
Following scenario:

  • Web application, only HTTP/S traffic
  • Firewall in place to only allow traffic on port 80/443 in
  • WAF is in place, set to deny malicious traffic

Question: Is there any added value in this scenario to also have an IPS / Deep Packet Inspection solution in place? From all I understand: No. But I didn't find any clear answer out there.

silent
  • Questions that generate mostly opinions are discouraged here. – Ron Trunk Dec 06 '21 at 14:05
  • @RonTrunk I'm not looking for an opinion. I am actually curious if there would be any real reason in using both. – silent Dec 06 '21 at 14:06
  • Well, it depends on how well you believe the WAF reduces your risk, and what additional risks the IPS would protect you against. Contrast those against the cost and time to install and maintain both systems. The answers are unique to every organization. – Ron Trunk Dec 06 '21 at 14:58

3 Answers


Question: Is there any added value in this scenario to also have an IPS / Deep Packet Inspection solution in place? From all I understand: No. But I didn't find any clear answer out there.

To answer the question, first let's unpack the key term "value". What we're doing here is asking "what's the value of a security control?".

Security controls (WAFs, IPSs, SPI firewalls being examples of technical security controls) are put in place to manage risk. Security controls that cost more than the expected loss over time of not having the control would not typically be put in place, and ones that cost less than the expected loss over time would be put in place.

Whether there's any value in putting an IPS in when a firewall limited to one port and a WAF is in place is really asking this question: Is the expected loss based on how everything is set up at the moment minus the expected loss after the IPS has been put in place greater than the cost of the IPS? If the answer is yes then there's no value in putting in an IPS, since the cost of putting it in is greater than the benefit it provides. This is an example of the risk management process in action.

When it comes to this particular situation, there is not enough information to definitively answer the question. Any technical answer given is not going to do it. Even if we had all the information, which would be extensive, there are enough variations in how people calculate risk that we'd definitely not be able to do anything beyond giving "a way of doing it", and possibly the longest Serverfault answer ever :-)

In general terms though, these are areas where an IPS (we'll conflate HIPS and NIPS here for simplicity) provides opportunity for value when implemented along with the existing solutions:

  1. For cases where there's crossover in functionality, as a secondary control if the firewall or WAF was misconfigured or compromised, does not pick up the threat, or detects the threat by a different method, thus increasing the probability of detecting detection evasion techniques.
  2. For cases where the IPS provides additional protection not already provided. This is product and implementation dependent but may include things like...
    • Blocking known-malicious IP addresses
    • Blocking based on event correlation - e.g. IPs that have been seen to be port scanning prior to sending the HTTP requests
    • Preventing / detecting file modifications by unauthorized processes
    • Many others
  3. For increased visibility. The IPS will generally be able to give you more visibility into the threat landscape since it's looking at a lot more of what's going on in the environment, not just the web traffic.

In summary, whether an IPS is of value will depend on risk. There are certainly scenarios where one would choose to put in an IPS in this scenario even if it provided only redundancy and no additional functionality - the "belt and braces" approach. If protecting a personal website, probably not going to be worth it, if protecting billions of dollars worth of intellectual property, more likely to be of value.

jotap
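As an added example (not part of jotap's answer and not any product's code), the following Python script shows the kind of cross-layer correlation the answer lists under point 2, and why a WAF alone cannot make it. It reads constructed firewall and web-server log lines (the log format, thresholds and addresses are made up for this example; the addresses come from the RFC 5737 documentation ranges), flags a source that probed several closed ports shortly before its first HTTP contact, and separately shows the web-tier lines alone, which is all a WAF ever sees, and which look benign.

```python
"""Added example: correlate firewall denies (port probing) with later HTTP
contact from the same source. Log format, thresholds and addresses are
constructed for this example, not taken from any real IPS or WAF."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host probes five non-web ports (all denied by the
# firewall) and then opens a normal-looking HTTPS connection; two other hosts
# look harmless. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-12-06T14:00:01 fw DENY src=203.0.113.7 dport=22
2021-12-06T14:00:02 fw DENY src=203.0.113.7 dport=3389
2021-12-06T14:00:02 fw DENY src=203.0.113.7 dport=8080
2021-12-06T14:00:03 fw DENY src=203.0.113.7 dport=5432
2021-12-06T14:00:04 fw DENY src=203.0.113.7 dport=6379
2021-12-06T14:00:09 fw ALLOW src=203.0.113.7 dport=443
2021-12-06T14:00:10 web GET /login.php src=203.0.113.7 status=200
2021-12-06T14:01:00 fw ALLOW src=198.51.100.20 dport=443
2021-12-06T14:01:01 web GET /index.html src=198.51.100.20 status=200
2021-12-06T14:05:00 fw DENY src=192.0.2.9 dport=22
2021-12-06T14:05:01 fw ALLOW src=192.0.2.9 dport=443
"""

SCAN_THRESHOLD = 5                   # distinct denied ports before HTTP contact
SCAN_WINDOW = timedelta(seconds=60)  # how far back to look for the probes

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<component>fw|web) (?P<action>\S+) (?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "component": m["component"],
        "action": m["action"],          # DENY/ALLOW for fw, HTTP method for web
        "src": fields.get("src"),
        "dport": int(fields["dport"]) if "dport" in fields else None,
        "path": m["rest"].split()[0] if m["component"] == "web" else None,
        "status": fields.get("status"),
    }


def correlate(log_text, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return {src: reason} for sources whose HTTP contact was preceded by a
    port sweep. This needs the firewall's DENY events, which never reach the WAF."""
    denied = defaultdict(list)  # src -> [(timestamp, dport)] of firewall denies
    verdicts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["src"] is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["component"] == "fw" and ev["action"] == "DENY":
            denied[src].append((ts, ev["dport"]))
            continue
        # Anything else is traffic that reached the web tier (an allowed
        # 80/443 connection or a request logged by the web server).
        recent = {port for t, port in denied[src] if ts - t <= window}
        if len(recent) >= threshold and src not in verdicts:
            verdicts[src] = (f"{len(recent)} closed ports probed within "
                             f"{int(window.total_seconds())}s before HTTP contact")
    return verdicts


def waf_view(log_text):
    """The only evidence a WAF gets: requests that arrived on 80/443.
    Every one of them is a plain GET with a 200, so there is nothing to block on."""
    return [(ev["src"], ev["action"], ev["path"], ev["status"])
            for ev in map(parse_line, log_text.splitlines())
            if ev and ev["component"] == "web"]


if __name__ == "__main__":
    for src, why in correlate(SAMPLE_LOG).items():
        print(f"BLOCK {src}: {why}")
    print("WAF would see:", waf_view(SAMPLE_LOG))
```

Lowering `threshold` to 1 also catches 192.0.2.9, which touched a single closed port first; whether that is an acceptable false-positive rate is exactly the tuning work (and the visibility from point 3) that the extra control costs.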

You don't need to use packet inspection if you set up your firewall correctly, but you still need IPS/IDS and an integrity check even though you have only one simple server with minimum services.
Consider these situations:

  • If there is an unknown method/signature of attack to your WAF, practically your WAF is useless against that kind of threat (especially zero-day vulnerabilities). In this situation, monitoring the activity of users and checking the integrity of the system is a smart move. Using auditing tools may help and warn you of suspicious (but not known) threats. However, it needs more resources, customized audit rules and constant checking.
  • Bypassing a WAF is not imaginary. In this case, IPS/IDS or any other scanning mechanism increases your security level as a second layer of defence, even if your WAF fails.

    If you have concerns about your setup but don't want to use a complicated or expensive solution, you can combine very basic tools like "iptables" customized rules with "SELinux" and "AIDE" for a stronger security plan.
H. Far
  • If the WAF can't detect a zero day, what makes you think the IPS would? – Ron Trunk Dec 09 '21 at 14:44
  • @RonTrunk IPS/IDS detects any system file change (Horse Pill malware, for instance), but a WAF is focused on the web application. This is different from attack signatures. In "zero-day attacks" the WAF does NOT recognize affected files! IPS/IDS does. – H. Far Dec 09 '21 at 14:56
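As an added example (my code, not H. Far's and not AIDE), the following Python script does the host-side integrity check that both answers reach for: jotap's "preventing / detecting file modifications by unauthorized processes" and H. Far's suggestion of pairing the WAF with an integrity checker such as AIDE. It hashes a web root into a baseline, then reports files added, removed or changed. The web root, the file names and the simulated tampering (an edited index.php, a dropped webshell, a deleted config file) are constructed in a temporary directory for this example.

```python
"""Added example: a minimal file-integrity baseline and comparison, the same
idea as AIDE. Paths and the tampering scenario are constructed for this
example; nothing here is taken from AIDE or from the answers above."""
import hashlib
import tempfile
from pathlib import Path


def _digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root to (sha256, size, permission bits)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (
                _digest(p), st.st_size, oct(st.st_mode & 0o777))
    return baseline


def compare(baseline, current):
    """Diff two baselines; a file counts as changed if hash, size or mode differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a tiny web root, tamper with it the way
    a successful web attack would, and report what the check catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        baseline = build_baseline(root)  # taken while the tree is known-good

        # Simulated post-exploitation: backdoored page, dropped webshell,
        # deleted file. None of this passes through the WAF.
        (root / "index.php").write_text(
            "<?php echo 'hello'; include '/tmp/.x'; ?>\n")
        (root / "uploads" / "shell.php").write_text(
            "<?php system($_GET['c']); ?>\n")
        (root / "config.php").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats the example makes visible: the check is detective, not preventive (the webshell is reported after it has been written), and the baseline must be kept where the web server's account cannot write it, otherwise an attacker who can drop a file can also re-baseline it. AIDE's documented practice of storing the database read-only or off-host addresses the second point.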

You can set up the WAF in the DMZ to protect internet traffic. Also, IDS/IPS plus DPI can be used in the internal network, active or passive (inline or not).

borcan22