Does it make sense to augment WAF (Web Application Firewall) with an IPS (Intrusion Prevention System)?

Question: Is there any added value in this scenario to also have an IPS / Deep Packet Inspection solution in place? From all I understand: No. But I didn't find any clear answer out there.

To answer the question, first let's unpack the key term "value". What we're doing here is asking "what's the value of a security control?".

Security controls (WAFs, IPSs, SPI firewalls being examples of technical security controls) are put in place to manage risk. Security controls that cost more than the expected loss over time of not having the control would not typically be put in place, and ones that cost less than the expected loss over time would be put in place.

Whether there's any value in putting an IPS in when a firewall limited to one port and a WAF is in place is really asking this question: Is the expected loss based on how everything is set up at the moment minus the expected loss after the IPS has been put in place greater than the cost of the IPS? If the answer is yes then there's no value in putting in an IPS, since the cost of putting it in is greater than the benefit it provides. This is an example of the risk management process in action.

When it comes to this particular situation, there is not enough information to definitively answer the question. Any technical answer given is not going to do it. Even if we had all the information, which would be extensive, there are enough variations in how people calculate risk that we'd definitely not be able to do anything beyond giving "a way of doing it", and possibly the longest Serverfault answer ever :-)

In general terms though, these are areas where an IPS (we'll conflate HIPS and NIPS here for simplicity) provides opportunity for value when implemented along with the existing solutions:

  1. For cases where there's crossover in functionality, as a secondary control if the firewall or WAF was misconfigured or compromised, does not pick up the threat, or detects the threat by a different method, thus increasing the probability of detecting detection evasion techniques.
  2. For cases where the IPS provides additional protection not already provided. This is product and implementation dependent but may include things like...
    • Blocking known-malicious IP addresses
    • Blocking based on event correlation - e.g. IPs that have been seen to be port scanning prior to sending the HTTP requests
    • Preventing / detecting file modifications by unauthorized processes
    • Many others
  3. For increased visibility. The IPS will generally be able to give you more visibility into the threat landscape since it's looking at a lot more of what's going on in the environment, not just the web traffic.

In summary, whether an IPS is of value will depend on risk. There are certainly scenarios where one would choose to put in an IPS in this scenario even if it provided only redundancy and no additional functionality - the "belt and braces" approach. If protecting a personal website, probably not going to be worth it, if protecting billions of dollars worth of intellectual property, more likely to be of value.
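A toy cost-benefit model of the reasoning in this answer, added here as an example and not part of the original post: it compares annual loss expectancy with and without an IPS behind the existing port-restricted firewall and WAF, and lets you dial how much the controls overlap (the `overlap` parameter, the catch rates, costs and loss figures are all constructed assumptions, not real product data).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # licence, hardware and operations per year
    catch_rate: float   # probability this control alone stops one attack

@dataclass(frozen=True)
class Threat:
    name: str
    attempts_per_year: float  # expected attack attempts reaching the stack
    loss_per_success: float   # single loss expectancy for one successful attack

def bypass_probability(controls, overlap=0.0):
    """P(attack evades every control). overlap=0.0 treats controls as
    independent detectors (best case for layering); overlap=1.0 assumes they
    all catch the same attacks, so the chain is only as good as its strongest
    member (pure redundancy). The linear blend is this toy model's assumption."""
    if not controls:
        return 1.0
    independent = 1.0
    for c in controls:
        independent *= 1.0 - c.catch_rate
    strongest_only = min(1.0 - c.catch_rate for c in controls)
    return independent + overlap * (strongest_only - independent)

def annual_loss_expectancy(threats, controls, overlap=0.0):
    """ALE: sum over threats of frequency x impact x P(bypass)."""
    p = bypass_probability(controls, overlap)
    return sum(t.attempts_per_year * t.loss_per_success * p for t in threats)

def net_value_of_adding(candidate, existing, threats, overlap=0.0):
    """(ALE before - ALE after) - candidate cost; positive means it pays for itself."""
    before = annual_loss_expectancy(threats, existing, overlap)
    after = annual_loss_expectancy(threats, [*existing, candidate], overlap)
    return (before - after) - candidate.annual_cost

# Constructed figures for illustration only, not vendor data or anything from the thread.
FIREWALL = Control("port-restricted firewall", annual_cost=2_000, catch_rate=0.5)
WAF = Control("WAF", annual_cost=15_000, catch_rate=0.8)
IPS = Control("IPS", annual_cost=20_000, catch_rate=0.6)
ENTERPRISE = [Threat("web app attack", attempts_per_year=10, loss_per_success=50_000)]
PERSONAL_SITE = [Threat("web app attack", attempts_per_year=10, loss_per_success=500)]

if __name__ == "__main__":
    for label, threats in (("enterprise", ENTERPRISE), ("personal site", PERSONAL_SITE)):
        for overlap in (0.0, 1.0):
            v = net_value_of_adding(IPS, [FIREWALL, WAF], threats, overlap)
            print(f"{label:13s} overlap={overlap:.1f}: net value of adding IPS = {v:+,.0f}")
```

With these constructed numbers the IPS pays for itself only for the high-value asset and only when it catches attacks the WAF misses; as pure redundancy (overlap 1.0) or in front of a personal site its cost exceeds the loss it prevents, which is the "it depends on risk" conclusion above made explicit.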