Hello guys! In this article we will learn what WAF, IDS and IPS are, how they work and how they differ from each other.
Before you begin reading this article, I would suggest you read these articles first so you can build a good base:
So let's begin with IDS.
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a technology (either hardware or software) which is deployed within a network to detect attacks. It waits for an attack to happen and then just sends an alert to the network administrator. It doesn't try to stop or block the attack; its job is only to raise an alert when an attack is executed against the network.
An IDS has a signature database which tells it what an attack looks like. So whenever the network receives a data packet, the IDS looks it up in the signature database and, if a match is found, raises an alert. It also keeps a baseline of what normal traffic looks like, so it can detect attacks better by flagging traffic that deviates from that baseline.
Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) works similarly to an IDS; the only difference is that an IPS can monitor attacks as well as react to them. For example, you can configure your IPS so that whenever someone tries to DoS your server or sends malicious packets, it detects the attack and blocks the attacker's IP address. An IPS can also control information leakage: it can detect whether any spyware or keylogger is sending out information. It can also modify your server's response headers to protect against attacks like banner grabbing.
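To make the IDS/IPS distinction concrete, here is a small added example (not code from the article) in which one detection engine, with a constructed signature database and a constructed "normal traffic" baseline, is run in two modes: as an IDS it only records alerts and lets the packet through, as an IPS it also blocks the source address. All packets, the beacon marker and the SYN-rate limit are constructed test data.

```python
"""Toy IDS/IPS with one shared detection engine and two reaction modes.

Added example, not code from the article. The packets, the signature
and the SYN-rate baseline below are constructed for the demo, not real rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    flags: str      # TCP flags, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes
    ts: float       # arrival time in seconds


# Constructed signature database: (rule name, byte pattern the payload contains).
SIGNATURES = [
    ("TEST-SIG-1 constructed spyware beacon marker", b"X-Beacon-Test:"),
]

# Constructed baseline of normal traffic: a single source sending more than
# SYN_LIMIT SYNs within WINDOW seconds is reported as a possible DoS.
SYN_LIMIT = 5
WINDOW = 1.0


class Sensor:
    """mode='ids' only records alerts; mode='ips' also blocks the source IP."""

    def __init__(self, mode="ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.alerts = []                    # (src_ip, rule name)
        self.blocked = set()                # IPs the IPS has cut off
        self._syn_times = defaultdict(deque)

    def _detect(self, pkt):
        """Return the name of the rule a packet triggers, or None."""
        for name, pattern in SIGNATURES:
            if pattern in pkt.payload:
                return name
        if "S" in pkt.flags:
            q = self._syn_times[pkt.src_ip]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > WINDOW:   # slide the window
                q.popleft()
            if len(q) > SYN_LIMIT:
                return "BASELINE SYN rate above normal"
        return None

    def process(self, pkt):
        """Return 'pass', 'alert' (IDS) or 'drop' (IPS) for one packet."""
        if pkt.src_ip in self.blocked:
            return "drop"                   # IPS: source already blocked
        rule = self._detect(pkt)
        if rule is None:
            return "pass"
        self.alerts.append((pkt.src_ip, rule))
        if self.mode == "ips":
            self.blocked.add(pkt.src_ip)    # the reaction an IDS never takes
            return "drop"
        return "alert"                      # IDS: the packet still gets through


def sample_traffic():
    """Constructed packets: normal request, beacon, follow-up, then a SYN burst."""
    pkts = [
        Packet("10.0.0.5", 80, "PA", b"GET /index.html HTTP/1.1", 0.00),
        Packet("10.0.0.9", 443, "PA", b"POST /up HTTP/1.1\r\nX-Beacon-Test: keys", 0.10),
        Packet("10.0.0.9", 443, "PA", b"GET /about HTTP/1.1", 0.20),
    ]
    pkts += [Packet("10.0.0.77", 80, "S", b"", 0.30 + i * 0.01) for i in range(7)]
    return pkts


def run(mode):
    """Feed the sample traffic through a sensor; return (verdicts, sensor)."""
    sensor = Sensor(mode)
    return [sensor.process(p) for p in sample_traffic()], sensor


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, sensor = run(mode)
        print(mode.upper(), verdicts, "blocked:", sorted(sensor.blocked))
```

Notice that in IDS mode the follow-up packet from the beaconing host passes untouched and the administrator only sees alerts, while in IPS mode the same engine drops everything from that host after the first hit. The sixth SYN in the burst is what crosses the constructed baseline, which is why the first five pass in both modes.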
Web Application Firewall (WAF)
As its name suggests, a WAF is dedicated to web application security. A WAF doesn't monitor the server; its only job is to monitor user activity at the application layer (Layer 7). So if you deploy a WAF in front of your website, it protects the website, not the server. A WAF can detect attacks against most of the major web application vulnerabilities, such as SQL injection, parameter tampering, buffer overflow, cross-site scripting (XSS) and cookie poisoning.
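The following added example (not the article's code) shows what "Layer 7" inspection means in practice: the WAF parses the HTTP request itself, treats query string, form body and cookies as untrusted input, decodes each value before matching, and applies two kinds of rules. The negative rules, the positive per-parameter model and the sample requests are all constructed for the demo.

```python
"""Toy WAF: inspects HTTP requests at Layer 7, not the host or the network.

Added example, not code from the article. Rules and requests are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed negative rules: what an attack looks like, matched after decoding.
NEGATIVE_RULES = [
    ("sqli", re.compile(r"('|\")\s*or\s+\d+\s*=\s*\d+|union\s+select", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript:", re.I)),
]

# Constructed positive model: what each known input is allowed to look like.
# Tampering (qty=-1) and a malformed session cookie fail here even if no
# negative rule fires.
POSITIVE_MODEL = {
    "id": re.compile(r"^\d{1,9}$"),
    "qty": re.compile(r"^[1-9]\d{0,2}$"),
    "cookie:sid": re.compile(r"^[0-9a-f]{32}$"),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, params and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    params = {}
    for k, vs in parse_qs(parts.query, keep_blank_values=True).items():
        params[k] = vs[0]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, vs in parse_qs(body, keep_blank_values=True).items():
            params[k] = vs[0]
    return method, parts.path, params, headers


def normalize(value):
    """parse_qs already decoded once; decode again so double-encoded input is
    matched in the form the application will finally see, then case-fold."""
    return unquote_plus(value).lower()


def inspect(raw):
    """Return a list of (input name, rule) findings; an empty list means allowed."""
    _method, _path, params, headers = parse_request(raw)
    # Cookies are user-controlled input as well, so check them like parameters.
    for cookie in headers.get("cookie", "").split(";"):
        if "=" in cookie:
            k, v = cookie.strip().split("=", 1)
            params["cookie:" + k] = v
    findings = []
    for name, value in params.items():
        decoded = normalize(value)
        if name in POSITIVE_MODEL and not POSITIVE_MODEL[name].match(decoded):
            findings.append((name, "positive-model"))
        for rule, pattern in NEGATIVE_RULES:
            if pattern.search(decoded):
                findings.append((name, rule))
    return findings


if __name__ == "__main__":
    # Constructed requests: one clean, one tampered quantity.
    print(inspect("GET /item?id=42&qty=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n"))
    print(inspect("POST /cart HTTP/1.1\r\nHost: shop.example\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 11\r\n\r\nid=7&qty=-1"))
```

The positive model is what catches parameter tampering and cookie poisoning, which no attack signature describes; the decoding step in `normalize` is what keeps a percent-encoded or double-encoded value from slipping past the negative rules, which is the defender's side of the obfuscation problem mentioned later in this article.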
How to bypass IDS/IPS?
- Send fragmented packets to evade signature matching.
- An IDS relies on pattern matching, so if you change how your attack executes, you will probably go undetected.
- By performing a coordinated attack. For example, if you run a port scan against an IDS-protected server, the IDS will detect it. To bypass the IDS, you can scan different ports from different IP addresses.
How to bypass WAF?
- If you are using a program to exploit/scan a WAF-protected website, make sure your HTTP headers look like those of a legitimate browser.
- Limit the rate of your requests.
- Obfuscate your payloads so they don't match the attack patterns stored in the WAF or trigger its rules.
Your house and the thief
Here's my not-so-accurate analogy of IDS, IPS and WAF. It's not technically correct, but whenever you think of this analogy you will be able to recall everything you learned today.
Let's say you have a house which is surrounded by high walls and has just one entrance. The main building has a beautiful lawn around it. In one room of your house, a lot of gold is stored. A thief has challenged you that he will steal the gold at any cost. Now you have three options to choose from:
- Sensors and Cameras: Deploy sensors and cameras wherever you want. They will raise an alert if the thief tries to sneak into your house, but they can't stop the thief.
- Gatekeeper: You can hire a gatekeeper and tell him what a thief looks like and what he carries, like a lock pick, a hammer etc. The gatekeeper will not let anyone enter who looks like a thief and carries those items.
- Commando: You can hire a commando who will sit in the room and will take down anyone who tries to do something harmful.
You know I am talking about IDS, IPS and WAF right? Great.
Well, for those who didn't understand what is what, here's a translation:
- House: Server/Network
- Sensor: IDS
- Gatekeeper: IPS
- Gold: Website
- Commando: WAF
- Thief: Attacker
Now take a look at this table:
| | Sensors and Cameras (IDS) | Gatekeeper (IPS) | Commando (WAF) |
|---|---|---|---|
| Does it monitor who enters the house? | Yes | Yes | No |
| Can it stop the thief from entering your house? | No | Yes, but it depends on what you told him about the thief. | No |
| Can it stop the thief if he gets caught? | No | Yes | Yes |
| Where does it reside? | Wherever you deploy it | Entrance* | Inside the gold room |
| Why should you choose it? | To monitor who tries to enter your house | To stop the thief from entering the house | To protect the gold |
| Can it stop the thief if he is Superman? | No | No | No |
That's all folks! I hope you enjoyed this article and learned something new.