zzzzy09


WAF vs IPS: What's The Difference?

Why do we need WAF and IPS security systems?

One of a company's most valuable assets, if not the most valuable, is its data. The people who make a living as "computer thieves" know this too, so they try different methods to break into a company network and reach that information.

The sophisticated attack tools used in today's cyber-attacks have diversified so much that it is no longer enough to put a firewall, or even a Next-Generation Firewall (NGFW), at the edge of the network. Antivirus software has also played a key role in security for a long time, especially on users' workstations, but it is likewise not enough to stop well-crafted attacks.

A network administrator knows that relying on those alone is like locking the front door of the house while leaving all the windows and the back door open. Attacks now occur at different layers of the network protocol stack, so a different defense is needed for each type of traffic. The fact that more and more companies run their core business on web applications can make them even more exposed.

According to the following chart from Statista, RIA firms are investing heavily in cybersecurity. These firms manage high-net-worth assets, so they need extra help with security.

In an ideal world, the code of our web applications would have no security gaps that put us or our data at risk. In reality no application is 100% secure, so external protection is necessary. The more security barriers there are between us and an attacker, the more peace of mind business owners and website owners will have.

What options exist today to protect our companies' servers (and even data centers) from the many threats to our data?

Let's look at two of them: the Web Application Firewall (WAF) and the Intrusion Prevention System (IPS). What are the characteristics of each? What do they have in common, and what sets them apart? Which of the two gives the network more security?

Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a solution (hardware or software) that works as an intermediary between external users and the web applications, typically deployed as a reverse proxy in front of them. This means all HTTP communication (request and response) is analyzed by the WAF before it reaches the web application or the user.

To monitor and analyze the HTTP traffic, the WAF applies a set of predefined rules that make it possible to detect malicious requests such as Cross-Site Scripting (XSS), SQL injection, application-layer DoS or DDoS attacks, cookie manipulation and many others. Note that a WAF's DoS protection is limited to what it can see at the HTTP layer (for example, rate limiting abusive clients); volumetric DDoS that saturates the link has to be absorbed upstream of it.

Once the WAF detects a threat, it blocks the traffic: it rejects the malicious request, or the response if it would leak sensitive data. If there are no threats or attacks, all traffic flows normally, so the inspection and protection are transparent to the users.

A WAF recognizes legitimate web traffic and lets it through, so day-to-day operation of the business web application is not affected. In practice rules do produce false positives, which is why a new WAF deployment is usually run in detection-only (logging) mode and tuned against real traffic before blocking is enabled.
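The rule-matching mechanics just described, as an added example (not code from the original article or from any WAF vendor): a toy rule engine in Python that decodes each request, normalizes double percent-encoding, and matches every field against a small constructed rule set. The rule ids borrow the OWASP CRS numbering style, but the patterns, the sample requests and the header list are constructed for this illustration. The last sample request is a legitimate search that still trips the naive "--" comment rule, which is the false-positive problem that makes tuning before blocking necessary.

```python
"""Toy WAF rule engine: an added example, not code from the original article.

Each HTTP request is decoded and normalized, then every field (path, query
parameters, form body, selected headers) is matched against predefined rules.
Rule ids echo the OWASP CRS numbering style; the patterns are simplified and
constructed for illustration, not a real rule set.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# (rule id, description, pattern) - constructed, deliberately small
RULES = [
    ("942100", "SQL injection: tautology, comment or UNION SELECT",
     re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|--|/\*|\bunion\b\s+select\b)")),
    ("941100", "XSS: script tag, event handler or javascript: URL",
     re.compile(r"(?i)(<\s*script|\bon\w+\s*=|javascript:)")),
    ("930100", "Path traversal",
     re.compile(r"\.\.[/\\]")),
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %253Cscript%253E is seen as <script>."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, target: str, headers: dict, body: str = "") -> list:
    """Return a list of (rule_id, location, matched_text) findings for one request.

    target is the request-target from the request line; body is an
    application/x-www-form-urlencoded body (the only body type this toy parses).
    """
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if body and method.upper() in ("POST", "PUT", "PATCH"):
        fields += [(f"body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for name in ("Cookie", "User-Agent", "Referer"):  # headers attackers commonly abuse
        if name in headers:
            fields.append((f"header:{name}", headers[name]))

    findings = []
    for location, raw in fields:
        value = normalize(raw)
        for rule_id, _desc, pattern in RULES:
            match = pattern.search(value)
            if match:
                findings.append((rule_id, location, match.group(0)))
    return findings


def decide(findings: list) -> str:
    """Binary decision: any match blocks. Real WAFs score and threshold instead."""
    return "BLOCK" if findings else "ALLOW"


# Constructed sample traffic: one legitimate request, four hostile ones, and a
# legitimate search that is a false positive for the naive "--" comment rule.
SAMPLE_REQUESTS = [
    ("GET", "/products?id=10", {}, ""),
    ("GET", "/products?id=10%20OR%201%3D1%20--", {}, ""),
    ("POST", "/comment", {}, "text=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
    ("GET", "/download?file=..%2F..%2Fetc%2Fpasswd", {}, ""),
    ("GET", "/", {"User-Agent": 'x" onmouseover=alert(1) y'}, ""),
    ("GET", "/search?q=Romeo+and+Juliet+--+a+play", {}, ""),
]


def run_samples() -> list:
    """Return (target, decision) for each constructed sample request."""
    return [(target, decide(inspect_request(m, target, h, b)))
            for m, target, h, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for target, decision in run_samples():
        print(f"{decision:5} {target}")
```

The double-encoded XSS body is caught only because normalization decodes until the value is stable; a single `unquote` would see `%3Cscript%3E` and miss it. The "Romeo and Juliet -- a play" request is blocked by the same rule that catches `10 OR 1=1 --`, which is why production rule sets score matches and are tuned in detection-only mode first.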

Intrusion Prevention System (IPS)

The Intrusion Prevention System (IPS), by contrast, is a more general-purpose protection appliance or software. It inspects traffic for a wide variety of protocols, such as DNS, SMTP, TELNET, RDP, SSH and FTP, among others. For encrypted protocols (SSH, RDP, TLS) it can only judge what is visible on the wire, such as connection patterns and handshake data, unless the traffic is decrypted for it.

An IPS detects malicious traffic using several methods, for instance:

  • Signature-based detection: the IPS uses signatures just as an antivirus does. When traffic matches a known pattern, the IPS recognizes the threat, blocks it and sends an alert to the administrator. For this method to work correctly, all signatures must be kept up to date, and it cannot catch an attack for which no signature exists yet.
  • Policy-based detection: the IPS requires that security policies be declared very specifically. It recognizes traffic that falls outside these policies and automatically rejects the abnormal behavior or unusual traffic.
  • Anomaly-based detection: this relies on a pattern of normal traffic behavior and can be applied in two ways, automatic or manual. In automatic mode the IPS performs statistical analysis of the traffic and establishes a baseline to compare against; when traffic moves too far from this baseline it sends an alert. In manual mode the administrator defines what normal traffic looks like, and alerts are sent when traffic moves away from that rule. The disadvantage of the manual way is that, being less flexible and dynamic, it can raise false alerts. The automatic baseline has its own caveat: it is only as good as the learning window, so the traffic captured during that window should be known-clean.
  • Honeypot detection: works by using a computer configured to attract attackers' attention without compromising the security of the real systems. Using this bait, attacks can be monitored and analyzed so that, once identified, they can be used to establish new policies.
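The first three detection methods, as an added example that is not part of the original article: a toy IPS in Python that applies a port policy, a byte-pattern signature set and a learned per-source connection-rate baseline to constructed flow records. The policy, the signature ids, the payload snippets and the addresses are all invented for the demo; the anomaly detector also accepts a hand-set threshold to show how the manual mode produces false alerts when it is set without regard to the real baseline.

```python
"""Toy IPS over flow records: policy, signature and anomaly detection side by side.

Added example, not code from the original article. All flow records, the
port policy and the two signatures are constructed for the demo; the
signature ids are invented and do not refer to any vendor rule set.
"""
from collections import Counter
from statistics import mean, pstdev


def _flows(minute, src, n, port=443, payload=b"\x16\x03\x01"):
    """n connection attempts from src in the given minute (default: start of a TLS record)."""
    return [(minute, src, port, payload) for _ in range(n)]


# Learning window: three minutes of ordinary traffic from three internal clients.
BASELINE_FLOWS = (
    _flows(1, "10.0.0.5", 3) + _flows(1, "10.0.0.6", 2) + _flows(1, "10.0.0.7", 4)
    + _flows(2, "10.0.0.5", 3) + _flows(2, "10.0.0.6", 3) + _flows(2, "10.0.0.7", 2)
    + _flows(3, "10.0.0.5", 2) + _flows(3, "10.0.0.6", 4) + _flows(3, "10.0.0.7", 3)
)

# Live minute: one normal client plus three different kinds of hostile traffic.
LIVE_FLOWS = (
    _flows(4, "10.0.0.5", 3)
    + _flows(4, "203.0.113.9", 40, port=22, payload=b"SSH-2.0-OpenSSH")  # SSH brute-force burst
    + [(4, "203.0.113.10", 23, b"\xff\xfd\x18")]                        # TELNET option negotiation
    + [(4, "203.0.113.11", 21, b"SITE EXEC %p%p%p\r\n")]                # FTP command probe
)

# Policy-based: declare exactly what is permitted; everything else is rejected.
POLICY_ALLOWED_PORTS = {21, 22, 25, 53, 80, 443}  # constructed: no TELNET (23), no RDP (3389)

# Signature-based: (id, destination port, byte pattern). Constructed, not real signatures.
SIGNATURES = [
    ("SIG-FTP-0001", 21, b"SITE EXEC"),
    ("SIG-SMTP-0002", 25, b"VRFY "),
]


def policy_alerts(flows):
    """Policy-based: any destination port outside the allow-list is an alert."""
    return [("policy", src, f"dst port {port} not permitted")
            for _, src, port, _ in flows if port not in POLICY_ALLOWED_PORTS]


def signature_alerts(flows):
    """Signature-based: byte pattern seen on the port the signature applies to."""
    alerts = []
    for _, src, port, payload in flows:
        for sig_id, sig_port, pattern in SIGNATURES:
            if port == sig_port and pattern in payload:
                alerts.append(("signature", src, sig_id))
    return alerts


def learn_baseline(flows):
    """Automatic anomaly mode: mean and stdev of connections per source per minute."""
    per_source_minute = Counter((minute, src) for minute, src, _, _ in flows)
    values = list(per_source_minute.values())
    return mean(values), pstdev(values)


def anomaly_alerts(flows, baseline=None, k=3.0, manual_threshold=None):
    """Alert on sources whose connection count in a minute exceeds the threshold.

    The threshold is either learned (mean + k * stdev of the baseline) or set by
    hand (manual_threshold). A hand-set value that is too low raises false alerts
    on ordinary clients, which is the weakness the text attributes to manual mode.
    """
    if manual_threshold is not None:
        threshold = manual_threshold
    else:
        mu, sigma = baseline
        threshold = mu + k * sigma
    counts = Counter((minute, src) for minute, src, _, _ in flows)
    return [("anomaly", src, f"{n} connections in minute {minute} (threshold {threshold:.1f})")
            for (minute, src), n in counts.items() if n > threshold]


def run_ips(baseline_flows, live_flows):
    """Run all three methods on the live window and return the combined alert list."""
    baseline = learn_baseline(baseline_flows)
    return (policy_alerts(live_flows)
            + signature_alerts(live_flows)
            + anomaly_alerts(live_flows, baseline))


if __name__ == "__main__":
    for alert in run_ips(BASELINE_FLOWS, LIVE_FLOWS):
        print(alert)
```

Each hostile source is caught by a different method: the TELNET connection only by policy, the FTP probe only by its signature, and the SSH burst only by the learned baseline (roughly 5 connections per minute here), since port 22 is allowed and no signature matches a brute-force attempt. Setting the anomaly threshold by hand to 2 also flags the normal client at 10.0.0.5, the false alert the manual mode is prone to.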

An IPS device can be used to improve security and support a firewall. As shown in the picture below, it blocks the abnormal traffic from the Internet that was not stopped by the first line of defense, the firewall.

Which one is my best option?

It is clear that even though both solutions add an extra security layer to the network, they work on different types of traffic. So, instead of competing, they mostly complement each other. Although an IPS appears to cover a wider range of traffic, there is one very specific kind, the application-level content of HTTP requests and responses, that only a WAF understands well enough to protect. So we highly recommend having both solutions, especially if your environment works closely with the web.

The chart below shows a quick comparison of both solutions.

Fortunately, nowadays there are full-package solutions that give you the best of both worlds.

The challenge is to select the right WAF hardware platform to run the software-based security mechanisms effectively. The most practical way to protect the enterprise data center from attackers is to implement a combined hardware/software or hybrid solution.

When choosing a web application firewall, consider the following requirements:

  • SSL/TLS acceleration: TLS termination is critical to a WAF, because it can only inspect HTTP traffic it can decrypt, and the public-key operations in the handshake are CPU-heavy. For optimal performance, hardware acceleration that offloads this cryptography from the main CPU is recommended.
  • DPI: since the WAF is deployed between the enterprise servers and the users, one of its main missions is to monitor the traffic and block any malicious attempt. This requires efficient Deep Packet Inspection (DPI) backed by powerful hardware.
  • High performance and high throughput: as DPI and TLS processing are both CPU-intensive, the hardware architecture for WAF deployments must offer dedicated processing capability to run the security software at line rate.
  • High availability: a WAF runs 24/7 and sits inline in front of the applications, so high availability is critical; redundant power supplies are the minimum, and because an inline WAF is a single point of failure, units are commonly deployed in redundant pairs.
  • Scalability: since web application services may expand as the customer base grows, enterprise WAFs must be scalable by hardware means in order to boost performance and accelerate critical applications in the simplest way.


Source: https://www.lanner-america.com/blog/waf-vs-ips-whats-difference/

Posted on 2022-01-17 09:51 by zzzzy09