IPS vs WAF (or Four Things Your WAF Can’t Do)
A few days back someone tweeted a link to this blog post “WAF vs IPS (or Four Things Your IPS Can’t Do)“, and it waved a little red flag at me. Sorry bmestep (I didn’t see your full name on your blog), you requested no flames, but your post was begging for some follow-up. I will, however, try my best to make sure it’s not all flame and include some content as well.
“I see this often and I am always amused at the topic. I have worked with IDS/IPS for 8 years, so I know IPS when it was just a flavor of IDS that no one wanted to enable for fear of blocking access to users and customers. I chuckle at the thought of WAF being a glorified IPS.”
Err, yeah, me too, I guess.
In fact I have worked in a world where marketing spin and the FUD from *some* technology vendors has forced confusion between complementary technologies available on the market. Those who know me are most likely aware that I work for Sourcefire, so I guess I could be seen as part of the vendor problem, but let’s ignore that fact for the moment.
If you’re unlucky enough to walk around security trade-show floors, you’ll see a lot of similar messaging all around. Every year the message changes to what’s hot right now, but you can guarantee that most will be selling the same message with vastly different products.
This “me too” messaging is where the pain comes from and Leon gets angry, so let me spell things out.
- An IPS is not a WAF
- A WAF is not an IPS
- A Firewall is not an AV
- A BMW is not a DVR
- And to badly quote Mark Watson “I’m not interested in watching TV on my mobile phone, in the same way I’m not interested in taking a sh*t in my tumble dryer”
Maybe I should have titled this post “WAF vs Lawn Mower (or Four Things A WAF Can’t Do, That Your Lawn Mower Can).”
I don’t fancy sitting here tapping out a list of things that an IPS does that a WAF doesn’t, because I don’t see that it has ANY relevance. Oh, and one last comment.
“As packets are inspected by an IPS, they are often discarded to improve performance. This is a key differentiator, because a WAF must retain packets in order to keep the context of a client web request and the subsequent server response.”
If there is anyone out there who wants to know how a good IPS works, you know, one that *doesn’t* discard packets to improve performance, go grab the latest Snort tarball and start reading the source: an IPS that inspected packets in isolation would lose any signature that straddles a segment boundary, which is exactly why a real engine reassembles the TCP stream before matching.
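To make the point concrete, here is an added illustration (my own toy code, not anything from Snort or from the quoted post) of why a detection engine has to keep per-flow state: a pattern split across two constructed TCP segments is invisible to a per-segment matcher but is found once the segments are reassembled in order. The signature string, the sequence numbers and the request are all made up for the example.

```python
from dataclasses import dataclass, field

# Constructed pattern the engine looks for; any real rule would be richer.
SIGNATURE = b"/etc/passwd"

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def stateless_match(segments, pattern=SIGNATURE):
    """Inspect each segment on its own, as a packet-at-a-time engine would."""
    return any(pattern in s.payload for s in segments)

@dataclass
class Flow:
    """Minimal in-order reassembly buffer for one direction of a TCP flow."""
    isn: int                                   # first expected sequence number
    buf: bytearray = field(default_factory=bytearray)
    pending: dict = field(default_factory=dict)  # seq -> payload not yet placed

    def add(self, seg):
        self.pending[seg.seq] = seg.payload
        # Append every contiguous segment; tolerates out-of-order arrival.
        nxt = self.isn + len(self.buf)
        while nxt in self.pending:
            data = self.pending.pop(nxt)
            self.buf += data
            nxt += len(data)

def stateful_match(segments, isn, pattern=SIGNATURE):
    """Reassemble the stream first, then search the contiguous payload."""
    flow = Flow(isn)
    for seg in segments:
        flow.add(seg)
    return pattern in flow.buf

# Constructed request: the signature straddles the segment boundary, and the
# segments are listed out of order to exercise the reassembly buffer.
SEGMENTS = [
    Segment(1030, b"sswd HTTP/1.1\r\nHost: example\r\n\r\n"),
    Segment(1000, b"GET /cgi-bin/view?file=/etc/pa"),
]

if __name__ == "__main__":
    print("per-segment match:", stateless_match(SEGMENTS))   # False
    print("reassembled match:", stateful_match(SEGMENTS, 1000))  # True
```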
Anyway, I think it’s time I climb down off my soap-box.
On a closing note, I feel that I must mention that I think Sourcefire does a good job at marketing its IPS product. As a company we are not one to jump on the latest hype-cycle with some vapourware. Take a look at sourcefire.com; there’s no mention of our IPS being able to mow lawns.