The article compares and analyzes the differences between IPS, IDS, Firewalls and WAF because they are very popular solutions used in networks to protect network security.
Terminology IPS, IDS, WAF
First let’s look at the meaning of each acronym:
IPS = Intrusion Prevention System
IDS = Intrusion Detection System
WAF = Web Application Firewall
How they work in a network (Networking)
For a quick idea of how these solutions/devices can be used in a network design, see the topology below that includes all the security solutions in the network (firewalls, IPS, IDS, WAF).
The purpose of the diagram below is to illustrate where these security devices are usually located in the network.
Let’s now briefly describe each security device and then compare them further below in this article.
Firewall
There are several types of firewalls, but the most common is the hardware network firewall. As you can see from all the network diagrams in this article, a network firewall is found in every network design, as it is the foundation of network security.
The core function of a firewall is to allow or block traffic between source hosts/networks and destination hosts/networks.
Firewalls basically operate at Layer 3 and Layer 4 of the OSI model, i.e. they can allow or block IP packets based on source/destination IP address and source/destination TCP/UDP ports.
Furthermore, a network firewall is stateful. This means that the firewall monitors the status of connections passing through it.
For example: if an internal machine successfully accesses an Internet site through a firewall, the firewall keeps that connection in its connection table, so reply packets from the external web server are allowed back through to the internal machine because they belong to an established connection.
Nowadays, Next Generation Firewalls also operate up to Layer 7 of the OSI model, which means they can inspect and control traffic at the application level.
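To make the stateful behaviour described above concrete, here is a toy model of a Layer 3/4 stateful firewall (an added example, not code from the original article or from any real product): outbound flows that match a rule are recorded in a connection table, replies to recorded flows are allowed back in, and unsolicited inbound packets are dropped. The internal network, the rule set and the sample packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Toy Layer 3/4 stateful firewall: a connection table plus outbound rules.
    Constructed for illustration; it does not model any real firewall product."""

    def __init__(self, internal_net: str, allowed_outbound: set):
        self.internal = ipaddress.ip_network(internal_net)
        self.allowed_outbound = allowed_outbound  # set of (proto, dst_port)
        self.connections = set()  # 5-tuples of flows initiated from inside

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def process(self, p: Packet) -> str:
        flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reply_of = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # 1. Packets of a connection already in the table pass in both directions,
        #    so the external web server's replies reach the internal client.
        if flow in self.connections or reply_of in self.connections:
            return "allow-established"
        # 2. A new flow is admitted only from inside to outside on a permitted port;
        #    it is recorded so that its reply packets are recognised later.
        if (self._inside(p.src_ip) and not self._inside(p.dst_ip)
                and (p.proto, p.dst_port) in self.allowed_outbound):
            self.connections.add(flow)
            return "allow-new"
        # 3. Everything else, including unsolicited inbound packets, is dropped.
        return "drop"


def run_demo():
    """Constructed traffic: HTTPS from an internal client, its reply, an unsolicited
    inbound packet to another host, and an outbound telnet attempt (not permitted)."""
    fw = StatefulFirewall("10.0.0.0/24", {("tcp", 443), ("udp", 53)})
    packets = [
        Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443),
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000),
        Packet("tcp", "203.0.113.10", 443, "10.0.0.6", 51000),
        Packet("tcp", "10.0.0.5", 51001, "203.0.113.10", 23),
    ]
    return [fw.process(p) for p in packets]
```

Running `run_demo()` yields `["allow-new", "allow-established", "drop", "drop"]`: the reply is admitted only because the client's outbound flow was recorded first.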
IPS (Intrusion Prevention System)
As the name suggests, an Intrusion Prevention System (IPS) is a security device whose main task is to prevent network intrusions.
That’s why the IPS is connected in-line to the packet stream. As shown from the above network topology (Firewall with IPS), the IPS device is usually connected behind the firewall but is in the communication path transmitting packets to/from the internal network.
The above location is required for the IPS device to block malicious traffic immediately before reaching internal servers.
Typically, an IPS is signature-based, which means it has a database of known malicious traffic, attacks and exploits; if it sees packets that match a signature, it blocks that traffic flow.
Additionally, IPS can work with statistical anomaly detection, rules set by administrators, etc.
IDS (Intrusion Detection System)
IDS (Intrusion Detection System) is the predecessor of IPS and is passive in nature. As shown from the network above (Firewall with IDS), this device is not put in the same stream as the traffic but is placed out-of-band.
Traffic passing through the switch is also copied to the IDS at the same time for inspection. If a security anomaly is detected in the network traffic, the IDS will only alert the administrator; it cannot block that traffic by itself.
Similar to an IPS, IDS devices also mostly use signatures of known security attacks and exploits to detect an intrusion attempt.
To send traffic to the IDS, the switch must have a SPAN port configured to replicate traffic and send it to the IDS node.
Although an IDS is passive in the network (i.e. it cannot actively block traffic), several models can cooperate with the firewall to prevent a security attack.
For example, an IDS can send a command to the firewall to block specific packets if the IDS detects an attack.
WAF (Web Application Firewall)
WAF (Web Application Firewall) focuses on protecting websites (or web applications in general).
It works at the Application Layer to inspect HTTP web traffic to detect malicious attacks against websites.
For example, a WAF will detect SQL Injection attacks, Cross Site Scripting attacks, Javascript attacks, RFI/LFI attacks, etc.
Since most websites today use SSL (HTTPS), a WAF can also provide SSL acceleration and SSL inspection by terminating the SSL session and inspecting the traffic inside the connection on the WAF itself.
As shown from the network above (Firewall with WAF), it is placed in front of a Web server (usually) in the firewall’s DMZ zone.
With WAF, administrators have the flexibility to restrict web access to specific parts of the site, provide strong authentication, audit or limit file uploads to the site, etc.
Now let’s take a look at some quick comparison tables for the above security solutions.
IPS vs IDS
Firewall vs IPS/IDS
WAF vs IPS/IDS
Hope you make the right choice!