What An Intrusion Prevention System (IPS) Is & What It Isn’t

I recently discovered how, on the cyber front, people frequently misunderstand what an Intrusion Prevention System (IPS) is and isn’t.  What it can and can’t do.  The level of protection it affords them.  And in fact, it made me realize why so many companies do not have a Web Application Firewall (WAF) when they so badly need it.

For starters, IPS is a layer 3 tool.  It monitors packets inbound and outbound, one packet at a time.  That’s very useful for deep packet inspection, but it does have limitations with the primary one being that it is what it is – a layer 3 tool.  It only understands packets, single packets.  Not transactions.  Not layer 7 protocols (i.e., HTTP), and definitely not applications.

But most importantly, what an IPS isn’t is equally as important as what an IPS is.

And IPS is NOT a proxy.

It can’t intercept traffic for proper scanning.  It scans “on the fly“. Meaning it can’t decrypt encrypted traffic ergo it can’t really protect your server if port 443 is open.

When a browser connects to a server, the first thing that happens is the server issues a key for that session.  If the same user, from the same workstations, from the same browser even, opens a new session (new tab, new window), and connects to the same server, the encryption of that new session is different from the encryption of the previous session.  Each session is encrypted with its own key.  Issued by the server.  Every time a new session is initiated.

Therefore, an IPS won’t be able to read inside an HTTPS transaction. For that matter, it’ll never be able to read inside an properly encrypted stream either. It’s the nature of encryption to be that way.  Designed to be protected in this manner.  Otherwise, what would be the point of having encryption if any tool out there could break it?

So, your IPS cannot scan incoming encrypted traffic “attacking” your server. It can’t scan such traffic even if you’re the client and the server is outside of your network. But for that, most of us (hopefully all) already have what we call an outbound proxy. We use it for policy enforcement.  And if we have an updated one, we have a vendor-provided public certificate which is installed on our client, allowing the proxy to make outbound HTTPS connections on our behalf.

And scan that traffic.

But for inbound traffic (when you have a server that’s yours and it needs protection against  internet attacks), that’s a different story.  A regular proxy can’t protect you since it’s built to protect the client’s browser from infections on the server.  Here, we’re talking about quite the opposite.  Protecting a server from attacks coming from a client.  For this, you will need what is called an inbound proxy.  Or what’s most commonly known as a WAF (Web Application Firewall).

So what is a WAF?

It’s a layer 7 tool.  A proxy that understands HTTP protocol.  It’s able to intercept browser calls to a web server in order to protect it from things like SQL Injections.  A recent example is Citrix Vulnerability – CVE-2019-19781.

Citrix uses HTTPS.  An IPS that has the proper signature to block exploits to this vulnerability can’t do its job properly because the traffic’s encrypted.  A WAF would intercept those calls, decrypt the traffic, pass it to the IPS, and this blocks the attacks.  Major difference, as you can see.

A WAF does a whole lot more to protect your servers.

But the main idea here is that most traffic is encrypted.

And in order to scan for attacks, you’d need to decrypt it.  And only a layer 7 tool like the WAF can do that.  A WAF would be doing HTTPS offloading meaning you’d install the web server private CA, Certs and Keys on the WAF, and your remote browsers would be talking to the WAF.

Never to the server.  The WAF would then be able to decrypt the traffic, and analyze it for threats.  If the traffic’s deemed safe, then it’d re-encrypt it and pass it on to the server (actually, if the server’s locally connected to the WAF, this second encryption may not even be necessary).

So next time you’re installing a web server and someone says just an IPS is sufficient to protect it, you know now that is completely not true.

If you really want to protect a web server, you need a tool which understands the layer 7 protocols that server is using, and can decrypt the traffic in order to scan for threats.

And that tool is the WAF.