What’s the difference between Intrusion Prevention Systems and(IPS) and Web Application Firewall?

I was asked a few times what is the difference between HIPS, NIPS, IPS, Application Firewall.  I did research a bit about this and started to write something.

But, then I found this great article (see below at the resources) which describes everything perfect. Also read my own conclusions at the end of the article.



We are all somewhat familiar with Intrusion Prevention Systems (IPSs). But what is all this talk of Web Application Firewalls (WAFs)? What is a Web Application Firewall and how does it differ from an IPS? First, let’s take a quick look at Intrusion Prevention, its benefits and some short-comings. Then we will discuss WAFs and how they differ from and augment IPSs.

Intrusion Prevention System (IPS)

An IPS generally sits in-line and watches network traffic as the packets flow through it. It acts similarly to an Intrusion Detection System (IDS) by trying to match data in the packets against a signature database or detect anomalies against what is pre-defined as “normal” traffic. In addition to its IDS functionality, an IPS can do more than log and alert. It can be programmed to react to what it detects. The ability to react to the detections is what makes IPSs more desirable than IDSs.

There are still some drawbacks to an IPS. IPSs are designed to block certain types of traffic that it can identify as potentially bad traffic. IPSs do not have the ability to understand web application protocol logic. Hence, IPSs cannot fully distinguish if a request is normal or malformed at the application layer (OSI Layer 7). This short coming could potentially allow attacks through without detection or prevention, especially newer attacks without signatures.

Being there is a large number of web applications in existence, both commercial and home grown, there will tend to be a lot of different types of vulnerabilities available for attackers to exploit. IPSs cannot effectively cover all the potential vulnerabilities and in actuality may end up producing more false positives. False positives are very bad because they make already busy security analysts even busier. An overload of false positives can delay response to actual attacks or cause attacks to get accepted as normal because of an analyst trying to reduce the noise.

Host IPSs (HIPS) are a little more granular than network IPSs (NIPS). HIPS can monitor the application layer (OSI Layer 7), a little closer to the logic delivered to the web application. But HIPS still lacks some understanding of web application languages and logic. In response to these shortcomings, we are presented the Web Application Firewall.

Web Application Firewall (WAF)

WAFs are designed to protect web applications/servers from web-based attacks that IPSs cannot prevent. In the same regards as an IPS, WAFs can be network or host based. They sit in-line and monitor traffic to and from web applications/servers. Basically, the difference is in the level of ability to analyze the Layer 7 web application logic.

Where IPSs interrogate traffic against signatures and anomalies, WAFs interrogate the behavior and logic of what is requested and returned. WAFs protect against web application threats like SQL injection, cross-site scripting, session hijacking, parameter or URL tampering and buffer overflows. They do so in the same manner an IPS does, by analyzing the contents of each incoming and outgoing packet.

WAFs are typically deployed in some sort of proxy fashion just in front of the web applications, so they do not see all traffic on our networks. By monitoring the traffic before it reaches the web application, WAFs can analyze requests before passing them on. This is what gives them such an advantage over IPSs. Because IPSs are designed to interrogate all network traffic, they cannot analyze the application layer as thoroughly.

WAFs not only detect attacks that are known to occur in web application environments, they also detect (and can prevent) new unknown types of attacks. By watching for unusual or unexpected patterns in the traffic they can alert and/or defend against unknown attacks. For example- if a WAF detects that the application is returning much more data than it is expected to, the WAF can block it and alert someone.


Web Applications Firewalls are a special breed of product used to detect attacks against web applications in more depth than an Intrusion Prevention System. WAFs can be used in our environments to provide enhanced protection to web applications/servers. Using a WAF is a good way to augment our IPSs and provide another layer of protection for our Defense-In-Depth architecture.

My own recommendations for classical antivirus vendors

The antivirus producers can’t use their scanners to scan the traffic going in and getting out the applications protected by a WAF. They are used to scan files and we don’t have here even the concept of a file. It relates mostly to a stream scanning technology (something that scans the payload in each TCP/IP frame) but because of the fact that it has to scan each byte, it might prove challenging to create something like this in real-time. The future will tell us.

The only opportunity here for a classical engine is to refocus on attack patterns instead of files.

This means that you have to enhance the detection from “only files” into “Attack Patterns”.

What is an attack pattern?
It is the trace created by a web-based attack before, during and after it “attacks” its victim.
It is a combination of actions such as brute-force login attacks, DDOS, exploitation of web vulnerabilities (SQL injections, etc.) and in the end, even downloading executables. It requires intimate knowledge of the attacks and a framework that collects the pieces and puts them together in order to determine if the traffic is an attack pattern.




Author: Jim McMillan, November 2009

AppliCure Technologies (n.d.). The Role of each technology in the security environment. Retrieved fromhttp://www.applicure.com/answers/Web_Application_Security/Avoiding-web-attacks

Citrix (2007). Application security: Why network firewalls and intrusion prevention systems aren’t enough. Retrieved fromhttp://whitepapers.techrepublic.com.com/abstract.aspx?docid=295292

Mikko, C. (2009, May 15). The next Layer of desktop security host-based intrusion prevention systems. Retrieved fromhttp://www.productivecorp.com/p-guide/-next-layer-desktop-security-host-based-intrusion-prevention-systems

Jahchan, GJ. (n.d.). Introduction to web application firewalls. Retrieved fromhttp://www.infosectoday.com/Articles/Web_Application_Firewalls/Web_Application_Firewalls.htm

Brandel, M. (2009, June 09). Web application firewalls: how to evaluate, purchase and implement. Retrieved fromhttp://www.csoonline.com/article/494587/Web_Application_Firewalls_How_to_Evaluate_Purchase_and_Implement

Beechey, J. (2009, March). Web application firewalls: defense in depth for your web infrastructure. Retrieved fromhttp://www.sans.edu/resources/student_projects/200904_01.doc

Jacobs, D. (2009, August 17). Web application firewalls: how they can help protect customers. Retrieved fromhttp://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1365019,00.html#

SecureWorks, . (2009, April 20). Secureworks, inc. launches managed web application firewall service. Retrieved fromhttp://www.secureworks.com/media/press_releases/20090420-waf

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: