IPS vs WAF (or Four Things Your WAF Can’t Do)

A few days back someone tweeted a link to this blog post “WAF vs IPS (or Four Things Your IPS Can’t Do)”, and it waved a little red flag at me. Sorry bmestep (I didn’t see your full name on your blog), you requested no flames but your post was begging for some follow-up. I will, however, try my best to make sure it’s not all flame and include some content as well.

“I see this often and I am always amused at the topic. I have worked with IDS/IPS for 8 years, so I know IPS when it was just a flavor of IDS that no one wanted to enable for fear of blocking access to users and customers. I chuckle at the thought of WAF being a glorified IPS.”

Err, yeah, me too I guess.

In fact I have worked in a world where marketing spin and the FUD from *some* technology vendors have forced confusion between complementary technologies available on the market. Those who know me are most likely aware that I work for Sourcefire, so I guess I could be seen as part of the vendor problem, but let’s ignore that fact for the moment[1].

If you’re unlucky enough to walk around security trade-show floors, you’ll see a lot of similar messaging all around. Every year the message changes to what’s hot right now, but you can guarantee that most will be selling the same message with vastly different products.

This “me too” is where the pain comes from and Leon gets angry. Let me spell things out.

  • An IPS is not a WAF
  • A WAF is not an IPS
  • A Firewall is not an AV
  • A BMW is not a DVR
  • And to badly quote Mark Watson “I’m not interested in watching TV on my mobile phone, in the same way I’m not interested in taking a sh*t in my tumble dryer”

Maybe I should have titled this post “WAF vs Lawn Mower (or Four Things A WAF Can’t Do, That Your Lawn Mower Can).”

I don’t fancy sitting here tapping out a list of things that an IPS does that a WAF doesn’t because I don’t see that it has ANY relevance. Oh, and one last comment.

“As packets are inspected by an IPS, they are often discarded to improve performance. This is a key differentiator, because a WAF must retain packets in order to keep the context of a client web request and the subsequent server response.”

If there is anyone out there who wants to know how a good IPS works, you know, one that *doesn’t* discard packets to improve performance, go grab the latest Snort tarball and start reading the source.

Anyway, I think it’s time I climb down off my soap-box.

[1] On a closing note, I feel that I must mention that I think Sourcefire does a good job at marketing its IPS product. As a company we are not one to jump on the latest hype-cycle with some vapour-ware. Take a look at, there’s no mention of our IPS being able to mow lawns.



An update on the whole “car hits house” thing.

It’s been a while since I posted any updates to this blog, 2009 was a busy year both at work and at home.

For those of you who follow me on Twitter (@leonward) you may know of the great-crash of 2009. I’m not talking about Wall St here, I’m talking about when the front of my house met a car that somehow managed to drive off a straight road, across my neighbour’s garden, bounce off my wife’s car, and end up partly in my lounge. At the time many people requested pictures and more info (“pics or it didn’t happen” springs to mind) but due to insurance claims and the police being involved I thought it best to keep things off the internet at the time.

As things are now on their way to being sorted out, and yes, it has taken a while, I thought it safe to share a few of the pics of the carnage. Looking on the bright(er) side of things, at least we hadn’t completed the decorating / remodelling of the room (hence the awful original curtains, woodwork colour, no carpet etc). I also purchased a new amp and speaker package three days previously, but the shop didn’t have one of the items in stock so I didn’t pick it up. If it had come home with me the sub-woofer and a couple of speakers would have been a write-off. Annoyingly the re-plastering and painting of the walls was only completed two days before the crash.

So enjoy some Schadenfreude.

