model. A WAF has no concept of bandwidth utilization for baselining, just as an IPS doesn’t know whether a given URL is supposed to accept HTTP POSTs or GETs.

Companies look at IPS signatures as a means to virtually patch their systems ahead of an actual vendor patch or update being available or fully rolled out. That only works for vulnerabilities a signature vendor knows about; it isn’t available when the hole is a specific application-layer flaw in custom-written web application code that no signature feed will ever cover. This is where the WAF provides a measure of protection not available on an IPS: because it understands the application’s URLs and parameters, a virtual patch can be written against the one vulnerable input (for example, constraining a single parameter on a single URL) until the code itself is fixed.
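As an added example (not code from the original post, and not any vendor's product), here is a small Python sketch that makes the three application-layer points above concrete: it parses a reassembled HTTP request into method, URL, decoded parameters and cookies; learns a positive-model baseline of which methods and parameter names each URL accepts; and applies a virtual patch to one parameter of one URL. The shop application, its /search and /login URLs, the parameter names, the sample traffic and the IPS-style byte signature are all constructed for illustration, and in a real WAF the profile would be learned from production traffic over a monitoring period rather than from three hard-coded requests.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Generic SQL injection signature of the kind both an IPS and a WAF carry.
# The IPS matches on wire bytes; the WAF matches on decoded parameter values.
SQLI = re.compile(r"(?i)(\bor\b|\bunion\b|--|;)\s*.*(=|\bselect\b)")

# Hypothetical virtual patch for a hypothetical shop app: its /search handler
# passes `q` straight into SQL, so until the code is fixed only a short
# alphanumeric value is allowed on that one parameter of that one URL.
VIRTUAL_PATCHES = {("/search", "q"): re.compile(r"^[\w ]{1,64}$")}


def ips_signature_match(raw: bytes) -> bool:
    """Packet-level view: byte-pattern match on the wire bytes, no decoding."""
    return b"' or 1=1" in raw.lower()


def parse_request(raw: bytes) -> dict:
    """Session-level view: one reassembled HTTP/1.1 request (TLS already
    terminated) split into method, path, decoded parameters and cookies."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    cookies = dict(c.strip().split("=", 1) for c in headers.get("cookie", "").split(";") if "=" in c)
    return {"method": method, "path": url.path, "params": params, "cookies": cookies}


class Profile:
    """Positive security model learned during a monitoring phase: which HTTP
    methods and which parameter names each URL is expected to accept."""

    def __init__(self):
        self.methods = defaultdict(set)
        self.params = defaultdict(set)

    def learn(self, req: dict) -> None:
        self.methods[req["path"]].add(req["method"])
        self.params[req["path"]].update(req["params"])

    def violations(self, req: dict) -> list:
        path = req["path"]
        if path not in self.methods:
            return [f"unknown URL {path}"]
        out = []
        if req["method"] not in self.methods[path]:
            out.append(f"unexpected method {req['method']} for {path}")
        out += [f"unknown parameter {p} for {path}" for p in req["params"] if p not in self.params[path]]
        return out


def waf_inspect(raw: bytes, profile: Profile) -> list:
    """Apply the learned profile, the decoded signature and the virtual patch."""
    req = parse_request(raw)
    findings = profile.violations(req)
    for name, value in list(req["params"].items()) + list(req["cookies"].items()):
        # parse_qsl decoded once; unquote again so %2527-style double encoding
        # is inspected the way the application will eventually see it
        if SQLI.search(unquote(value)):
            findings.append(f"sqli pattern in {name}")
    for (path, param), allowed in VIRTUAL_PATCHES.items():
        if req["path"] == path and param in req["params"] and not allowed.match(req["params"][param]):
            findings.append(f"virtual patch: {param} rejected on {path}")
    return findings


def build_profile() -> Profile:
    """Constructed learning-mode traffic for the hypothetical shop app."""
    profile = Profile()
    for raw in (
        b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        b"GET /search?q=red+boots HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=hunter2",
    ):
        profile.learn(parse_request(raw))
    return profile


# Constructed requests to run against that profile, e.g.
#   waf_inspect(ENCODED_SQLI, build_profile()) versus ips_signature_match(ENCODED_SQLI)
ENCODED_SQLI = b"GET /search?q=%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
UNEXPECTED_POST = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=shoes")
EXTRA_PARAM = b"GET /search?q=shoes&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
```

Running `waf_inspect(ENCODED_SQLI, build_profile())` reports both the SQL injection pattern and the virtual-patch violation, while `ips_signature_match(ENCODED_SQLI)` returns False because the byte signature never sees the decoded `' OR 1=1`. `UNEXPECTED_POST` and `EXTRA_PARAM` contain nothing a byte signature would object to, yet both violate the learned profile (a POST to a URL that only ever took GETs, and a parameter the URL never accepted), which is the kind of finding only a device that maps URLs, methods and parameters can produce.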

Wrap Up


These are complementary technologies, just as traditional firewalls and IPS complement one another. See Akamai’s announcement of a new WAF service that complements existing IPS features.
WAF deployments are focused on web applications and web application traffic, while IPS deployments are typically done at the network level inspecting all packets. I’ll grant you that there are host-based protections that blur the lines between IPS and WAF, but these don’t qualify as either, and probably won’t be living in large multi-OS datacenters or deployed across the tiers of your n-tier applications.
Web Application Firewalls, as the name implies, work with web applications almost exclusively. Most WAFs are not best-of-breed traditional firewalls and should not be implemented in place of a traditional network firewall. Typical WAF deployments feature SSL decryption of web application traffic and blocking of web-based threats after the WAF reassembles each web session. This is possible because the WAF operates at the application layer, where HTML, XML, cookies, JavaScript, ActiveX, client requests and server responses live.
