I had some very interesting and very interactive customer visits lately and some questions came up about IDS/IPS vs AppFW. I think we could have talked all day about it if I didn’t have other meetings to attend. So, then why not blog about it 🙂

Deep Packet Inspection (DPI) is best for non-web protocols where it isn’t necessary to be a proxy to make it work.

  • Intrusion Detection Systems (IDS) are normally passive systems that detect problems and alert administrators about them.
  • Intrusion Prevention Systems (IPS) have features like IDS, but normally sit inline with the traffic flows and can also be active by stopping the attacks.

When you are dealing with the web, application firewalls are necessary because …

  1. You need to be able to parse through the HTTP requests, normalize inputs, and in some cases do calculations like credit card numbers, etc.
  2. You need context sensitivity to know when to allow something vs. block it. E.g., “O’Brien” is a valid name, but `';select 1=1; '` is not.
  3. You need the flexibility of combining signatures for well-known exact patterns with a whitelist (positive security model) to provide full protection, which is the hybrid model that NetScaler AppFW provides. See the Hybrid blog for details.
  4. You need specific actions such as stripping comments from every response, rather than only matching attack signatures against traffic that arrives exactly as the patterns.
  5. You may care about preventions such as Cross Site Request Forgery (CSRF), XSS and SQL injection that may not be available in some DPI products. NetScaler can provide full protection with and without signatures, not only blocking malicious requests but also transforming the attacks to make them safe or harmless.
  6. You have a security team that is very worried about PCI compliance for auditing, reporting, etc. See the PCI compliance blog for details.
  7. Aside from network state (keeping track of who requested and who responded), you want to make sure that forms, content, cookies, etc. are not tampered with in transit. An example is that what is rendered by the server is what is preserved at the client and perhaps in the subsequent request.
  8. If you care about protecting forms or form integrity, NetScaler not only provides form field consistency but does so sessionlessly. See the Sessionless blog for details.
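As an added illustration of points 1 to 3 (example code written for this post, not NetScaler’s own logic or configuration), here is a small Python model of the hybrid check: normalize the input first, then apply a per-field whitelist, and fall back to exact-pattern signatures. The field rules, signatures and sample values are constructed for the example.

```python
import re
import html
from urllib.parse import unquote_plus

# Positive security model: per-field whitelist of what well-formed input looks like.
# Constructed for this example; a real deployment learns or configures these per app.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}"),  # O'Brien is fine here
    "zip": re.compile(r"\d{5}(-\d{4})?"),
}

# Negative security model: signatures for well-known exact attack patterns.
SIGNATURES = [
    ("sql-stacked-query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
    ("sql-tautology", re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]


def normalize(value):
    """Undo the encodings a payload may hide behind before inspecting it."""
    decoded = value
    for _ in range(3):  # bounded: double encoding is common, unbounded decoding is a DoS risk
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = html.unescape(decoded)          # O&#39;Brien -> O'Brien
    return re.sub(r"\s+", " ", decoded).strip()


def inspect_field(field, raw_value):
    """Hybrid decision for one request parameter: returns (action, reason)."""
    value = normalize(raw_value)
    rule = FIELD_RULES.get(field)
    # 1. Whitelist first: context decides, so an apostrophe in a name is allowed.
    if rule and rule.fullmatch(value):
        return ("allow", "whitelist:" + field)
    # 2. Signatures for exact, well-known patterns, regardless of field.
    for name, sig in SIGNATURES:
        if sig.search(value):
            return ("block", "signature:" + name)
    # 3. A field with a rule that matched no signature is still blocked:
    #    the positive model catches attacks no signature knows about yet.
    if rule:
        return ("block", "whitelist-violation:" + field)
    return ("allow", "no-rule")
```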

Bottom line: It’s not one vs. the other; it is picking the right tool for the right job and right environment.