Who is WAF and IPS more suitable for protecting Web applications?

Source: Internet
Author: User

Who is the best choice?

Web application protection is undoubtedly a hot topic. Because of the maturity of technologies and the increasing expectation of convenience, Web applications have become the mainstream carrier of business systems. The data value contained in the key business systems of "anjia" on the Web has aroused the favor of attackers. The Web vulnerability mining and attack tools circulating on the Internet have lowered the attack threshold, it also makes many attacks blind and random. For example, you can use the GoogleHacking principle to batch find applications with known vulnerabilities, as well as SQL batch injection and Trojan Horse mounting. However, for important Web applications (such as operators or financial institutions), hackers who are always driven by interests are constantly tracking.

If the traditional "Big and comprehensive" security protection products can defend against most attacks generated by tools, targeted attacks will not be sufficient. WAF is a high-end professional security product born on demand, which is also an inevitable trend of market demand refinement. However, since its deployment and functions are similar to those of IPS, some people may wonder why IPS cannot be used, or what are the similarities and differences between WAF and IPS? Who is better suited to protect Web servers?

These questions are actually justified. The difference is that the high-end needs are different, so we need to refine the functions to fit the specific needs and meet the application status of the product, this is also determined by the user requirements with the development of the business itself.

Bodyguard and security guard

To better understand the differences between the two products, we first use this guard (WAF) and security (IPS) to describe.

The building's security guards need to inspect all personnel entering and exiting the building. Once a suspicious person is found, he is prohibited from entering the building. However, if the "seemingly loyal" bad guy is involved in cracking the safe and other destructive activities, building security is powerless.

Private Guard refers to high-level and more "close-fitting" protection. He usually only protects specific people, so he needs to understand the identity, habits, preferences, work schedules, and weaknesses of the protected person in advance, because the work of the protected person needs to face different people, on different occasions, the responsibilities of a bodyguard cannot stop or change his behavior because of danger. Instead, they can only predict possible risks and then customize appropriate protection solutions.

The difference between the two roles is that the security guards protect the entire building, and they do not need to know who is the most important person to be protected. The guard defines the list of protected objects, a deep understanding of the individual characteristics of the protected person is required.

Figure 1.1 bodyguard and security guard

Through the above metaphor, we should understand that the two feel similar because their responsibilities are protected, but the difference lies in their different functional positioning. In terms of technical principles, it will be implemented based on positioning. The similarities and differences between WAF and IPS are analyzed in the following aspects.

Event timeline

There are three time points for the occurrence of Security Events: beforehand, during, and afterwards. Traditional IPS are only valid for attack detection and protection. The other two time points are unique to WAF.

Figure 1.2 event timeline

As shown in, vulnerabilities can be detected by actively scanning and Detecting Web servers before an event occurs, you can take proactive measures such as fixing Web server vulnerabilities or adding protection rules on front-end protection devices to prevent incidents. After the event, the website must be tamper-resistant even if the Web server is attacked, so that attackers cannot destroy website data.

Why cannot I have the 100% protection capability? In fact, we know from the following aspects that we can only achieve relatively optimal protection in the process, but not absolute, because:

1. Software is inherently flawed, including components and function libraries applied to third parties that cannot control their security;

2. The application is being updated, and the business is continuously developing and dynamic. If you do not continuously monitor and adjust security policies, there will also be omissions;

3. attackers are always in the dark. They can track and study the business system, find vulnerabilities and protective defects, and use various deformation techniques to detect and use them for attacks;

4. It is difficult for any protection device to eliminate any defects. Various algorithms and rules minimize the impact of attacks.

Therefore, a closed-loop and cyclical approach is required to reduce potential threats. For such attacks, pre-detection and post-event compensation can be used to form dynamic security protection. In advance, the website is actively inspected by scanning and a new protection rule is formed based on the results to be added to the protection policy in the event, the post-event tamper-proofing ensures that even omissions stop the attack and the website files cannot be further modified or damaged. This is especially important for users with high credibility and integrity.


Figure 1.3 WAF security closed loop

If there is only a difference in the timeline of an event, you can still use other products for assistance. However, the key thing is that there is also a deep difference in protection, now let's talk about the differences in things.

In the event, that is, real-time protection, the difference between the two lies in the aspect and depth. The advantage of IPS lies in its aspect, that is, its monitoring of all traffic in the network. It faces massive data volumes, in the TCP/IP model, network traffic is submitted layer by layer from the physical layer to the application layer. IPS mainly analyzes the data at the transmission and network layers, and then goes up to the complex application layer protocol packets, WAF only provides supervision on all aspects of Web application traffic.


Figure 1.4 Data Structure

At different regulatory levels, IPS can defend against the same attacks, such as SQL injection, but the protection principles are different. IPS relies on static signatures for identification, that is, attack features. This is just a passive security model. The following is an Snort alarm rule:

Alert tcp $ EXTERNAL_NET any-> $ HTTP_SERVERS $ HTTP_PORTS (msg: "SQL Injection-Paranoid"; flow: to_server, established; uricontent: ". asp "; pcre:"/(\ % 27) | (\ ') | (\-) | (% 23) | (#)/I "; classtype: web-application-attack; sid: 9099; rev: 5 ;)

Here we mainly check the metacharacters submitted in SQL injection, including single quotes (') and dual horizontal (--), to avoid injection attacks such as '1 or 1 = 1, however, we also need to consider converting these metacharacters into Hex values to escape the filtering check, and then add the corresponding Hex encoded string to the rule.

Of course, there are still many things to consider from the signature features to identify attacks, not only metacharacters but also SQL keywords, including: select insert update, and the case-sensitive deformation and splicing of these keywords, escape filtering by using annotations, as shown in the following example:

Use case-insensitive characters: SeLecT fRom"

Replace the space character with a TAB character or carriage return character: select [TAB] from

Multiple spaces are used between keywords: select from

String Value encoding: 0x414141414141 or 0x41004100410041004100

Insert comment strings ignored by the database: sel/**/ect fr/**/om select/**/from

Use some string conversion functions supported by the database: char (65) or chr (65)

Use the String concatenation operations supported by data: 'sel '+ 'ect' + 'Fr '+ 'om' and 'sel '| 'ect' | 'Fr '| 'om, if you want to detect the attack after the deformation characters above, you need to add the corresponding signature features, but more importantly, you need to fully consider the type of conversion encoding, the snort rules in the above example put the suspicious characters and their converted Hex values in the same rule for check. If there are many types of attacks after deformation, this is lagging behind and will cause a bloated signature.

Both of them can defend against relatively superficial attacks, but most IPS on the market cannot perform multiple conversions on message encoding, therefore, attackers only need to construct data packets such as conversion encoding, splicing attack statements, and case-sensitivity conversion to bypass the input check and directly submit the data to the application.

This is exactly the advantage of WAF. It can force Multiple conversions to different encoding methods to restore them to attack plain text, and combine the characters after deformation before analysis. Why can't IPS achieve this level? Also, encryption and decryption for HTTPS are explained in the product architecture in the next section.

Product Architecture

We all know that IPS and WAF are usually deployed on the front-end of Web servers in tandem. They are transparent to servers and clients and do not require any configuration. They all seem to be the same networking mode. In fact, there is a big difference. First, let's take a look at the deployment modes supported by mainstream WAF in the market:

L Bridge Mode

L routing Mode

L reverse proxy

L bypass mode (non-series)

When the two are deployed in tandem at the front-end of the Web server, most IPS on the market adopt the bridge mode, while WAF adopts the reverse proxy mode. IPS need to process all the traffic on the network, WAF only processes Web Application-related protocols, and others forward data, such:


Paranoid "; flow: to_server, established; uricontent:". asp "; pcre:"/(\ % 27) | (\ ') | (\-) | (% 23) | (#)/I ";

Figure 1.5 multi-protocol Diagram

The difference between the bridge mode and the reverse proxy mode is that the bridge mode is packet forwarding based on the network layer, and there is basically no protocol stack, or only some protocol stacks can be simply simulated, the analysis of network packet traffic is based on a single packet. Therefore, it is not advantageous to handle fragmented packets, data stream reorganization, out-of-order packets, packet retransmission, and packet loss. At the same time, there are many protocol types in network traffic. Each application layer protocol has its own unique protocol characteristics and format requirements, such as Ftp, SSH, Telnet, SMTP, etc, various application traffic cannot be processed on the application layer protocol stack.

The protocol stack embedded in WAF is modified and optimized to fully support Http application protocol processing. This means that Http packets must be processed according to the RFC standard (Internet Requests For Comments, it includes the following major RFC:

L RFC 2616 HTTP syntax definition

L definition of RFC 2396 URL syntax

L how does RFC 2109 Cookie work?

L RFC 1867 how to post http and the format of POST

The request line length, URL length, protocol name length, and header value length of Http in RFC are strictly required, as well as the transmission sequence and application format, for example, Html parameter requirements, Cookie versions and formats, File Upload encoding multipart/form-data encoding, etc, these application layer content can be correctly identified and controlled only when it has a complete application layer protocol stack. For incomplete packet loss, both retransmission packets and forged malformed packets are processed through protocol verification.

The WAF encryption and decryption for Https and multi-encoding decoding mentioned in the previous section are precisely because the packets must be processed by the application layer protocol stack. Why can't IPS do this? Because of its own bridge-mode architecture, the Http session is broken into multiple data packets for analysis at the network layer, rather than processing and combining multiple packets from the application layer perspective, in addition, there are many application-layer protocols, and it is unrealistic to support all of them. This is not required for product positioning. The Learning Model in the next section is a completely different protection mechanism between the two. This mechanism also depends on the WAF product architecture.

Learning-based Active Model

As mentioned above, the IPS security model applies the passive mode of static signature, and vice versa. The WAF defense model supports both. The active mode is that WAF is a device that effectively verifies the input. All data streams are verified and then forwarded to the server, it can add rules for logical combinations at the application layer, and more importantly, it can actively learn Web applications.

Learning functions include:

1. Monitor and learn the inbound and outbound Web traffic, learn the Link parameter types and lengths, and form parameter types and lengths;

2. crawler function. crawlers take the initiative to analyze the entire Web site and establish a normal state model;

3. The scan function takes the initiative to scan and generate protection rules based on the results.

The objective of the learning-based Active model is to establish a security protection model. Once there is a difference in behavior, we can find that, for example, the hidden form, the restricted Listbox value is tampered with, and the input parameter type is invalid, in this way, the security protection model can be used to dynamically adjust the protection policy in the face of changing attack methods and unknown attack types.


More features of WAF, including Secure delivery capabilities, cache-based application acceleration, trojan detection, anti-DDOS attacks, and compliance with PCIDSS's anti-leak requirements all indicate that this is not only an attack protection, at the same time, professional products must be highly integrated to meet the customer experience and protect confidential data. This article only analyzes some technical principles of WAF from the perspective of product features comparison, but does not deny the value of IPS. After all, the two have great differences in deployment scenarios and functions.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.