Does it make sense to augment WAF (Web Application Firewall) with an IPS (Intrusion Prevention System)?
Question: Is there any added value in this scenario to also have an IPS / Deep Package Inspection solution in place? From all I understand: No. But I didn't find any clear answer out there.
To answer the question, first let's unpack they key term "value". What we're doing here is asking "what's the value of a security control?".
Security controls (WAFs, IPSs, SPI firewalls being examples of technical security controls) are put in place to manage risk. Security controls that cost more than the expected loss over time of not having the control would not typically be put in place, and ones that cost less than the expected loss over time would be put in place.
Whether there's any value in putting an IPS in when a firewall limited to one port and a WAF is in place is really asking this question: Is the expected loss based on how everything is set up at the moment minus the expected loss after the IPS has been put in place greater than the cost of the IPS. If the answer is yes
then there's no value in putting in an IPS, since the cost of putting it in is greater than the benefit it provides. This is an example of the risk management process in action.
When it comes to this particular situation, there is not enough information to definitively answer the question. Any technical answer given is not going to do it. Even if we had all the information, which would be extensive, there are enough variations in how people calculate risk that we'd definitely not be able to do anything beyond giving "a way of doing it", and possibly the longest Serverfault answer ever :-)
In general terms though, these are areas where an IPS (we'll conflate HIPS and NIPS here for simplicity) provides opportunity for value when implemented along with the existing solutions:
- For cases where there's crossover in functionality, as a secondary control if the firewall or WAF was misconfigured or compromised, does not pick up the threat, or detects the threat by a different method, thus increasing the probability of detecting detection evasion techniques.
- For cases where the IPS provides additional protection not already provided. This is product and implementation dependent but may include things like...
- Blocking known-malicious IP addresses
- Blocking based on event correlation - eg. IPs that have been seen to be port scanning prior to sending the HTTP requests
- Preventing / detecting file modifications by unauthorized processes
- Many others
- For increased visibility. The IPS will generally be able to give you more visibility into the threat landscape since it's looking at a lot more of what's going on in the environment, not just the web traffic.
In summary, whether an IPS is of value will depend on risk. There are certainly scenarios where one would choose to put in an IPS in this scenario even if it provided only redundancy and no additional functionality - the "belt and braces" approach. If protecting a personal website, probably not going to be worth it, if protecting billions of dollars worth of intellectual property, more likely to be of value.