Score:1

Does it make sense to augment WAF (Web Application Firewall) with an IPS (Intrusion Prevention System)?

cn flag

Following scenario:

  • Web application, only HTTP/S traffic
  • Firewall in place to only allow traffic on port 80/443 in
  • WAF is in place, set to deny malicious traffic

Question: Is there any added value in this scenario to also have an IPS / Deep Packet Inspection solution in place? From all I understand: No. But I didn't find any clear answer out there.

Ron Trunk
Questions that generate mostly opinions are discouraged here.
cn flag
@RonTrunk I'm not looking for an opinion. I am actually curious if there would be any real reason to use both.
Ron Trunk
Well, it depends on how well you believe the WAF reduces your risk, and what additional risks the IPS would protect you against. Contrast those against the cost and time to install and maintain both systems. The answers are unique to every organization.
Score:2
nl flag

Question: Is there any added value in this scenario to also have an IPS / Deep Packet Inspection solution in place? From all I understand: No. But I didn't find any clear answer out there.

To answer the question, first let's unpack the key term "value". What we're doing here is asking "what's the value of a security control?".

Security controls (WAFs, IPSs, SPI firewalls being examples of technical security controls) are put in place to manage risk. Security controls that cost more than the expected loss over time of not having the control would not typically be put in place, and ones that cost less than the expected loss over time would be put in place.

Whether there's any value in putting an IPS in when a firewall limited to one port and a WAF is in place is really asking this question: Is the expected loss based on how everything is set up at the moment, minus the expected loss after the IPS has been put in place, greater than the cost of the IPS? If the answer is yes then there's no value in putting in an IPS, since the cost of putting it in is greater than the benefit it provides. This is an example of the risk management process in action.

When it comes to this particular situation, there is not enough information to definitively answer the question. Any technical answer given is not going to do it. Even if we had all the information, which would be extensive, there are enough variations in how people calculate risk that we'd definitely not be able to do anything beyond giving "a way of doing it", and possibly the longest Serverfault answer ever :-)

In general terms though, these are areas where an IPS (we'll conflate HIPS and NIPS here for simplicity) provides opportunity for value when implemented along with the existing solutions:

  1. For cases where there's crossover in functionality, as a secondary control if the firewall or WAF was misconfigured or compromised, does not pick up the threat, or detects the threat by a different method, thus increasing the probability of detecting detection evasion techniques.
  2. For cases where the IPS provides additional protection not already provided. This is product and implementation dependent but may include things like...
    • Blocking known-malicious IP addresses
    • Blocking based on event correlation, e.g. IPs that have been seen to be port scanning prior to sending the HTTP requests
    • Preventing / detecting file modifications by unauthorized processes
    • Many others
  3. For increased visibility. The IPS will generally be able to give you more visibility into the threat landscape since it's looking at a lot more of what's going on in the environment, not just the web traffic.

In summary, whether an IPS is of value will depend on risk. There are certainly scenarios where one would choose to put in an IPS in this scenario even if it provided only redundancy and no additional functionality - the "belt and braces" approach. If protecting a personal website, probably not going to be worth it, if protecting billions of dollars worth of intellectual property, more likely to be of value.
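The event-correlation case in point 2 above (an IP seen port scanning, then sending HTTP requests) is something a WAF alone cannot see, because it never sees the dropped non-HTTP packets. The following is an added example, not code from the thread or from any IPS product, showing the correlation logic over constructed sample log lines. The two log formats (a firewall DROP line `<ISO timestamp> DROP src=<ip> dpt=<port>` and a web access line `<ISO timestamp> <METHOD> <path> src=<ip>`) are assumptions made for the example.

```python
"""Correlate earlier port-scan drops with later HTTP requests.

Added example (not code from the thread). The two log formats below are
constructed for illustration and are assumptions, not any product's format:
  firewall: "<ISO timestamp> DROP src=<ip> dpt=<port>"
  web:      "<ISO timestamp> <METHOD> <path> src=<ip>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one host sweeps five ports, then hits /login;
# a second host probes a single port; a third only ever speaks HTTP.
FIREWALL_LOG = """\
2024-05-01T10:00:01 DROP src=203.0.113.5 dpt=22
2024-05-01T10:00:01 DROP src=203.0.113.5 dpt=23
2024-05-01T10:00:02 DROP src=203.0.113.5 dpt=3389
2024-05-01T10:00:02 DROP src=203.0.113.5 dpt=445
2024-05-01T10:00:03 DROP src=203.0.113.5 dpt=8080
2024-05-01T10:00:05 DROP src=198.51.100.7 dpt=22
"""
ACCESS_LOG = """\
2024-05-01T10:00:10 GET /login src=203.0.113.5
2024-05-01T10:00:11 GET /index.html src=198.51.100.7
2024-05-01T10:01:00 GET /index.html src=192.0.2.9
"""

SCAN_PORT_THRESHOLD = 5          # distinct dropped ports that count as a scan
WINDOW = timedelta(minutes=5)    # how far back to look before the HTTP request


def _field(token, key):
    """Return the value of a 'key=value' token, or None if the key differs."""
    k, _, v = token.partition("=")
    return v if k == key else None


def parse_drops(text):
    """Map source IP -> list of (timestamp, destination port) from DROP lines."""
    drops = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "DROP":
            continue  # ignore anything that is not a well-formed DROP line
        src, port = _field(parts[2], "src"), _field(parts[3], "dpt")
        if src is None or port is None:
            continue
        drops[src].append((datetime.fromisoformat(parts[0]), int(port)))
    return drops


def parse_requests(text):
    """Yield (timestamp, source IP, path) for each well-formed access line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src = _field(parts[3], "src")
        if src is None:
            continue
        yield datetime.fromisoformat(parts[0]), src, parts[2]


def correlate(firewall_text, access_text, threshold=SCAN_PORT_THRESHOLD, window=WINDOW):
    """Return [(src, path, sorted_scanned_ports)] for requests whose source IP
    had >= threshold distinct ports dropped within `window` before the request.
    Either event stream alone is unremarkable; only the combination is flagged."""
    drops = parse_drops(firewall_text)
    flagged = []
    for ts, src, path in parse_requests(access_text):
        recent = {port for t, port in drops.get(src, ()) if ts - window <= t <= ts}
        if len(recent) >= threshold:
            flagged.append((src, path, sorted(recent)))
    return flagged


if __name__ == "__main__":
    for src, path, ports in correlate(FIREWALL_LOG, ACCESS_LOG):
        print(f"block {src}: requested {path} after scanning ports {ports}")
```

Only 203.0.113.5 is flagged: 198.51.100.7 probed a single port, which is below the scan threshold, and 192.0.2.9 never touched the firewall. The threshold and window are the tuning knobs; a real IPS would also age out old drop records rather than keep them all in memory.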

Score:0
sg flag

You can set up the WAF in a DMZ to protect internet traffic. Also, IDS/IPS plus DPI can be used in the internal network, active or passive (inline or not).

Score:0
jp flag

You don't need to use packet inspection if you set up your firewall correctly. But you still need IPS/IDS and an integrity check even though you have only one simple server with minimum services.
Consider these situations:

  • If there is an unknown attack method/signature for your WAF, your WAF is practically useless against that kind of threat (especially zero-day vulnerabilities). In this situation, monitoring user activity and checking system integrity is a smart move. Using auditing tools may help and warn you of suspicious (but not known) threats. However, it needs more resources, customized audit rules and constant checking.
  • Bypassing a WAF is not imaginary. In this case, an IPS/IDS or any other scanning mechanism increases your security level as a second layer of defence, even if your WAF fails.

    If you have concerns about your setup but don't want to use a complicated or expensive solution, you can combine very basic tools like customized "iptables" rules with "SELinux" and "AIDE" for a stronger security plan.
Ron Trunk
If the WAF can't detect a zero day, what makes you think the IPS would?
Hamid Farahani
@RonTrunk An IPS/IDS detects any system file change (Horse Pill malware, for instance), but a WAF focuses on the web application. This is different from attack signatures. In "zero-day attacks" a WAF does NOT recognize affected files! An IPS/IDS does.
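The answer and comments above lean on host integrity checking (AIDE) as the layer that catches what a WAF cannot: a modified binary or a dropped file after a successful exploit. The following is an added example, not code from the thread and not AIDE's own code, of the baseline-then-compare technique that tools like AIDE implement. It runs on a throwaway temp directory so it works offline; the file names in `demo()` are made up for illustration.

```python
"""Minimal AIDE-style file-integrity check: take a baseline, later compare.

Added example (not code from the thread, nor AIDE's own code). It works on a
throwaway temp tree so it runs offline; the file names in demo() are made up.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root.
    mtime is deliberately not recorded: an attacker can reset it (touch -r),
    but cannot keep the content hash the same after changing the content."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {
                "sha256": _sha256(path),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return entries


def save_baseline(entries):
    """Serialize the baseline; in practice store it off-host or read-only."""
    return json.dumps(entries, sort_keys=True)


def compare(baseline, current):
    """Diff two snapshots into added / removed / changed relative paths."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Build a fake root, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        ls_path = _write(root, "bin/ls", b"original ls binary")
        _write(root, "etc/motd", b"welcome")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = json.loads(save_baseline(snapshot(root)))

        # Tamper: replace a binary with one of identical size and restore its
        # original timestamps, drop a new library, and delete a file.
        st = os.stat(ls_path)
        _write(root, "bin/ls", b"trojaned ls binary")
        os.utime(ls_path, (st.st_atime, st.st_mtime))
        _write(root, "lib/evil.so", b"payload")
        os.remove(os.path.join(root, "etc/motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The replaced `bin/ls` keeps its size and mtime, so a check based on `ls -l` style metadata would miss it; the content hash does not. The value of this layer depends entirely on the baseline being trustworthy, which is why the baseline should be taken from a known-good image and stored where a compromised host cannot rewrite it.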