An alchemists view from the bar

Network Security Alchemy

IPS vs WAF (or Four Things Your WAF Can’t Do)


A few days back someone tweeted a link to this blog post “WAF vs IPS (or Four Things Your IPS Can’t Do)“, and it waved a little red flag at me. Sorry bmestep (I didn’t see your full name on your blog), you requested no flames, but your post was begging for some follow-up. I will, however, try my best to make sure it’s not all flame and include some content as well.

“I see this often and I am always amused at the topic. I have worked with IDS/IPS for 8 years, so I know IPS when it was just a flavor of IDS that no one wanted to enable for fear of blocking access to users and customers. I chuckle at the thought of WAF being a glorified IPS.”

Err, yeah, me too I guess.

In fact I have worked in a world where marketing spin and the FUD from *some* technology vendors has forced confusion between complementary technologies available on the market. Those who know me are most likely aware that I work for Sourcefire, so I guess I could be seen as part of the vendor problem, but let’s ignore that fact for the moment[1].

If you’re unlucky enough to walk around security trade-show floors, you’ll see a lot of similar messaging all around. Every year the message changes to what’s hot right now, but you can guarantee that most will be selling the same message with vastly different products.

This “me too” messaging is where the pain comes from and where Leon gets angry, so let me spell things out.

  • An IPS is not a WAF
  • A WAF is not an IPS
  • A Firewall is not an AV
  • A BMW is not a DVR
  • And to badly quote Mark Watson “I’m not interested in watching TV on my mobile phone, in the same way I’m not interested in taking a sh*t in my tumble dryer”

Maybe I should have titled this post “WAF vs Lawn Mower (or Four Things A WAF Can’t Do, That Your Lawn Mower Can).”

I don’t fancy sitting here tapping out a list of things that an IPS does that a WAF doesn’t because I don’t see that it has ANY relevance. Oh, and one last comment.

“As packets are inspected by an IPS, they are often discarded to improve performance. This is a key differentiator, because a WAF must retain packets in order to keep the context of a client web request and the subsequent server response.”

If there is anyone out there who wants to know how a good IPS works, you know, one that *doesn’t* discard packets to improve performance, go grab the latest Snort tarball and start reading the source.
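To make the packet-retention point concrete, here is an added illustration (my own constructed example, not Snort source code and not anything from the post being quoted) of why an inspection engine that forgets each packet after looking at it can miss a rule whose content is split across TCP segments, while one that keeps the segments and reassembles the stream catches it. The rule content, the sample HTTP request, the segment boundaries and the sequence numbers are all constructed for the example.

```python
"""Per-packet matching vs. stream-reassembled matching (constructed example)."""
from dataclasses import dataclass

# Rule content to detect in an HTTP request (constructed sample, not a real rule).
SIGNATURE = b"/../../etc/passwd"


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # segment payload


def per_packet_match(segments, signature=SIGNATURE):
    """Naive inspection: each segment is inspected on its own and then forgotten."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and join contiguous payloads.

    A hole in the stream (a missing segment) stops reassembly at the gap;
    bytes already seen (retransmissions, overlaps) are skipped.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    stream = bytearray()
    expected = ordered[0].seq
    for seg in ordered:
        if seg.seq > expected:          # hole in the stream: cannot continue safely
            break
        overlap = expected - seg.seq    # bytes of this segment already in the stream
        fresh = seg.payload[overlap:]
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def stream_match(segments, signature=SIGNATURE):
    """Inspection after reassembly: the whole request is visible to the matcher."""
    return signature in reassemble(segments)


# Constructed request, split so the signature straddles two segments,
# delivered out of order, with the first segment retransmitted once.
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(seq=1018, payload=REQUEST[18:]),  # second half arrives first
    Segment(seq=1000, payload=REQUEST[:18]),  # b"GET /cgi-bin/../.."
    Segment(seq=1000, payload=REQUEST[:18]),  # retransmission of the first segment
]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SAMPLE_SEGMENTS))  # False
    print("stream match:    ", stream_match(SAMPLE_SEGMENTS))      # True
```

Run it and the per-packet matcher reports nothing, because neither segment contains the full content string, while the reassembled stream matches. Real engines also have to cope with overlapping retransmissions whose bytes differ and with target-specific reassembly policies; this toy keeps the first copy of any byte and stops at the first gap, which is enough to show why retaining packets is the job, not an optional extra.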

Anyway, I think it’s time I climb down off my soap-box.

[1] On a closing note, I feel that I must mention that I think Sourcefire does a good job at marketing its IPS product. As a company we are not one to jump on the latest hype-cycle with some vapourware. Take a look at, there’s no mention of our IPS being able to mow lawns.



Written by leonward

January 7, 2010 at 10:37 pm

Posted in Uncategorized

5 Responses


  1. […] This post was mentioned on Twitter by Martin Roesch, Leon Ward. Leon Ward said: IPS vs WAF (or Four Things Your WAF Can’t Do): […]

  2. WOW… You make it down okay from that soap-opera-box?

    I guess I’m guilty of the reacting just like you did, because after I’d attended yet another meeting where someone said, “a WAF is just an IPS”, you might say I got a little frustrated.

    I did try to channel my frustration a little differently though. Watson’s stinky tumble dryer joke? Really?

    I’d never confuse Snort or Sourcefire as being one, of course I’d never expect a blog entry of mine to spark such *interest*.

    Hi Marty!
    I miss the pig calendars…


    January 8, 2010 at 1:06 am

    • Yeah, I made it down okay 🙂

      It wasn’t directed as a personal attack; apologies if it sounded like one. I keep reading articles about how some IDS/IPS technology doesn’t work well at doing “X”, and your post just nudged me closer to the edge.

      Unfortunately it’s true that some IDP technology doesn’t work as well as others. Recent independent tests by NSS and ICSA show that fact.

      I have had people say to me in a meeting “We already have an IPS & RNA like product, ours is made by Apple”. Okay, so using Apple’s name as an example is a little of an exaggeration, but the point is the same. When we start a conversation with less educated security practitioners (to put it politely), they may just not “get it” right away. They may not understand the problem-space that the suggested product addresses. This is where our skill and experience must kick in to correctly differentiate and educate.

      The Mark Watson reference was for humour, he’s a funny guy and I’ll try to find the mobile phone gag on YouTube later.

      If you’re based in Europe and want a 2010 Snort calendar, mail me your contact details and I’ll get one sent out.


      January 8, 2010 at 11:24 am

      • No worries, I didn’t intend to push anyone’s buttons. I didn’t take your response personally; it just caught me completely off-guard. It is indeed frustrating herding cats! As Tatter says, “You can’t fix stupid”.

        Sourcefire is one of my favorite IPS/IDS platforms, and Snort is the granddaddy of them all. Any company that releases an IDS/IPS product compares themselves to Sourcefire or Snort — imitation is the sincerest form of flattery. This should help push you back from the edge a little 😉

        Those recent NSS tests were earth shattering for some IDS/IPS vendors. The rants and disrespect shoveled towards NSS after the results were released were flat-out wrong; those guys do a great job.


        January 8, 2010 at 2:59 pm

  3. Leon, as usual, great job.

    Disclosure — I work for Sourcefire too.

    Joel Esler

    January 9, 2010 at 2:00 pm
