WAF vs IPS: What’s The Difference?

Whats the difference between WAF vs IPS

One of the most valuable assets (if not the most) of a company is its information and also its systems. People who are dedicated to being “computer thieves” also know this, so they try different methods to attack our company networks and access our valuable information. The types of “weapons” to carry out cyber-attacks have diversified so much that it is no longer enough to put a Firewall or just any NGFW at the entrance of our network and an antivirus on the users’ computers. A network administrator knows that this would be like locking the front door of our house but leaving all the windows and the back door open. Now that the attacks occur in different “layers” in the network protocols, for which we need different defense systems for each type of traffic. The fact that more and more companies have their permanent business in web applications can make them even more vulnerable.

Top 5 web application attacks rates

In an ideal world the code of our web applications should not have any security “gap” that can put our in risk our data but, in reality this is unlikely so it is necessary to have external applications. Definitely, the more security barriers exist, the more peace of mind will be felt by business owners and website owners. What options exist today to protect the servers (and even the data centers) of our companies from the large number of threats to our data? Let’s talk about two options: Web Application Firewall (WAF) and on the other hand the Intrusion Prevention System. What are the characteristics of each one? What do they have in common and what differentiates them? Which of the two gives more security to the network? 

Web Application Firewall (WAF)

Web Application Firewall (WAF) is a solution (hardware or software) that works as an intermediary between external users and web applications. This means all HTTP communication (request-response) are analyzed by the WAF before reaching the web apps or users.

In order to perform the HTTP traffic monitoring and analysis, the WAF applies a set of previously defined rules that make possible the detection of malicious HTTP requests such as Cross-Site Scripting (XSS), SQL Injection, Dos or DDos attacks, cookie manipulation and many others. Once the WAF detects a thread or attack it blocks the traffic to reject the malicious request or a response with sensitive data. If there no threads or attacks all your traffic should flow normally, in a way that all the inspection and protection its transparent to the users and it shouldn’t affect any day to day business web applications operations.

Intrusion Prevention System (IPS)

In the case of the Intrusion Prevention System (IPS) is a more general purpose protection appliance. It provides protection on traffic of a wide variety of protocol types, such as DNS, SMTP, TELNET, RDP, SSH, FTP among others. IPS detects malicious traffic using different methods, for instance:

Signature-based detection:

Signature based detection as an antivirus does. A firm can recognize a threat and send an alert to the administrator. For this method to work correctly all signatures must be with the latest update.

Policy-based detection:

IPS requires that security policies to be declared very specifically. The IPS recognizes the traffic that is outside of these policies and automatically discarding it.

Detection based on anomalies:

According to the pattern of normal traffic behavior. This method can be used in two ways, automatic or manual. On the one hand, the IPS automatically performs a statistical analysis and establishes a comparison standard. When the traffic moves too far from this standard, it sends out an alert. The other way is by default manually setting the normal behavior of the traffic so that alerts are sent when the traffic, again, moves away from this rule. The disadvantage of the manual way is that being less flexible and dynamic it can send false alerts.

Honey Pot Detection:

Works using a computer that is configured to call the attention of hackers without compromising the security of the real systems. Using this bait, the attacks can be monitored and analyzed so that, once identified, they can be used to establish new policies.

WAF vs IPS protection comparison

Which one is my best option?

After our comparison, is obvious that, even that both solutions are an extra security layer for our network, they work on different types of traffic. So, instead of competing which other they mostly complement with each other. Despite IPS seems to protect a wider type of traffic, there is a very specific one that only a WAF can work with. So highly recommended to have both solutions, especially if your environment systems work closely with the web.

Fortunately, nowadays there are full package solution that gives you the best of both worlds.

The challenge is to select the right WAF hardware system to run software-based security mechanisms effectively. In other words, the most practical way to protect enterprise data center is to implement software-hardware hybrid solution in order to protect networks from cyber criminals.

There are several requirements in the making of web application firewall:

SSL Acceleration:

SSL is critical to WAF as a CPU offloading method for the heavy-duty public key encryption. For optimal performance, it is recommended to have a hardware accelerator.


Since the WAF is deployed between the enterprise server and the users, one of the major missions of the WAF is to monitor the traffic and block the malicious attempts. This requires an efficient DPI (Deep Packet Inspection) backed up by powerful hardware.

High-performance and high-throughput:

As DPI and SSL are both CPU-intensive, the required hardware architecture for WAF deployments must offer dedicated processing capability to run software securities.


WAF runs on a 24/7 basis and therefore, high-availability regarding power supply is critical to the optimization of WAF.


Since web application services may expand as customer base grows, enterprise WAFs must be scaled up by hardware means in order to boost performance and accelerate critical applications in the simplest way.

For example, Lanner’s FW-8759 is a main stream 1U rackmount network security system utilizing the cutting edge capabilities of the Intel Denlow platform (Based on Intel Haswell CPU and C226 PCH). Featuring 8 built-in Intel GbE LAN ports and 1 NIC module slot, this appliance can support maximum port density up to 16 GbE port, making it perfect for cyber security applications such as UTM, Firewall, VPN, IPS and WAN optimization. It is, indeed, powerful enough to be your company security shield at all levels.

1U rackmount network security

In conclusion, despite all the threads out there, choosing the best layered protection should give you more security and (why not) peace of mind.

Update (11/06/2019): There is an update of this post at https://www.lanner-america.com/blog/waf-vs-ips-whats-difference/

Related Posts