WAF vs. IPS – What’s the Difference?

If you’ve been around the security space for a while, you’ve for sure heard the terms “WAF” and “IPS.” Those two terms, while often used interchangeably, are not the same. A WAF stands for Web Application Firewall and an IPS stands for Intrusion Prevention System. These two software solutions are both used to protect web applications from harm – however, they both do different things. A WAF shields web applications from the most frequent attacks targeting them including SQL injection (SQLi), Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), and the like, while an IPS is used to prevent intrusions into a system it’s deployed on. In this blog, we dive deeper into those two software solutions.

WAF Explained

A WAF, as previously explained, stands for a Web Application Firewall. Its core purpose is to protect a given web application from attacks like:

• SQL Injection (frequently shortened to SQLi) that targets the most important information held in our database infrastructure.
• XSS (short for Cross-site Scripting) – such an attack occurs when malicious javascript code is being injected into a website through a form that may be relayed through GET or POST requests. Such an attack has two types – stored (sometimes also called persistent), and reflected. A stored XSS attack differs from a reflected attack in the fact that when a website is vulnerable to stored XSS, it stores the input of a user inside of a database of some sort, while when a website is vulnerable to reflected XSS, it doesn’t store the input and instead usually “reflects” it back to a specific user (hence the title.)
• CSRF (short for Cross-site Request Forgery) – such an attack is made possible when an authenticated user clicks a link forged by an attacker and as a result, is forced to perform unwanted actions (for example, transfer money, change his or her password, etc.)
• DoS and DDoS (Denial of Service and Distributed Denial of Service attacks) that are used to disrupt the performance of a web application and cause downtime. As a result of downtime, businesses lose customers, providers of critical services (for example, healthcare) cannot provide services to patients, etc.

IPS Explained

An IPS, as previously explained, stands for an Intrusion Prevention System. Differently from a WAF, an IPS monitors a network for malicious activity and takes predefined action (frequently reporting and / or blocking the attack) to prevent it.

An IPS is also very similar to an IDS – an IDS simply detects malicious activity, but does not act on it in any way. While an IDS cannot take any action other than detecting and logging the attack, IPS can.

An IPS can have three types – it can either be signature-based, anomaly-based, or policy-based. These three types have their own distinct advantages:

• A signature-based IPS detects threats based on predefined “signatures.” This method has a drawback in that only signatures that are added to a blacklist will be identified, so caution (and frequent updates to the list) is advised.
• An anomaly-based IPS monitors a network for abnormal behavior – it works by comparing random samples of network activity against its “standard” behavior.
• A policy-based IPS uses policies defined by the administrator (or whoever implemented the IPS) in order to block any activity violating those policies.

The most frequent type of IPS out there are signature-based intrusion prevention systems, which, as already explained, work on a signature-based principle. As such, signatures need to be very frequently updated to avoid them being bypassed by an attacker, but while doing so administrators need to be aware that the “harsher” their security policies are, the tougher work for ordinary users becomes. The key here, as you can probably already tell, is fending off attackers while keeping the inconvenience created for users to a minimum. That way we will reach the golden medium.

Core Appliances – WAF vs. IPS

Depending on the requirements of the organization, both a WAF and an IPS can be applied differently as well. A WAF is usually applied at the application layer (the network layer 7), while the IPS is usually applied to the third network layer, which means that both systems can function together in a friendly manner.

A WAF is usually applied to an entire web application as a whole, and an IPS is usually applied on the third network layer to protect the network. As such, when deciding what and when to use, keep the following questions in mind:

• What are you protecting in the first place? Do you need detection, prevention, or both at once?
• How many users does your application have?
• What kind of threats is your application facing (or what kind of threats do you think it will face in the future?)
• Did you study the options already available on the market?

After you’ve decided what you need, choose an appropriate WAF or an IPS. There are a couple of reliable vendors including CloudFlare, Imperva, and others, and the price will also fluctuate depending on your requirements. Contrary to popular belief, though, both systems can also be self-made and on the basic level they will function very well, though be aware that doing so would require a lot of work – that probably goes without saying.

Lastly, keep in mind that a WAF or an IPS alone won’t get you very far – to strengthen the security of your organization even further, consider employing services provided by BreachDirectory or other vendors to ensure that all of your employees are safe from identity theft attacks at any given moment.

Summary

In this blog, we’ve helped you figure out the differences between a Web Application Firewall (frequently shortened to WAF) and an Intrusion Prevention System (an IPS.) Both appliances have their own distinct advantages and disadvantages – we hope that this blog has helped you figure out when should you use them.

Combine those appliances together with services provided by BreachDirectory, and you will certainly reach the security heaven you dream of – while a WAF and an IPS will help secure your application against all possible threats, services provided by BreachDirectory will provide you with access to an API appliance that will allow you to query a list of extensive data breaches all at once to secure yourself, your organization, and your employees.

We hope you’ve enjoyed reading this blog – search yourself through BreachDirectory, and come back to this blog a little later to read up on news in the cyber security space.