IPS vs WAF

Captions
[Music]

Hey everybody, John Wagnon here with DevCentral, and we are coming to you with another Light Board Lesson video. Today we're going to talk about the difference between an IPS and a WAF. An IPS is an intrusion prevention system and a WAF is a web application firewall.

So I'll draw just a really quick representation up here. You have a client who wants to access your web application, so client over here, web app over here, and then you put the security, you know, solution in the middle. So maybe this is an IPS or maybe this is a web application firewall. So as a client requests your application, it's going to come through one of these security products, and then one of these things is going to check it before it, you know, allows access to your web application. So again, the question is, you know, what's the difference between the IPS and the WAF?

A couple of things I'll note about an IPS, intrusion prevention system. These are very typically signature-based, so I'll say "sig based". And with signature-based products, the signatures are going to check for well-known vulnerabilities, well-known attack vectors, that kind of thing. So if something's out there in the wild already, then it'll, you know, take its signatures and it will check it against that request, and if it matches a threat or vulnerability it's going to block that, and if it doesn't then it's going to let it on through. The signature database, this database of all these different known signatures, is typically going to grow over time, which you kind of want it to, because it's, you know, just checking for anything and everything out there that it should. As these things grow, it could affect performance, in the sense that any request that comes in to the IPS is going to need to be checked against all the different signatures that it has. So you've kind of got to keep that in mind as you look at signature-based products, or if there are certainly things that are strictly signature based. So that's one thing.

Another thing that I'm going to put is no awareness of a session or, say, user. So what I mean by that is the IPS doesn't necessarily know which user specifically is requesting access to your web application. So it's not going to be able to track like, hey, this is the session for that specific user, or hey, I know that user maybe from a previous request or whatever, and then it's going to be able to track or make decisions based on, you know, that specific session or that specific user. It's just simply going to say, is this a valid request, regardless of who it's from? If it's valid, let's let it through. If it's not valid, based on, you know, some of the signatures and all that, then it's going to block it. So it does a good job of blocking the request based on known signatures.

This is what I'll call maybe a wider focused, you know, security product as it were, in the sense that it's not really going to be able to dive deep into, you know, this is the very specific user request to this very specific application or this very specific service that you're trying to provide. It's just going to take a wider focus and say, you know, is any request at all, regardless of who it's from, regardless of where it's going to, does it match my criteria or not, and then it's going to take action based on that. Okay, so that's kind of a very brief overview of IPS.

A WAF is a Web Application Firewall. This thing is typically user and session and, I'm going to even put, application aware. And basically what I mean by that is, typically a WAF, and I can talk about the F5 WAFs, which by the way, our F5 WAF is the ASM, Application Security Manager, or we have a new Advanced WAF, both WAFs from F5, and these things are going to be able to track each session, each client, or each user I should say, that's requesting access to your web application. Beyond that, it's going to be very aware of the web applications behind it that it is protecting: you know, what are they built out of, what are they looking to do, what services do they offer, all of those different things. And so because of that intelligence that's built in, it can make a little bit more intelligent decisions based on the request that comes in. So it's very important that it is application aware, user and session aware.

The WAFs in general, so going back to sort of a general view of WAFs, are built, I'll say primarily built, to defend against this OWASP Top 10 list. The OWASP Top 10 is the top 10 list of security risks that are out there in the Internet today. It's based on various things that the organization does, surveys and other things, to figure out, hey, what are the top 10 security risks that we collectively face in the world today, and they make a list of the top 10. These are things like injection attacks, cross-site scripting, you know, there's a new one, insecure deserialization, on the list. There's ten of them. So anyway, WAFs are traditionally built in order to protect against these top ten security risks. So that's one of the things that the WAF does.

The F5 WAF specifically has some really cool things like proactive bot defense. I'll just put a couple of things here: PBD, proactive bot defense; credential protection; and then I'll also list IPI, that's IP intelligence. Without going into the details of all those things, these are some very sophisticated bot defense mechanisms. Credential stuffing or credential theft is a big deal today, and there's protections built into the WAF on the F5 side. And then this IP intelligence as well: basically the idea is we can track the IP addresses that are out there in the world, and if one is known to be bad then we'll know that, and if a request comes in from one of those bad ones, we can take action on that. Okay, so that is a very high overview of kind of the WAF.

But one of the things I wanted to highlight as well today is the protocol support. So I'm going to put protocol support that a WAF is going to give you, maybe that's beyond what an IPS would be able to do. So of course we look at HTTP traffic. So I'm just going to list some of the protocols here: HTTP and then of course HTTPS traffic. And, you know, I mean, most of the traffic we see today is web, it's HTTP, HTTPS, it's port 80, it's all that stuff, right? So that's the primary focus on a lot of our traffic that we need to look at to protect. But beyond that, there are certainly threats and problems that could happen outside of just that protocol or those protocols.

So things like FTP: while not used maybe as much as HTTP, it's still a potential problem. So one of the things that the WAF can do is look for things like port scanning, anonymous requests that come in via an FTP request, command line length, you know, limits that would be put on an FTP request, excessive logins that might come in via FTP request. So it can look at things from an FTP protocol-specific perspective to guard your web applications, or guard your network frankly, from some of what would be malicious FTP traffic. So it's very important to have protocol support beyond just HTTP.

Another one that I'll just mention here: SMTP. This is our email stuff. The WAF can do things like validate incoming and outgoing email. It can check for viruses on email itself, or maybe an attachment has a problem with it; it can get into the SMTP request and check for things like that. It can do things like rate limit the number of messages that come in. So let's say someone tries to just overwhelm your email inbox, your email servers, with just tons and tons of junk emails; it can rate limit that. It can do things like disallow or even allow certain methods or certain requests from an SMTP protocol perspective. So there's some security built in, or there's some configurability built in, around the SMTP protocol specifically.

Another one that I'll list here is DNS. So the DNS protocol, the Domain Name System, is of course where you type in a web address and it translates it to an IP address, and just that whole thing. We've got a lot of Light Board Lessons on that if you want to check it out. But one of the interesting things about DNS is that if an attacker comes in to try to attack your web application or your network, let's say, then, you know, it'll launch all different kinds of attacks, and one of the things that some attackers will try to do is they'll try to somehow get a malicious payload into your network via any number of ways, you know, whether it's an email or a link that someone clicks on or whatever. But a lot of times when that malicious payload enters your network, it by itself sometimes can do a lot of damage of course, but a lot of times it's going to need to phone back to a command-and-control node, or a command-and-control center as it were, in order to download updates or download even more malware. And so when it does that, there's this idea that you internally need to be checking requests that go from inside your network back out to what would be one of these command-and-control nodes.

Well, a lot of times this malware will look for open ports on your network, and certainly HTTP is open, HTTPS, this is 80, 443, but those are very closely monitored for stuff like this. One that is not quite as closely monitored is DNS, port 53. And so one of the things that our WAF, and maybe other WAFs as well, can do is they can log requests from DNS, and ours specifically can do per-request DNS logging, which is really cool, so that you can keep a very close eye on what would be a callback to a command-and-control, you know, malware node as it were. So you can look for that DNS exfiltration or that DNS callback action, which could be very problematic for your network, and you want to be able to protect against that.

So as we look at the protocol support around a WAF, it's much more robust than anything that an IPS would do. So while an IPS is not inherently a bad thing, it's going to attempt to block malicious traffic from accessing your web application, a WAF is going to dig much deeper and much broader in terms of protocol support for what it will give you to keep your web application secure.

So anyway, I hope you've learned a couple of things here on some of the differences. This is by no means an exhaustive discussion over IPS or WAF, but I wanted to get into a few things and then really highlight this protocol support. So hey man, if you've liked this Light Board Lesson, you can click up here on our DC ball and subscribe to our YouTube channel, and we will see you guys out there in the community.
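Added example, not from the video and not F5 code: a sketch of the contrast the captions draw between a stateless signature check and a filter that also keeps per-session state. The signature patterns, the three-failed-logins policy, the field names and the sample traffic are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed signatures standing in for a real signature database.
SIGNATURES = [re.compile(p, re.I) for p in (r"<script\b", r"union\s+select", r"\.\./")]

def signature_verdict(request):
    """Stateless check: looks only at this request, never at who sent it."""
    text = request["path"] + " " + request["body"]
    return "block" if any(s.search(text) for s in SIGNATURES) else "allow"

class SessionAwareFilter:
    """Same signature check plus per-session state (hypothetical policy)."""
    def __init__(self, max_failed_logins=3):
        self.max_failed = max_failed_logins
        self.failed = defaultdict(int)   # session id -> failed login count
        self.blocked = set()             # sessions that exceeded the limit

    def verdict(self, request, response_status):
        sid = request["session"]
        if sid in self.blocked or signature_verdict(request) == "block":
            return "block"
        # The failure is only known once the application has answered.
        if request["path"] == "/login" and response_status == 401:
            self.failed[sid] += 1
            if self.failed[sid] >= self.max_failed:
                self.blocked.add(sid)
        return "allow"

TRAFFIC = [  # constructed sample: (request, status the application returned)
    ({"session": "s1", "path": "/login", "body": "user=alice&pw=a1"}, 401),
    ({"session": "s1", "path": "/login", "body": "user=bob&pw=b2"}, 401),
    ({"session": "s2", "path": "/search", "body": "q=<script>alert(1)</script>"}, 200),
    ({"session": "s1", "path": "/login", "body": "user=carol&pw=c3"}, 401),
    ({"session": "s1", "path": "/login", "body": "user=dave&pw=d4"}, 401),
    ({"session": "s3", "path": "/login", "body": "user=erin&pw=e5"}, 200),
]

def compare(traffic):
    """Return (session, stateless verdict, session-aware verdict) per request."""
    waf = SessionAwareFilter()
    return [(r["session"], signature_verdict(r), waf.verdict(r, status))
            for r, status in traffic]

if __name__ == "__main__":
    for row in compare(TRAFFIC):
        print(row)
```

Every login request from session s1 passes the signature check on its own; only the per-session counter notices the repeated failures and blocks the fourth attempt.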
Info
Channel: F5 DevCentral
Views: 73,315
Keywords: f5, devcentral, ips, waf, security, web, application, firewall, intrusion, prevention, detection
Id: jGrYZ5ptSXU
Length: 12min 33sec (753 seconds)
Published: Mon Sep 10 2018