What is WAF and IPS (Intrusion Prevention System & Web Application Firewall)

IPS (Intrusion Prevention System) and WAF (Web Application Firewall) are among the most well-known acronyms in the world of network security, which novice security professionals may have trouble understanding. This article was written to dispel any doubts and delve a little deeper into the topic.

How WAF works

WAF is a hardware or software solution that serves as an intermediary between the client and the application. This means that all HTTP communication is analyzed before it reaches the application or user.

To monitor HTTP traffic, the Web Application Firewall applies a set of predefined rules that ultimately detect attack attempts such as XSS, SQL injection, DoS / DDoS and more. In the event of a threat, the WAF blocks malicious requests and responses containing sensitive data.

There are three different types of WAF:

• hardware-based - deployed with a physical device, installed locally on a local area network (LAN). A configurable operating system is installed inside the device.
• software-based - a software-based firewall that is installed in a virtual machine.
• cloud-based - as the name implies, all WAF components are located in the cloud, so that the user (as in the case of software-based) does not have to install anything locally and on virtual machines.

Naxsi

To bite a little more into the topic, let's look at the configuration of NAXSI, the free WAF module of the Nxinx web server. NAXSI provides several configuration files. One of them includes the /etc/nginx/naxsi.rules file, which defines the main actions taken by the module. An example file could look as follows:

# config mode section
LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
#
# check rules section
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

What does the inside of the file mean? Let's take a look at each element in turn.

• LearningMode - NAXSI can operate in two modes, i.e. NormalMode and LearningMode. The former redirects malicious requests to a specific location and, since we do not block these requests, we can return a static page presenting an error message. LearningMode, on the other hand, causes malicious requests to be copied (instead of redirected) to a specific location on the page and then processed by the application,
• SecRulesEnabled / SecRulesDisabled - enables or disables NAXSI for that location,
• DeniedURL - defines the endpoint to which blocked requests will be redirected,
• CheckRule - defines actions when a given result is met.

How IPS works

As for the Intrusion Prevention System, it is a device or software with a slightly more general purpose. This is because instead of focusing on a single protocol as in the case of WAF, IPS provides protection against traffic coming from protocols such as DNS, SMTP, TELNEM, SSH, FTP and RDP. The main threats the IPS is designed to prevent are denial of service (DoS) attacks, DDoS attacks and exploits.

To this end, the IPS inspects the packets being sent to the server, carefully analyzing each one. If a suspicious or malicious packet is detected, the IPS system can react in several different ways, including:

• by terminating the TCP session and blocking the IP address or account of the user sending the malicious packets,
• by reprogramming or reconfiguring the firewall to prevent similar attacks in the future,
• removing or replacing malicious content.

WAF vs IPS

Let's do a very general comparison of which protocols and what min. methods, attacks and requests both of the solutions can cover, so we can better visualize the differences between the two.

+------------------------------------+------------------------------------+
|                 WAF                |                 IPS                |
+------------------------------------+------------------------------------+
|    7 layer ISO OSI (HTTPS/ HTTP)   |         3 / 4 layer ISO OSI        |
+------------------------------------+------------------------------------+
|         SSL (decryption)           |                 DNS                |
|         JavaScript                 |                SMTP                |
|         Ajax                       |               TELNET               |
|         Active X                   |                 RDP                |
|         Session management         |                 SSH                |
|         GET, POST, HEAD            |                 FTP                |
|         URL                        |                                    |
|         SQL Injection              |                                    |
|         Cookie Manipulation        |                                    |
|         XSS                        |                                    |
+------------------------------------+------------------------------------+

Sources

https://www.lanner-america.com/blog/waf-vs-ips-whats-difference/
http://it.wip.pw.edu.pl/data/uploads/uskom/uskom_zapory_ogniowe.pdf
https://www.pentasecurity.com/blog/3-types-web-application-firewalls/
https://ipwithease.com/how-is-ips-ids-different-from-waf/
https://github.com/nbs-system/naxsi
https://www.proteansec.com/application-security/naxsi/