WAF vs IPS vs FW vs Zero day attack
Before we dive into this topic, let’s first briefly cover types of cyber threats these technologies can detect and prevent.
- Firewall is like a doorman; sits at the perimeter, he keeps everyone out who tries to sneak in via open basement-windows-roof etc, but once someone enters through the official door, he lets everybody in, esp. when the house-owner brings guests in; it just allows or blocks traffic, based on port/ip and source and destination allowed. To elaborate further in technical terms, firewall analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected. In this day and age, most firewall vendors offer IPS module along with a regular Firewall functionality as well as application control +URL filtering or proxy service on top of it.
- IPS : the guy who searches guests for weapons or thieves etc; while he cannot run around and prevent people from sneaking in, he’s able to search what people are bringing in and also run background checks on visitors and detect if they have any known bad or good history, also looks at anomalies based on signatures it has in its database.
- A WAF is a security camera with alarm and two way audio and video and calls law enforcement when it sees bad behavior within certain areas. Only looks at certain movements within certain perimeter. A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.
- A zero-day attack could be very simple or sophisticated: it’s the exploitation of a vulnerability before there’s a fix for it.
As web applications became publishing to Internet, secure internet gateways and network firewalls became more used in the late 90s because web applications were designed without thinking about security and most of them had serious vulnerabilities. WAFs have greatly matured since then. Today, WAFs can understand the web application logic to block everything which not match the application logic. Therefore, WAFs can block malicious attacks matching traffic against signature attacks (negative security) but WAFs can also block malicious traffic matching the application logic (positive security).
Basically, a WAF checks and inspects, it mainly looks at the web application layer behavior and logic of what is requested and returned.
WAF can prevent unknown attacks while IPS can only protect against known host and application based attacks and exploits.
IPS and WAF are similar in that they analyze traffic but WAF mainly looks inside the web application layer deeper than IPS does.
WAFs can block well-known attacks and they can also detect and potentially prevent unknown attacks. For instance, a WAF may observe an unusually large amount of traffic coming from the web application. The WAF can flag it as unusual or unexpected traffic, and can block that data.
WAF and FW+IPS are complimentary security protection technologies.
IPS inspects traffic against signatures and anomalies, it does cover broad spectrum of attack types, most of them signature based.
A signature-based IPS has very little understanding of the underlying application. It cannot protect URLs or parameters. It does not know if an attacker is web-scraping, and it cannot mask sensitive information like credit cards and Social Security numbers. It could protect against specific SQL injections, but it would have to match the signatures perfectly to trigger a response, and it does not normalize or decode obfuscated traffic. One advantage of IPS is that it can protect the most commonly used Internet protocols, such as DNS, SMTP, SSH, Telnet, and FTP. The best security implementation will likely involve both an IPS and a WAF, but organizations should also consider which attack vectors are getting traction in the malicious hacking community. An IPS has only one solution to those problems: signatures. Signatures alone can’t protect against zero-day attacks for example; proactive URLs, parameters, allowed methods, and deep application knowledge are essential to this task. And if a zero-day attack does occur, an IPS’s signatures can’t offer any protection. Most zero-day attacks can be stopped by deploying a Sandboxing solution at the network layer and endpoint layer. This is another topic I discussed in one of my other articles on Medium.
Once the WAF detects a threat, it blocks the traffic and rejects the malicious web request or response with sensitive data. If there are no threats or attacks all your traffic should flow normally, in a way that all the inspection and protection are transparent to the users.
IPS don’t understand underlying applications thus they don’t know about entities like parameters, URLs, file types, cookies or redirections. However, WAFs can protect entities to block sophisticated attacks like web-scraping attack, SQLi, XSS, CSRF, etc, etc. For instance, IPS can analyse HTTP traffic to look for most common web application vulnerabilities but WAFs can also analyse HTTP traffic to look for parameters value, parameters size, cookies signatures, etc.
Bottomline, Web Applications Firewalls are a special breed of product used to detect attacks against web applications in more depth than an Intrusion Prevention System. WAF can be used in any enterprise environment to provide enhanced protection to web applications/servers. Using a WAF is a good way to augment IPS and provide another layer of protection for our Defense-In-Depth architecture.