Web Application Firewall

Web Application Firewall Definition

A Web Application Firewall (WAF) is a security device that makes up part of a comprehensive cybersecurity strategy designed to protect organizations at the application level. WAFs achieve this goal by monitoring, filtering, and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the internet and the web application.

Acting as a reverse proxy, the purpose of a common web application firewall is to shield the application from malicious requests and stop them before they reach the web application or user. In this way, a WAF protects the organization against a range of application-layer attacks, including SQL injection, cross-site scripting (XSS) attacks, cross-site request forgery (CSRF), denial of service (DoS) and distributed denial of service (DDoS) attacks, and zero-day attacks.

Web Application Firewall FAQs

What Is A Web Application Firewall?

A web application firewall (WAF) guards web applications from a range of application-layer attacks including SQL injection, cross-site scripting (XSS), distributed denial of service (DDoS) attacks, and cookie poisoning, to name a few. Because applications are the means for attackers to connect to valuable data, they are also the leading source of breaches—making implementing the right WAF a critical step.

 

 

How Does A Web Application Firewall Work?

To understand how web application firewalls work, first realize that there are a few possible deployment models for a WAF:

  • Appliance WAF: Hardware-based or running on a virtual appliance
  • Host-based WAF: Software running with the web application on the same server
  • Cloud WAF: Cloud-based web application firewall platform or service

Appliance WAF

Most appliance or network WAFs are hardware-based. These have several advantages. To reduce latency, they can be installed locally as close to the field application as possible using dedicated equipment. And most hardware-based WAFs support large scale deployments on corporate networks by allowing admins to copy rules and settings between devices.

The disadvantages of an appliance WAF are ongoing maintenance costs and a large upfront investment.

Running the WAF as a virtual appliance is an alternative, either by deploying a pre-configured cloud machine image in the public cloud, or using network function virtualization (NFV) technology locally. This will reduce the upfront investment, but does not address the maintenance costs.


Host-Based WAF

Host-based WAFs can be highly customized at a low cost because they can be fully integrated into your application code. However, host-based WAFs demand the installation of specific libraries on the application server, making them more complex to deploy, and they rely on server resources to function. This approach also makes the WAF a dependency of the web application, adding it to the list of development lifecycle management tasks.


Cloud Web Application Firewall (Cloud WAF)

These turnkey WAF solutions offer a cost-effective option that delivers rapid deployment with no upfront investment. Typically, cloud WAF solutions work with simple DNS or proxy configuration and are subscription based. Advantages include updated threat intelligence, and often managed services to help respond to attacks in real-time and define security rules.


The potential disadvantage with cloud WAFs is reliability; they must effectively route all traffic to your web application. The top web application firewalls manage to do this with the best performance, but when WAF performance is poor, so is your site’s performance. This is why the best web application firewall solutions provide integrated WAF, DDoS, and CDN protection to ensure minimal latency and maximum uptime.

Regardless of the deployment model, the WAF sits in front of the web application so it can intercept all internet traffic to and from it.

The network administrator defines a set of policies or rules for the WAF to operate. Each WAF rule or policy addresses a known vulnerability or an application-level threat. Deployed as a whole, the policies identify malicious traffic and isolate it before it can reach an application or user. When that happens, users are likely to see a warning from the WAF: “the transfer has triggered a web application firewall.”

But what does a web application firewall do? Beyond these deployment models, there are several types of web application firewalls.


Blocklist Web Application Firewall (Blocklist WAF)

A blocklist WAF denies access to known attacks and traffic on a set list based on a negative security model. A blocklist, sometimes called a blacklist, contains a list of prohibited traffic and things that should not pass the firewall processor; it is the opposite of an allowlist.


Allowlist Web Application Firewall (Allowlist WAF)

An allowlist WAF admits only traffic on an approved list based on a positive security model. The allowlist, sometimes called a whitelist, contains a list of safe things that may pass through firewall rule sets without being checked for malicious traffic. This would only be used for known safe traffic.


Hybrid Web Application Firewall (Hybrid WAF)

The most common approach taken by modern firewalls, a hybrid WAF applies both blocklist and allowlist model elements.


Signature-Based Detection

Although signature-based detection is more in the realm of intrusion detection than WAFs, many modern firewalls do include this feature. Signature-based detection searches for specific, known, malicious patterns and blocks any such requests.
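The blocklist, allowlist, and hybrid models and signature matching described above can be compared side by side. The following is an added example, not code from the original page or from any WAF product; the signatures, the application profile, the paths, and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative security model: constructed signatures, not a vendor rule set.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}

# Positive security model: hypothetical application profile that maps
# (method, path) to the parameters and value patterns the application expects.
PROFILE = {
    ("GET", "/products"): {"id": re.compile(r"\d{1,9}")},
    ("GET", "/search"): {
        "q": re.compile(r".{1,100}", re.S),   # free text, length-limited only
        "page": re.compile(r"\d{1,4}"),
    },
}


def _params(url):
    """Split a request target into (path, decoded query parameters)."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def blocklist_check(method, url):
    """Return the name of the first signature that matches, else None."""
    _, params = _params(url)
    for name, value in params:
        for sig_name, rx in SIGNATURES.items():
            if rx.search(name) or rx.search(value):
                return sig_name
    return None


def allowlist_check(method, url):
    """Return None when the request fits the profile, else the reason."""
    path, params = _params(url)
    expected = PROFILE.get((method, path))
    if expected is None:
        return "unprofiled-endpoint"
    for name, value in params:
        rx = expected.get(name)
        if rx is None:
            return "unknown-param:" + name
        if not rx.fullmatch(value):
            return "bad-value:" + name
    return None


def decide(method, url, mode="hybrid"):
    """Return (action, reason) under 'blocklist', 'allowlist' or 'hybrid'."""
    if mode in ("allowlist", "hybrid"):
        reason = allowlist_check(method, url)
        if reason:
            return ("block", reason)
    if mode in ("blocklist", "hybrid"):
        reason = blocklist_check(method, url)
        if reason:
            return ("block", reason)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", "/products?id=42"),
        ("GET", "/products?id=42&debug=1"),
        ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        ("GET", "/admin/export"),
    ]
    for method, url in samples:
        row = {m: decide(method, url, m) for m in ("blocklist", "allowlist", "hybrid")}
        print(method, url, row)
```

The blocklist alone passes the unknown `debug` parameter and the unprofiled endpoint, the allowlist alone passes the script tag in the free-text field, and only the hybrid mode blocks all three.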

Web Security Gateway vs Web Application Firewall

Secure web gateways and WAFs, especially Next-Generation Firewalls, are similar. They both distinguish friendly vs. malicious traffic to provide advanced network and application protection. However, they are not comparable, and both are essential elements of enterprise security architecture.

Secure web gateways (SWGs) primarily work at the application level, protecting against advanced internet-based attacks and detecting malicious intent by inspecting actual traffic. WAFs also inspect traffic, but at the packet level, using deep packet inspection rules to identify safe applications and permit or refuse each packet network access while controlling and blocking dangerous applications.

Reverse Proxy vs Web Application Firewall

What is the difference between a reverse proxy and a WAF? The key difference is the lack of inspection and protection. Reverse proxies protect clients, while users deploy WAFs to protect servers and particular web applications running on them. In this case, the client is the web application, and the WAF is serving as a reverse proxy. WAFs can take the shape of a server plug-in, an appliance, or a filter, and can be customized.


The Global Web Application Firewall Market

The Gartner report on web application firewalls offers an interesting tool for analysis: the Gartner magic quadrant for web application firewalls. The quadrant assesses a basic list of web application firewall tools and vendors to provide an overview of the market.

Gartner breaks web application firewall vendors into four categories based on the type of web application firewall services they offer: leaders, challengers, visionaries, and niche players. Top web application firewall vendors can also be classified based on vertical (such as education or banking, financial services, and insurance); geography (such as North American or Asia Pacific); component (solution or service, and which type); and/or key stakeholders and partnerships involved. One final way to think about this is whether it’s an open source web application firewall solution such as Shadow Daemon or ModSecurity, or a managed web application firewall service. Amazon AWS web application firewall is an example of the latter.

Traditional Firewalls vs Web Application Firewalls

In a general sense, any firmware that filters network traffic is a firewall, but based on the type of protection the approach to filtering traffic offers, there are multiple categories of firewalls, including packet filtering, proxy servers, stateful inspection, and next-generation firewalls (NGFW).

The difference between a firewall and a web application firewall (WAF) is the WAF inspects and filters data packets at the application layer in a unique way that detects many attacks that are otherwise invisible. For example, a standard firewall won’t detect an SQL injection attack because it does not inspect application request payloads—SQL queries, for example. WAFs allow users to define which kinds of application behaviors are malicious by configuring specific rules, while a traditional firewall merely blocks traffic from particular areas or IP ranges.

The distinction between a web application firewall and a network firewall is based on differences in types of protection and application of security measures. A network firewall guards against unauthorized network access, while a WAF analyzes HTTP/HTTPS communication to protect the organization at the application level.

Technically speaking, the key difference within the Open Systems Interconnection (OSI) model is that WAFs protect from attacks at the application level or OSI model Layer 7. Network firewalls focus on network traffic and data transfer, operating on OSI model Layers 3 and 4.

A WAF also goes beyond merely blocking specific ports or IP addresses. WAFs seek out signs of a possible injection or attack in web traffic and are highly customizable.

Web Application Firewall vs Next-Gen Firewall

Web application firewall architecture only guards against web application attacks. Thus, although a WAF is a critical piece of cybersecurity strategy at the enterprise level, it must be bolstered by other security measures, and in no sense is a comprehensive answer.

A next-generation firewall (NGFW) combines WAF, network firewall, antivirus, and other security tools in a single platform. An NGFW can identify and prevent attacks at the port, application, and protocol levels like a traditional firewall, but it can also block modern threats such as application-layer and advanced malware attacks. You can also expect more advanced features from most NGFWs, such as intrusion prevention systems (IPS), application awareness, and cloud-enabled threat intelligence.

A next-gen firewall uses both VPN support and static and dynamic packet filtering to ensure security like a traditional firewall, but an NGFW also has other features:

  • Supports deep-packet inspection
  • Offers enhanced application layer visibility and control, can filter packets based on applications
  • Protects against malware and advanced persistent threats (APTs)
  • Makes future upgrades simpler
  • Supports external sources of intelligence

WAFs and NGFWs are functions that manage network traffic at different points. The NGFW is guarding the entrance to a shopping mall (network traffic), and the WAF is protecting a specific store (the application on the network).


Why Use A Web Application Firewall?

There are many important reasons to add a web application firewall to an enterprise security strategy. Organizations face increased application-level security risks due to remote work trends, “bring your own device” policies, an increased use of SaaS applications, along with cloud and web-based software. This massively increased attack surface of application programming interfaces (APIs) and web applications can in part be addressed by incorporating a WAF into the larger cybersecurity strategy.

WAFs protect organizations from digital threats at the application level, including:

DoS and DDoS
  • DoS and DDoS attacks are targeted, malicious attempts to disrupt business operations with overwhelming floods of false requests to the network.
Zero-Day Attacks
  • In a Zero-Day attack, a hacker exploits an unknown software or security flaw or vulnerability before the developer can release a patch.
Cross-Site Scripting (XSS)
  • In this code injection attack, the hacker inserts malicious code in a legitimate website that launches in the user’s browser as an infected script. This allows the attacker to impersonate the user or steal sensitive information.
SQL Injection
  • Similar to XSS, in SQL injection attacks, hackers inject malicious SQL statements into an application using a known vulnerability. This allows them to extract information and use, alter, or delete it.

Cyber attackers are constantly seeking new points of access to websites and applications. This means security-minded coding is good, but not sufficient, to keep users safe. Additional security tools like WAFs are also necessary. In fact, PCI DSS 3.1 requirement 6.6 suggests using a WAF or similar automated solution to monitor traffic continuously and prevent web-based attacks.

Who Uses Web Application Firewalls?

Given how common and how complex cyberattacks have become, most organizations find themselves in the position of needing to defend themselves from malicious attacks. E-commerce businesses, healthcare organizations, online financial services, and many others face an ongoing barrage of data theft and fraud threats. This can leave any brand open to possible regulatory discipline and compromised consumer trust.

WAFs are an important addition to a suite of tools to address these problems. A web application firewall can fortify an already-robust application security program with an essential extra layer of defense. WAFs can also help security professionals maintain more control, monitoring based on pre-determined rules and guidelines to alert for possible attacks in progress or based on customized rules. In short, WAFs are standard equipment at the enterprise level and increasingly for smaller online businesses as well.

Web Application Firewall Pros and Cons

What is the benefit of web application firewalls? There are many, and they are obvious products of WAF features.

Here are some typical web application firewall features:

Matching Against Attack Signature Database

Attack signatures are patterns such as known malicious IPs, and server responses, requests, and other signs that can help identify malicious traffic. This was the old school method all WAFs used, but against new and unknown attacks these databases are mostly ineffective.

Application Profiling

The WAF analyzes overall web application behavior and structure, including typical requests, URLs, and permitted data values and types. Creating a robust application profile may help identify and block abnormal or malicious requests.

AI/ML Traffic Pattern Analysis

The best web application firewall software and platforms use artificial intelligence algorithms and machine learning to perform behavioral analysis. They monitor traffic and characterize baselines for specific varieties, and in doing so capture anomalies. Thus, even when the application sustains novel attacks that don’t match known malicious patterns, using Artificial Intelligence, a WAF can identify the behavior in time.

DDoS Protection

WAFs and cloud-based distributed denial of service (DDoS) protection platforms often integrate to detect and defend against DDoS attacks. The WAF detects malicious requests, and the traffic moves to the DDoS protection system, which can withstand large volumetric attacks by scaling up.

Customization

WAF operators may define and instantly apply organization- or web application-specific security rules to application traffic. This enables customization of WAF behavior without the risk of legitimate traffic getting blocked.

Content Delivery Network (CDN)

Cloud-based WAFs are deployed at the edge of the network, and therefore may also provide a CDN that improves website load time by caching the website. The CDN created by the WAF is deployed globally across multiple points of presence (PoP), and users access the website through the nearest PoP.

Cloud-based web application firewalls keep your data secure and protect applications in a few significant ways.


Web Exploits

Deploying a cloud WAF is a good way to protect applications against web exploits, including security misconfigurations, cross-site scripting, and SQL injection attacks, and other Open Web Application Security Project (OWASP) top ten risks.

Skilled, experienced attackers work to uncover vulnerabilities in online application code. They quickly develop zero-day exploits once they discover these weaknesses and deploy them against applications running vulnerable code. Hackers might sell such exploits for profit, or use them to steal credit card information, customer data, or other personally identifiable information (PII).

Web commodity exploits are easy to execute and locate. Any application might be vulnerable to web attacks, even if its originating organization has intrusion detection and endpoint protection.

API Abuse

Hackers target not only web application vulnerabilities but also the systems that support applications. An application programming interface (API) drives communication between systems in most modern application development, and according to Tech Republic, 91% of enterprises experienced an API security incident in 2020.

APIs enable programs and machines to communicate and render the quickest delivery possible. Web and mobile apps rely on APIs to supply their supporting systems with critical information.

But API attacks that exploit broken authentication, a lack of rate limiting, and other OWASP Top Ten threats for APIs are increasingly popular. Cloud WAFs can help protect applications and their supporting systems from these attacks, but in themselves are not sufficient to protect APIs from exploits.

Availability Attacks 

Applications are vulnerable to availability attacks such as denial-of-service (DoS) attacks, in which hackers flood applications with massive volumes of traffic that can overwhelm even very well-engineered solutions. This can impair or degrade user experiences. On-prem deployments are particularly vulnerable to volumetric attacks such as DNS amplification attacks or SYN floods that overwhelm the network aggregation point or internet bandwidth by saturating the network with malicious traffic.

Many organizations deploy AWS web application firewall or Azure web application firewall and migrate to their respective cloud provider to mitigate volumetric DDoS attacks.

These providers offer security groups similar to a stateful firewall that allow users to block unwanted protocols and ports. This technique does not block traffic on the protocols or ports your application relies on, although it will prevent bogus traffic floods from reaching the application.

For this reason, phony application requests that target required protocols and ports are another favored form of attack. This is called an application DDoS attack because its target is not the network, but the application. When deployed together, volumetric and application DDoS attacks leave on-prem users with few defenses.

However, a cloud WAF does secure applications from both application DDoS and volumetric attacks. Cloud WAF DDoS mitigation solutions exist for cloud, on-prem, and hybrid environments.


Bots, Crawlers, and Scrapers

Even a very well-designed application that was initially deployed in a secure way can quickly become vulnerable. Competitors and malicious actors can use scrapers to monitor your site for changes and do things like undercut sales and steal customers. And crawlers can steal trade secrets and SEO information from a site.

A cloud WAF can prevent bots, crawlers, and scrapers from impacting your application. The result is reduced infrastructure costs, less unwanted traffic, a higher marketing ROI, and a better user experience overall.


Disadvantages of Web Application Firewalls (WAF)

No discussion of web application firewall benefits vs weaknesses is complete without a look at the downside, and web application firewall vulnerabilities do exist.

WAFs are deployed at the network edge and work to stop suspicious and malicious traffic. This filtering was originally rules-based, either from the WAF vendor for out of the box use, or customized by users.

However, rule-based WAFs demand very high maintenance. WAFs must be actively maintained and properly configured in an ongoing way to achieve full protection because WAFs rely so heavily on security rules and policies to defend against cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection, among other attacks.

Organizations must carefully define and apply managed rules to match their particular application patterns and adjust them as applications evolve. And because new attacks may demand totally new rules, it might be harder to address changing threat vectors.

The constant changing of rules also means that WAFs frequently experience many false positives or even risk allowing harmful traffic—a false negative—as practical requirements change faster than rules.

Operating WAFs in a microservices environment presents an additional challenge. New microservices versions are released many times a day in large microservices applications. Updating rules sets for every component is simply impractical. For this reason, microservices will often remain unprotected by a WAF.

How a Web Application Firewall Supports API Security

Applications and APIs are the foundation of internet-connected devices. Any program that uses a web browser is a web application, and any software that enables communication and data exchange between applications is an application programming interface, or API.

According to Verizon, web applications are the leading attack vector for cybercriminals, and according to the Gartner report on web application firewalls, by 2022 APIs will take over the dubious distinction of number one attack vector.

APIs often self-document their internal structure, implementation, and other information, which serves as intelligence for cyberattacks. Additional weaknesses make APIs vulnerable to other attacks, which is why flaws in business logic, insecure endpoints, lack of encryption, and weak authentication are all potentially problematic.


Man In The Middle (MITM)

In a man in the middle (MITM) attack, a hacker obtains sensitive information by secretly intercepting, relaying, or altering communications between two parties, including API messages.

For example, a perpetrator launching a MITM attack between a user’s browser and an API issuing a session token might be granted access to the user’s account, including login credentials and credit card information.

And, as discussed above, API injections such as SQLi and XSS as well as distributed denial-of-service (DDoS) attacks can also target APIs.


API Security Best Practices

Secure APIs against these common attacks with best practices for authentication and authorization.


Authentication:

Determine the end user’s identity. TLS protocol is acceptable for basic authentication in a REST API, but OpenID Connect and OAuth 2 are more secure alternatives.


Authorization:

Determine which resources a user can access. APIs should be designed and verified to prevent access to API functions outside predefined roles. For example, no read-only API client should have access to an admin functionality endpoint.

Validate API calls against clearly defined API schemas. Performing schema validation and scanning payloads can prevent malicious entity declarations, code injections, and parser attacks. To prevent endpoint attacks and validate incoming queries, assign an API token for each API call. And prevent site traffic interception and mitigate MITM attack threats by encrypting and authenticating transmitted data and securing all webpages with TLS/SSL.
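The authorization and schema-validation checks described above can be sketched as a single gate in front of an API. This is an added example, not code from the original page or from any product; the tokens, roles, routes, and schemas are constructed placeholders.

```python
import hmac
import json

# Constructed placeholder tokens mapped to roles.
TOKENS = {"tok-reader-EXAMPLE": "read-only", "tok-admin-EXAMPLE": "admin"}

# Hypothetical role-to-endpoint map: a read-only client gets no admin route.
ROLE_ROUTES = {
    "read-only": {("GET", "/v1/orders")},
    "admin": {
        ("GET", "/v1/orders"),
        ("POST", "/v1/orders"),
        ("POST", "/v1/admin/users"),
    },
}

# Hypothetical request-body schemas: field name -> required JSON type.
SCHEMAS = {
    ("POST", "/v1/orders"): {"sku": str, "quantity": int},
    ("POST", "/v1/admin/users"): {"email": str, "role": str},
}


def role_for(token):
    """Map an API token to its role, comparing in constant time."""
    supplied = (token or "").encode()
    for known, role in TOKENS.items():
        if hmac.compare_digest(known.encode(), supplied):
            return role
    return None


def validate_body(schema, raw):
    """Return None if the body matches the schema exactly, else a reason."""
    try:
        body = json.loads(raw)
    except (ValueError, TypeError):
        return "malformed-json"
    if not isinstance(body, dict):
        return "body-not-object"
    extra = sorted(set(body) - set(schema))
    if extra:
        return "unexpected-field:" + extra[0]
    for field, expected in schema.items():
        if field not in body:
            return "missing-field:" + field
        value = body[field]
        # bool is a subclass of int in Python, so reject it explicitly;
        # none of the schemas above declare a boolean field.
        if isinstance(value, bool) or not isinstance(value, expected):
            return "wrong-type:" + field
    return None


def authorize(token, method, path, raw_body=None):
    """Return (HTTP status, reason) for one API call."""
    role = role_for(token)
    if role is None:
        return (401, "invalid-token")
    if (method, path) not in ROLE_ROUTES[role]:
        return (403, "role-not-permitted")
    schema = SCHEMAS.get((method, path))
    if schema is not None:
        error = validate_body(schema, raw_body)
        if error:
            return (400, error)
    return (200, "ok")


if __name__ == "__main__":
    print(authorize("tok-reader-EXAMPLE", "GET", "/v1/orders"))
    print(authorize("tok-reader-EXAMPLE", "POST", "/v1/admin/users",
                    '{"email": "a@example.com", "role": "admin"}'))
    print(authorize("tok-admin-EXAMPLE", "POST", "/v1/orders",
                    '{"sku": "A1", "quantity": "2"}'))
```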

In all of these ways, web application security firewalls are commonly used to prevent exploitation and misuse, secure API platforms, and help mitigate application-layer attacks. WAFs also use SSL/TLS encryption and regularly-patched signatures to prevent site traffic interception in MITM attacks and block injection attacks.

Does Noname Security Offer Web Application Firewall Security?

Neither a load balancer nor a web API security gateway can protect against all API attacks and vulnerabilities. Most enterprises have invested in WAFs and API gateways to manage their APIs and secure their web applications. However, alone these tools cannot achieve API security. Moreover, Noname Security’s testing in customer environments consistently finds that 30% of APIs are not even routed through a gateway.

At Noname Security, we break the massive challenge of API security down into a few manageable API security issues:

  • APIs with in-code or in-design vulnerabilities
  • APIs that are misconfigured or misrouted
  • APIs that interact with sensitive information, but shouldn't

Noname approaches this with its D.A.R.T. Strategy for API security:

  • Discover
  • Analyze
  • Remediate
  • Test

41% of enterprises attempt to secure APIs just like they secure web applications—with WAFs, for example. However, WAFs lack the full D.A.R.T. (Discover, Analyze, Remediate, Test) API Security Strategy and functionality.

Our API security solution doesn’t require sensors or agents and offers reduced operational friction and deeper visibility of out-of-band traffic. Noname ensures easy API Integration with WAFs, clouds, and gateways and the ability to connect with existing infrastructure rather than compete against it.
