By Mariann Utrosa • November 9, 2015

Firewall? IDS? IDP? WAF?

What does it all mean?

Firewalls typically sit on the perimeter of a network and are the most common means of protecting an IT environment. A firewall has the ability to filter or block access, but it is a simple administrative tool and not a physical or magical barrier, so it cannot actually block the attackers themselves. Traditional packet filter firewalls are quite effective and "just work" because they are straightforward to configure while almost impossible to mess up. Of course, this assumes that the person configuring the firewall does not make any mistakes, accidental or deliberate, during setup or ongoing maintenance.
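To make the "straightforward to configure, yet dependent on the administrator" point concrete, here is an added example (not code from the original article) of a toy stateless packet filter: first matching rule wins, and anything that matches no rule is dropped. The hosts, networks, rule sets and probe packets are all constructed for the example; the "bad" rule set shows how one rule that lost its source restriction quietly exposes an admin-only service.

```python
"""Toy stateless packet filter with first-match evaluation and default deny.
Added example, not from the original article. All addresses are from the
RFC 5737 documentation ranges and every rule and packet below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # any source unless narrowed
    dst: str = "0.0.0.0/0"      # any destination unless narrowed
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; unmatched traffic is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


WEB = "203.0.113.10/32"        # constructed DMZ web server
ADMIN_NET = "198.51.100.0/24"  # constructed admin network

# Intended policy: public HTTPS/HTTP, SSH only from the admin network,
# and drop anything claiming an internal (10/8) source on the outside.
GOOD_RULES = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("allow", dst=WEB, proto="tcp", dport=80),
    Rule("allow", src=ADMIN_NET, dst=WEB, proto="tcp", dport=22),
]

# Same policy after a maintenance slip: the SSH rule lost its source restriction.
BAD_RULES = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("allow", dst=WEB, proto="tcp", dport=80),
    Rule("allow", dst=WEB, proto="tcp", dport=22),   # mistake: any source may reach SSH
]

# Constructed probe packets a reviewer would use to check the policy.
PROBES: List[Tuple[str, Packet]] = [
    ("public https", Packet("192.0.2.5", "203.0.113.10", "tcp", 443)),
    ("public ssh", Packet("192.0.2.5", "203.0.113.10", "tcp", 22)),
    ("admin ssh", Packet("198.51.100.7", "203.0.113.10", "tcp", 22)),
    ("spoofed internal", Packet("10.1.2.3", "203.0.113.10", "tcp", 443)),
    ("unlisted udp", Packet("192.0.2.5", "203.0.113.10", "udp", 53)),
]


def audit(rules: List[Rule], probes=PROBES) -> dict:
    """Map each probe description to the filter's decision, for diffing
    the intended policy against what the rules actually do."""
    return {desc: evaluate(rules, pkt) for desc, pkt in probes}


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(rules))
```

Running the audit against both rule sets shows the only difference is "public ssh": denied under the intended policy, allowed after the slip. Keeping a probe list like this in version control and re-running it after every rule change is the cheap way to catch the administrator error the paragraph warns about.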

An Intrusion Detection System (IDS) sits in-line watching network traffic and is a step up from a firewall. An IDS matches data within packets against a signature database while simultaneously searching for and detecting anomalies against a pre-defined "normal" traffic profile. An Intrusion Protection System (IPS) is similar to an IDS but goes even further by reacting or responding to what it detects. Both technologies are complementary but share the same inherent shortcoming: they operate on known signatures and therefore have trouble with newer attacks and unknown signatures.

Like an IPS, a Web Application Firewall (WAF) sits in-line, but monitors network traffic to and from a specific web application or server. A WAF can provide protection against threats like Cross-Site-Scripting or SQL injection, but can only detect an attack when it looks like a pattern that the WAF is configured to expect. There are many vulnerabilities which do NOT resemble expected patterns.
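The two preceding paragraphs describe both detection models an IDS or WAF relies on: matching known signatures, and scoring traffic against a "normal" baseline. The added example below (not from the original article) runs both over a handful of constructed HTTP access-log lines. The signatures, the baseline response sizes and every log line are made up for the example; the last request is deliberately one that looks like ordinary traffic, to illustrate the article's point that vulnerabilities which do not resemble a configured pattern pass straight through.

```python
"""Signature matching plus baseline anomaly scoring over HTTP access-log lines.
Added example, not from the original article; the rule set, baseline and
log lines are all constructed for illustration."""
import re
from statistics import mean, pstdev
from typing import Dict, List
from urllib.parse import unquote

# Illustrative signatures of the kind an IDS/WAF rule set carries (constructed).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}

# Minimal access-log format used by the constructed samples below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse(line: str) -> Dict[str, object]:
    """Split one access-log line into its fields; reject lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def signature_hits(path: str) -> List[str]:
    """Names of all signatures that fire on the (URL-decoded) request path."""
    decoded = unquote(path)   # rule engines normalise encoding before matching
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def anomaly_score(value: float, baseline: List[float]) -> float:
    """Standard-score of a value against the 'normal' traffic profile."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0   # avoid division by zero on a flat baseline
    return (value - mu) / sigma


def inspect(lines: List[str], baseline_bytes: List[float], threshold: float = 3.0):
    """Classify each line as 'signature', 'anomaly' or 'pass'."""
    findings = []
    for line in lines:
        rec = parse(line)
        hits = signature_hits(rec["path"])
        z = anomaly_score(rec["bytes"], baseline_bytes)
        if hits:
            verdict = "signature"
        elif z > threshold:
            verdict = "anomaly"
        else:
            verdict = "pass"
        findings.append({"path": rec["path"], "verdict": verdict,
                         "hits": hits, "z": round(z, 1)})
    return findings


# Constructed baseline of response sizes observed during a "normal" period.
BASELINE_BYTES = [1200, 1350, 1100, 1280, 1400, 1250]

# Constructed log lines: one normal request, two that match a signature, one
# oversized response that only the anomaly profile flags, and one request that
# exercises an authorization flaw yet looks exactly like legitimate traffic.
SAMPLE_LOG = [
    '192.0.2.10 "GET /search?q=shoes HTTP/1.1" 200 1300',
    '192.0.2.11 "GET /login?user=admin\'%20OR%20\'1\'=\'1 HTTP/1.1" 200 1250',
    '192.0.2.12 "GET /comment?text=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 1280',
    '192.0.2.13 "GET /export?report=all HTTP/1.1" 200 48000',
    '192.0.2.14 "GET /account/1002/statement HTTP/1.1" 200 1250',
]

if __name__ == "__main__":
    for f in inspect(SAMPLE_LOG, BASELINE_BYTES):
        print(f"{f['verdict']:<9} z={f['z']:>6} hits={f['hits']} {f['path']}")
```

The fourth line shows why the article treats the two mechanisms as complementary: nothing in the request matches a signature, but a 48,000-byte response against a baseline near 1,300 bytes is far outside the profile. The fifth line is the gap neither mechanism closes: whether that account belongs to the requester is an application decision, not a pattern in the traffic.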

A multi-layered approach to data security, including all of the components listed above, is the new 'minimum standard'. Anything less is simply not good enough.