Home     Free Vulnerability Scan (IVS)     About     Security Blogs     Contact Us

Just what is the difference between WAF, IPS and IDS?

Modern-day Cyberattacks make it even more important not to just rely on traditional static Firewall rules. A solid Intrusion System will enable automated dynamic defence techniques that support multi-layered security.

A Web Application Firewall (WAF), Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are all forms of intrusion systems with subtle differences. First let's cover the IDS and IPS.

An IDS is where attacks are logged for manual analysis and defence (ie detection only), whereas an IPS is where attacks are logged but also automatically blocked.

IDS will only provide value if a team, often referred to as a Security Operations Centre (SOC), continuously monitor the logs and react appropriately. The SOC could be an internal team, or an external provider. This provides reassurance that all actions are governed by human-intervention which will help prevent false negatives of legitimate traffic being blocked. The disadvantage includes potential human-error, and having the manpower and skills to be able to make the judgement and react.

Outsourcing a SOC is an option, however can be very expensive and the duration required for human intervention to monitor, discover, analyse, approve and block an attack can cause delays; by which time the attack could already have caused damage.

IPS monitors for attacks via an algorithm which baselines good against bad traffic patterns and signatures. It’s capable of blocking an attack almost immediately preventing damage, and requires far less human resource to maintain. The disadvantage is that on very rare occasions, it is potentially possible that IPS could block legitimate traffic.

Right, onto WAF's. This is similar to IPS (and automatically block), however designed specifically for web application protection (more often than not, Internet facing web applications). Therefore it will focus on the types of exploits which are common to web applications such as SQL injection, buffer overflow, weak password attacks. Although an IPS may also protect against some of these, an IPS is broader and designed to protect internal systems as well - such as file servers, Active Directory.

If an IPS does similar to WAF, but covers more - why not just have an IPS? It's like running across a muddy field in shoes (ie IPS) - your feet will have some protection, but boots (ie WAF) are designed to fully protect. Therefore there's clear overlap of duties, however having both can complement each other.