What is a Web Application Firewall?

A web application firewall (WAF) is a security device designed to protect organizations at the application level. WAFs achieve this goal by monitoring, filtering, and analyzing traffic between the internet and the web application. Acting as a reverse proxy, the purpose of a common web application firewall is to shield applications from malicious requests.

Because applications are the means for attackers to connect to valuable data, they are also the leading source of breaches. This means implementing the right WAF a critical step.

With that in mind, a WAF protects the organization against a range of application-layer attacks. These include: SQL injection, cross-site scripting (XSS) attacks, cross-site request forgery (CSRF), denial of service (DoS), distributed denial of service (DDoS) attacks, cookie poisoning, and zero-day attacks.

Benefits of a web application firewall (WAF)

There are many important reasons to add a web application firewall to an enterprise security strategy. Organizations face increased application-level security risks. Remote work trends, “bring your own device” policies, and an increased use of SaaS applications are arguably the reason.

This massively increased the attack surface of application programming interfaces (APIs) and web applications. By adding a WAF into your larger cyber security strategy, you can proactively address the risks that come with this expansion.

Application profiling

The WAF analyzes overall web application behavior and structure, including typical requests, URLs, and permitted data values and types. Creating a robust application profile may help identify and block abnormal or malicious requests.

AI/ML traffic pattern analysis

The best web application firewall software and platforms use artificial intelligence algorithms and machine learning to perform behavioral analysis. They monitor traffic and characterize baselines for specific varieties, and in doing so capture anomalies. So even when the application sustains attacks that don’t match known malicious patterns, a WAF can identify the behavior.

Customization

WAF operators may define and instantly apply organization- or web application-specific security rules to application traffic. This enables customization of WAF behavior without the risk of legitimate traffic getting blocked.

Content delivery network (CDN)

Cloud-based WAFs are deployed at the edge of the network. Some may provide a content delivery network (CDN) that improves website load time by caching the website. The CDN created by the WAF is deployed globally across multiple points of presence (PoP). Users access the website through the nearest PoP.

Protection against web exploits

Deploying a cloud WAF is a good way to protect applications against variety of threats. Threats like security misconfigurations, cross-site scripting, and SQL injection attacks. As well as other risks outlined by the Open Web Application Security Project (OWASP).

API abuse monitoring

Application programmable interfaces, or APIs, drive communication between systems in most modern application development. Understanding this, hackers target not only web application vulnerabilities but also the systems that support applications – meaning APIs. And according to TechRepublic, 91% of enterprises experienced an API security incident in 2020.

API attacks such as broken authentication, rate limiting, and other OWASP Top Ten Threats for APIs are increasingly popular. Cloud WAFs can help protect applications and their supporting systems from these attacks. But deployed by themselves, cloud WAFs are not sufficient to protect APIs from exploits.

Availability attack protection

Applications are vulnerable to availability attacks such as denial-of-service (DoS) attacks. With these attacks, hackers flood applications with massive volumes of traffic that can overwhelm even very well-engineered solutions. This can impair or degrade user experiences.

On-prem deployments are particularly vulnerable to volumetric attacks. Things like DNS amplification attacks or SYN floods. Theses attacks overwhelm the network aggregation point or internet bandwidth by saturating the network with malicious traffic.

Many organizations migrate to the cloud and deploy their respective cloud provider’s web application firewall to mitigate volumetric DDoS attacks. These providers offer security groups similar to a stateful firewall that allow users to block unwanted protocols and ports. However, this technique does not block traffic on the protocols or ports your application relies on. Though it will prevent bogus traffic floods from reaching the application.

For this reason, phony application requests that target required protocols and ports are another favored form of attack. This is called an application DDoS attack because its target is not the network, but the application. When deployed together, volumetric and application DDoS attacks leave on-prem users with few defenses.

However, a cloud WAF does secure applications from both application DDoS and volumetric attacks. Cloud WAF DDoS mitigation solutions are available for cloud, on-prem, and hybrid environments.

Bots, crawlers, and scrapers prevention

Even a very well-designed application that was initially deployed in a secure way can quickly become vulnerable. Competitors and malicious actors can use scrapers to monitor your site for changes and try to undercut sales and steal customers. And crawlers can steal trade secrets and SEO information from a site.

A cloud WAF can prevent bots, crawlers, and scrapers from impacting your application. The result is reduced infrastructure costs, less unwanted traffic, a higher marketing ROI, and a better user experience overall.

Protection against cross-site scripting (XSS) and SQL injection

In this code injection attack, the hacker inserts malicious code in a legitimate website. It then launches in the user’s browser as an infected script. This allows the attacker to impersonate the user or steal sensitive information.

Similar to XSS, in SQL injection attacks, hackers inject malicious SQL statements into an application using a known vulnerability. This allows them to extract information and use, alter, or delete it.

Disadvantages of web application firewalls

No discussion of web application firewalls is complete without a look at the downside, and web application firewall vulnerabilities do exist. WAFs are deployed at the network edge and work to stop suspicious and malicious traffic. This filtering was originally rules-based, either from the WAF vendor for out of the box use, or customized by users.

However, rule-based WAFs demand very high maintenance. WAFs must be actively maintained and properly configured in an ongoing way to achieve full protection. This is because WAFs rely so heavily on security rules and policies to defend against attacks. Attacks like cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL Injections.

Organizations must also carefully define and apply managed rules to match their particular application patterns and adjust them as applications evolve. And because new attacks may demand totally new rules, it might be harder to address changing threat vectors. The constant changing of rules also means that WAFs frequently experience many false positives. Or even worse, risk allowing harmful traffic (a false negative), as practical requirements change faster than rules.

Operating WAFs in a microservices environment presents an additional challenge. New microservices versions are released many times a day in large microservices applications. Updating rules sets for every component is simply impractical. For this reason, microservices will often remain unprotected by a WAF.

Who uses web application firewalls?

Given how common and complex cyberattacks have become, most organizations find themselves struggling to defend themselves from malicious attacks. E-commerce businesses, healthcare organizations, online financial services, and many others face an ongoing barrage of data theft and fraud threats. This can leave any brand open to possible regulatory discipline and compromised consumer trust.

WAFs are an important addition to a suite of tools to address these problems. A web application firewall can fortify an application security program with an essential extra layer of defense. WAFs can also help security professionals maintain more control. Security teams can monitor based on predetermined rules and guidelines to alert for possible attacks in progress.

How does a web application firewall work?

To understand how web application firewalls work, first realize that there are a few possible deployment models:

• Appliance WAF: Hardware-based or running on a virtual appliance
• Host-based WAF: Software running with the web application on the same server
• Cloud WAF: Cloud-based web application firewall platform or service.

Appliance WAF

Most appliance or network WAFs are hardware-based. These have several advantages. To reduce latency, they can be installed locally as close to the field application as possible using dedicated equipment. And most hardware-based WAFs support large scale deployments by allowing admins to copy rules and settings between devices.

The disadvantages of an appliance WAF are ongoing maintenance costs and a large upfront investment. Running the WAF as a virtual appliance is an alternative. Either by deploying a pre-configured cloud machine image in the public cloud or using network function virtualization (NVF) technology locally. This will reduce the upfront investment, but does not address the maintenance costs.

Host-Based WAF

Host-based WAFs can be highly customized at a low cost because they can be fully integrated into your application code. However, host-based WAFs demand the installation of specific libraries on the application server. This makes them more complex to deploy, and they rely on server resources to function. The WAF also becomes a dependency of the web application, adding it to the list of development lifecycle management tasks.

Cloud web application firewall (WAF)

These turnkey WAF solutions offer a cost effective option that delivers rapid deployment with no upfront investment. Typically, cloud WAF solutions work with simple DNS or proxy configuration and are subscription based. Advantages include updated threat intelligence, and often managed services to help respond to attacks in real-time and define security rules.

The potential disadvantage with cloud WAFs is reliability. They must effectively route all traffic to your web application. The top web application firewalls manage to do this with the best performance. But when WAF performance is poor, so is your site’s performance.

Regardless of the deployment model, the WAF sits in front of the web application so it can intercept all internet traffic. The network administrator defines a set of policies or rules for the WAF to operate. Each WAF rule or policy addresses a known vulnerability or an application-level threat.

Deployed as a whole, the policies identify malicious traffic and isolate it before it can reach an application or user. When that happens, users are likely to see a warning from the WAF: “the transfer has triggered a web application firewall.”

Types of web application firewalls

Now that you understand the deployment models, you’re probably wondering, “what does a web application firewall do”? Beyond these deployment models, there are several types of web application firewalls.

Blocklist web application firewall (Blocklist WAF)

A blocklist WAF denies access to known attacks and traffic on a set list based on a negative security model. A blocklist, sometimes called a blacklist, contains a list of prohibited traffic. The list also includes things that should not pass the firewall processor; it is the opposite of an allowlist.

Allowlist web application firewall (Allowlist WAF)

An allowlist, sometimes called a whitelist, WAF admits only traffic on an approved list based on a positive security model. The allowlist contains a list of safe things that may pass through the firewall without being checked for malicious traffic. This would only be used for known safe traffic.

Hybrid web application firewall (Hybrid WAF)

The most common approach taken by modern firewalls, a hybrid WAF applies both blocklist and allowlist model elements.

Signature-based detection

Although signature-based detection is more in the realm of intrusion detection than WAFs, many modern firewalls do include this feature. Signature-based detection searches for specific, known, malicious patterns and blocks any such requests.

Traditional firewalls vs web application firewalls

In a general sense, any firmware that filters network traffic is a firewall. But based on the type of protection the approach to filtering traffic offers, there are multiple categories of firewalls. These include: packet filtering, proxy servers, stateful inspection, and next-generation firewalls (NGFW).

The distinction between web application firewalls and network firewalls is based on differences in the types of protection. A traditional firewall guards against unauthorized network access and blocks traffic from particular areas or IP ranges.

A WAF inspects and filters data packets at the application layer and detects attacks that are otherwise invisible. For example, a standard firewall won’t detect an SQL injection attack. This is because it does not inspect application request payloads—SQL queries, for example.

WAFs allow users to define which kinds of application behaviors are malicious by configuring specific rules. A WAF analyzes HTTP/HTTPS communication to protect the organization at the application level.

Technically speaking, the difference between a firewall and a web application firewall (WAF) lie within the Open Systems Interconnection (OSI) model. WAFs protect from attacks at the application level, or OSI model Layer 7. Network firewalls focus on network traffic and data transfer, operating on OSI model Layers 3 and 4. A WAF also goes beyond merely blocking specific ports or IP addresses. WAFs seek out signs of a possible injection or attack in web traffic and are highly customizable.

Web application firewall vs next-generation firewall

Web application firewall architecture only guards against web application attacks. Thus, in no sense is a WAF a comprehensive answer. Although a WAF is a critical piece of cyber security strategy, it must be bolstered by other security measures, and .

A next-generation firewall (NGFW) combines WAF, network firewall, antivirus, and other security tools in a single platform. An NGFW can identify and prevent attacks at the port, application, and protocol levels like a traditional firewall.

But it can also block modern threats such as application-layer and advanced malware attacks. You can also expect more advanced features from most NGFWs. Such as intrusion prevention systems (IPS), application awareness, and cloud-enabled threat intelligence.

A next-gen firewall uses both VPN support and static and dynamic packet filtering to ensure security like a traditional firewall. But an NGFW also has other features:

• Supports deep-packet inspection
• Offers enhanced application layer visibility and control, can filter packets based on applications
• Protects against malware and advanced persistent threats (APTs)
• Makes future upgrades simpler
• Supports external sources of intelligence
• WAFs and NGFWs are functions that manage network traffic at different points. The NGFW is guarding the entrance to a shopping mall (network traffic). The WAF is protecting a specific store (the application on the network).

Web security gateway vs web application firewalls

Secure web gateways and WAFs, especially Next-Generation Firewalls, are similar. They both distinguish friendly vs. malicious traffic to provide advanced network and application protection. However, they are not comparable, and both are essential elements of enterprise security architecture.

Secure web gateways (SWGs) primarily work at the application level. They protect against advanced internet-based attacks and detecting malicious intent by inspecting actual traffic. WAFs also inspect traffic, but at the packet level, using deep packet inspection rules to identify safe applications. They permit or refuse each packet network access while controlling and blocking dangerous applications.

Reverse proxy vs web application firewalls

What is the difference between a reverse proxy and a WAF? The key difference is the lack of inspection and protection. Reverse proxies protect clients, while users deploy WAFs to protect servers and particular web applications running on them. WAFs can take the shape of a server plug-in, an appliance, or a filter, and can be customized.

Addressing web application firewall security gaps

41% of enterprises attempt to secure APIs just like they secure web applications—with WAFs, for example. However, neither a load balancer nor a web API security gateway can protect against all API attacks and vulnerabilities.

Most enterprises have invested in WAFs and API gateways to manage their APIs and secure their web applications. However, alone these tools cannot achieve API security. As evidence, Noname Security consistently finds that 30% of APIs are not even routed through a gateway in our customer environments.

The Noname API Security Platform integrates seamlessly with WAFs, clouds, and gateways to fill in the gaps. Our goal is to work together with existing infrastructure rather than compete against it.

The combination of these technologies helps to provide safe and secure environments for digital business applications. This enables IT teams to better protect APIs and critical assets from cyber attacks. It also helps to build and maintain an effective API security program.