The difference between IPS (intrusion prevention system) and WAF (Web Application Protection System)

IPS (Intrusion prevention system) and WAF (Web Application Protection system) Two products have different usage scenarios, with the complexity of web application development, security requirements are increasing, the emergence of WAF is in compliance with the needs of the market and technology.

Web application protection is undoubtedly a hot topic. Due to the development of technology and people's expectation of convenience, Web application becomes the mainstream business system carrier. The value of the data contained in the key business systems of "home" on the web has been favored by attackers, and web-based vulnerability mining and attack tools have reduced the threshold for attacks, and have led to many attacks with blindness and randomness. For example, the use of googlehacking principle of bulk search for applications with known vulnerabilities, as well as SQL batch injection and hanging horse. But for important web applications, such as operators or finance, there is always an ongoing track by a profit-driven hacker.

If the traditional "chatty" security protection products can withstand most of the attack by the tool, then the targeted attack behavior is inadequate. The WAF is a high-end professional security product that needs to be born, which is also the inevitable trend of market demand refinement. But because of its deployment and functional aspects and IPs have similar, some people ask questions, why not use IPs, or what are the similarities and differences between WAF and IPs? Who is better at protecting Web servers?

These questions actually make sense, the result of differentiation is that the high-end demand is different, which needs to refine the function to meet the specific needs and the application of the current situation of the product, which is the user needs are determined by the development of the business itself.

Bodyguards and security.

In order to better understand the two product differences, we first use this bodyguard (WAF) and security (IPS) analogy to describe.

Building security needs to check all the personnel in and out of the building, once the suspect is found to forbid him to enter, but if the "seemingly Zhong Liang" the bad guys to pry into the safe and other destructive behavior, building security is powerless.

Private bodyguards refer to high-level, more "personal" protection. He usually only protects specific personnel, so in advance need to understand the identity of protected persons, habits, preferences, routines, weaknesses, etc., because the work of the protected person needs to face different people, to different occasions, the role of the bodyguard can not because of danger to stop, change his behavior, only to foresee the possible risks, Then tailor the appropriate protection plan.

The difference between the two roles is that the security is the entire building, he does not need to know who is the most need to protect the person, the bodyguard is clear the list of protected objects, need to deeply understand the personality characteristics of protected persons.

Through the above analogy, we should understand that the reason why they feel similar is because the responsibility is to protect, but the difference lies in the different functions. From the technical principle will be based on positioning to achieve. Here are a few layers to analyze the similarities and differences between WAF and IPs.

Timeline for events

For the occurrence of security incidents, there are three time points: beforehand, in the matter, afterwards. Traditional IPs are usually only effective in things, that is, checking and defending attack events, and the other two time points are unique to WAF.

In advance, you can detect a vulnerability by proactively scanning the Web server before an event occurs, and proactively prevent it by repairing Web server vulnerabilities or by adding protection rules on the front-end protection devices. The latter means that even if the Web server is attacked, there must be a tamper-proof web page that will allow the attacker to destroy the website data.

Why can't I have 100% of the protective power? In fact, from the following aspects know that only the relatively best protection in the matter can not be absolute, because:

1. Software is inherently flawed, including components and libraries that are applied to third parties that cannot control its security;

2. The application is updated, the business is continuous development, dynamic, if you do not continuously monitor and adjust the security policy, there will be omissions;

3. Attackers are always in the dark, you can track research on business systems, find vulnerabilities and protection flaws, detect them with various variants and use them to attack;

4. Any protective equipment is difficult to 100% without any defects, whether it is a variety of algorithms or rules, is to minimize the impact of attack.

Therefore, it is necessary to use a closed-loop and recyclable way to reduce the potential threat, for the omission of the attack, can be pre-discovered beforehand and the subsequent repair, the formation of interlocking dynamic security protection. Prior to the use of scanning to proactively check the site and the results of the formation of new protection rules added to the protection of the strategy, and the subsequent anti-tamper can ensure that even if the omission also let the pace of attack stop here, can not further modify and damage to the website files, for the credibility of high and integrity of users, this is particularly important link.

If there is only a difference in the timeline of the event, then other products can be used to assist, but the key thing is that the protection is also a deep difference, then let's talk about the difference in the matter.

Longitudinal depth Difference

In the case of real-time protection, the difference is that one is the aspect degree, the other is the depth. IPS highlights the advantage is the aspect, that is, for all traffic in the network supervision, it is facing a large amount of data, processing TCP/IP model in the network traffic from the physical layer to the application layer is submitted by layer, the IPs is mainly located in the analysis of the transport layer and the network layer of data, and then up is a complex application layer protocol message , WAF provides only the full level of monitoring of web application traffic.

The regulatory level is different, if the same attacks, such as SQL injection, they can be protected, but the principle of protection differs, the IPs basically rely on static signatures to identify, that is, attack characteristics, this is a passive security model. The following is a snort alert rule:

Alert TCP $EXTERNAL _net any, $HTTP _servers $HTTP _ports (msg: "SQL injection-paranoid"; Flow:to_server,established;uricontent: ". asp";p CRE: "/(\%27) | (') | (-) | (%23) | (#)/I"; Classtype:web-application-attack; sid:9099; Rev:5;

This is mainly to check the meta-characters submitted in SQL injection, including single quotes () and double horizontal (--), so as to avoid the injection of 1 or 1=1-attacks, but also to consider the conversion of these metacharacters to hex value to escape the filtering check, and then added in the rules of its corresponding hexadecimal encoded string.

Of course, there are many things to consider in order to identify attacks from signature signatures, not only metacharacters but also SQL keywords, including: Select Insert Update, and so on, as well as the case variants and stitching of these keywords, using annotations to escape filtering, as in the following example:

Use mixed-case characters: Selectfrom "

Replace the space character with the TAB or carriage return: select[tab]from

Use multiple spaces between keywords: select from

Numeric encoding of the string: 0x414141414141 or 0x41004100410041004100

Insert comment string ignored by database: Sel/**/ectfr/**/om select/**/from

Use some of the string conversion features supported by the database: char (65) or CHR (65)

string concatenation operation using data support: Sel+ect +fr+om ' "," ' sel| | ECT | | fr| | Om

It can be imagined that if you want to detect the above deformation character after the attack will need to add the corresponding signature features, but more importantly, to fully consider the type of conversion encoding, the above example of the snort rule put the suspect Word utilises and its converted hex value into the same rule check, if for a variety of attacks after deformation, This is lagging and can cause a bloated signature.

For the more superficial attack mode both can be protected, but most of the market IPs is unable to do multiple conversion of the message encoding, so this will lead to the attacker only need to build such as conversion coding, splicing attack statements, case transform and other packets can bypass the input check and directly submitted to the application.

And this is exactly the advantage of WAF, can be different encoding method to do a forced multi-conversion to reduce the attack plaintext, the deformed character after the analysis of the combination. So why can't IPs do this? There is also encryption and decryption for HTTPS

Product architecture

As you know, IPs and WAF are usually deployed in tandem in the front of the Web server, are transparent to the server and client, do not need to do any configuration, it seems to be the same way of networking, in fact, there is a big difference. Let's start by looking at the deployment methods supported by mainstream WAF:

L Bridge mode

L Route mode

L Reverse Proxy

L Bypass Mode (non-tandem)

The two are deployed in tandem in the Web server front-end, most IPs in the market use bridge mode, and WAF is in reverse proxy mode, the IPs need to deal with all traffic in the network, and WAF only deal with the protocol related to Web application, the other give forwarding, such as:

Bridge mode and reverse proxy mode difference is: Bridge mode is based on the network layer of packet forwarding, there is no protocol stack, or only a simple simulation of some protocol stack, the analysis of network message traffic is based on a single packet, so to deal with fragmented messages, data flow reorganization, chaotic message, message retransmission, packet loss has no advantage. At the same time the network traffic includes a lot of protocols, each application layer protocol has its own unique protocol features and format requirements, such as FTP, SSH, Telnet, SMTP, etc., can not put a variety of application traffic to the application layer protocol stack to deal with.

The protocol stack embedded in the WAF system is modified and optimized to fully support the processing of HTTP application protocols, which means that HTTP messages must be handled in accordance with the RFC standard (Internet requests for Comments), including the following major RFCs:

L RFC 2616 Definition of HTTP protocol syntax

L definition of RFC 2396 URL syntax

L RFC 2109 How cookies work

L RFC 1867 http How to post, and the format of post

In the RFC, the request number of HTTP, URL length, protocol name length, head value length and so on are strict requirements, as well as the transmission sequence and application format, such as the requirements of HTML parameters, cookie version and format, file upload encoding multipart/ Form-data encoding and so on, these application layer content can only be correctly identified and controlled with the full application layer protocol stack, for incomplete packet loss, retransmission packets and fake malformed packets will be handled by the Protocol check mechanism.

The WAF that was mentioned in the previous section decodes HTTPS and the decoding of multiple encodings is precisely because the message must be processed by the Application layer protocol stack. Conversely, why can't IPs do it? is due to its own bridge mode architecture, the HTTP session "Smash" into multiple packets in the network layer analysis, and can not be completely from the application layer angle to process and combine multiple messages, and Application layer protocol, all to support is unrealistic, product positioning does not need this. The next section of the learning model is a very different defense mechanism for both, and this mechanism is also dependent on the WAF's product architecture.

Learning-based Active mode

In the previous talk about the security model of IPS is the passive mode with static signature applied, then the reverse is the active mode. The WAF defense model is supported by both, the so-called active mode is that the WAF is a valid authentication input device, all traffic is verified and then forwarded to the server, can increase the application layer logic combination rules, more importantly, with the Web application of active learning capabilities.

Learning features include:

1. Monitor and learn the web traffic in and out, learn the link parameter type and length, form parameter type and length, etc.

2. Crawler function, the crawler actively to analyze the entire Web site, and establish a normal state model;

3. Scan function, proactively scan and generate protection rules based on the results.

Based on learning

The difference between IPS (intrusion prevention system) and WAF (Web Application Protection System)