What is a Web Application Firewall (WAF)?
A web application firewall (WAF) is a security device designed to protect organizations at the application level. WAFs achieve this goal by monitoring, filtering, and analyzing traffic between the internet and the web application. Acting as a reverse proxy, the purpose of a common web application firewall is to shield the application from malicious requests and stop them before they reach the web application or user. Because applications are the means for attackers to connect to valuable data, they are also the leading source of breaches—making implementing the right WAF a critical step. With that in mind, a WAF protects the organization against a range of application-layer attacks, including SQL injection, cross-site scripting (XSS) attacks, cross-site request forgery (CSRF), denial of service (DoS) and distributed denial of service (DDoS) attacks, cookie poisoning, and zero-day attacks.
Benefits of a web application firewall (WAF)
There are many important reasons to add a web application firewall to an enterprise security strategy. Organizations face increased application-level security risks due to remote work trends, “bring your own device” policies, and an increased use of SaaS applications, along with cloud and web-based software. This has massively increased the attack surface of application programming interfaces (APIs) and web applications. By incorporating a WAF into your larger cybersecurity strategy, you can proactively address the security risks that come with this expansion.
The WAF analyzes overall web application behavior and structure, including typical requests, URLs, and permitted data values and types. Creating a robust application profile may help identify and block abnormal or malicious requests.
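A minimal sketch of the application profile described above, added here as an illustration and not taken from any WAF product: it learns endpoints, parameter names, value types, and lengths from typical requests, then reports requests that deviate. The endpoints, type classes, and length slack are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Value types ordered from narrowest to widest (assumed classes for this sketch).
TYPES = [
    ("int", re.compile(r"-?\d+")),
    ("word", re.compile(r"[A-Za-z0-9_-]+")),
    ("text", re.compile(r"[^<>'\";]*")),
    ("other", re.compile(r".*", re.S)),
]

def type_rank(value):
    """Index of the narrowest type in TYPES that the whole value matches."""
    return next(i for i, (_, p) in enumerate(TYPES) if p.fullmatch(value))

def learn_profile(requests):
    """Map (method, path) -> {param: {"rank": widest type seen, "max_len": n}}."""
    profile = {}
    for method, url in requests:
        parts = urlsplit(url)
        params = profile.setdefault((method, parts.path), {})
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            entry = params.setdefault(key, {"rank": 0, "max_len": 0})
            entry["rank"] = max(entry["rank"], type_rank(value))
            entry["max_len"] = max(entry["max_len"], len(value))
    return profile

def check_request(profile, method, url, len_slack=2):
    """Return the deviations from the profile; an empty list means normal."""
    parts = urlsplit(url)
    params = profile.get((method, parts.path))
    if params is None:
        return [f"unknown endpoint {method} {parts.path}"]
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        entry = params.get(key)
        if entry is None:
            findings.append(f"unexpected parameter {key!r}")
            continue
        rank = type_rank(value)
        if rank > entry["rank"]:
            findings.append(f"{key!r} is {TYPES[rank][0]}, expected {TYPES[entry['rank']][0]}")
        if len(value) > entry["max_len"] * len_slack:
            findings.append(f"{key!r} is much longer than values seen in training")
    return findings

# Constructed sample of typical traffic used to build the profile.
TRAINING = [
    ("GET", "/products?id=17&sort=price"),
    ("GET", "/products?id=204&sort=name"),
    ("GET", "/search?q=red+shoes"),
]
PROFILE = learn_profile(TRAINING)
```

A profile built from too little traffic produces false positives, so the training set has to cover the application's legitimate variety before deviations are blocked rather than logged.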
AI/ML Traffic Pattern Analysis
The best web application firewall software and platforms use artificial intelligence algorithms and machine learning to perform behavioral analysis. They monitor traffic, establish baselines for specific types of traffic, and in doing so detect anomalies. Thus, even when the application faces novel attacks that don’t match known malicious patterns, a WAF using artificial intelligence can identify the behavior in time.
WAFs often integrate with DDoS protection systems to detect and defend against DDoS attacks. The WAF detects malicious requests, and the traffic moves to a DDoS protection system, which can withstand large volumetric attacks by scaling up.
WAF operators may define and instantly apply organization- or web application-specific security rules to application traffic. This enables customization of WAF behavior without the risk of legitimate traffic getting blocked.
Content Delivery Network (CDN)
Cloud-based WAFs are deployed at the edge of the network, and therefore may also provide a CDN that improves website load time by caching the website. The CDN created by the WAF is deployed globally across multiple points of presence (PoP), and users access the website through the nearest PoP.
Protection Against Web Exploits
Deploying a cloud WAF is a good way to protect applications against web exploits, including security misconfigurations, cross-site scripting, and SQL injection attacks, and other risks outlined by the Open Web Application Security Project (OWASP).
API Abuse Monitoring
Application programming interfaces, or APIs, drive communication between systems in most modern application development. Understanding this, hackers target not only web application vulnerabilities but also the systems that support applications – meaning APIs. And according to TechRepublic, 91% of enterprises experienced an API security incident in 2020.
API attacks that exploit broken authentication, missing rate limiting, and other risks in the OWASP API Security Top 10 are increasingly common. Cloud WAFs can help protect applications and their supporting systems from these attacks, but in themselves are not sufficient to protect APIs from exploits.
Availability Attack Protection
Applications are vulnerable to availability attacks such as denial-of-service (DoS) attacks, in which hackers flood applications with massive volumes of traffic that can overwhelm even very well-engineered solutions. This can impair or degrade user experiences. On-prem deployments are particularly vulnerable to volumetric attacks such as DNS amplification attacks or SYN floods that overwhelm the network aggregation point or internet bandwidth by saturating the network with malicious traffic.
Many organizations deploy AWS web application firewall or Azure web application firewall and migrate to their respective cloud provider to mitigate volumetric DDoS attacks. These providers offer security groups similar to a stateful firewall that allow users to block unwanted protocols and ports. However, this technique does not block traffic on the protocols or ports your application relies on, although it will prevent bogus traffic floods from reaching the application.
For this reason, phony application requests that target required protocols and ports are another favored form of attack. This is called an application DDoS attack because its target is not the network, but the application. When deployed together, volumetric and application DDoS attacks leave on-prem users with few defenses. However, a cloud WAF does secure applications from both application DDoS and volumetric attacks. Cloud WAF DDoS mitigation solutions exist for cloud, on-prem, and hybrid environments.
Bots, Crawlers, and Scrapers Prevention
Even a very well-designed application that was initially deployed in a secure way can quickly become vulnerable. Competitors and malicious actors can use scrapers to monitor your site for changes and do things like undercut sales and steal customers. And crawlers can steal trade secrets and SEO information from a site.
A cloud WAF can prevent bots, crawlers, and scrapers from impacting your application. The result is reduced infrastructure costs, less unwanted traffic, a higher marketing ROI, and a better user experience overall.
Protection Against Cross-site Scripting (XSS) and SQL Injection
In this code injection attack, the hacker inserts malicious code in a legitimate website that launches in the user’s browser as an infected script. This allows the attacker to impersonate the user or steal sensitive information. Similar to XSS, in SQL injection attacks, hackers inject malicious SQL statements into an application using a known vulnerability. This allows them to extract information and use, alter, or delete it.
Disadvantages of web application firewalls
No discussion of web application firewalls is complete without a look at the downside, and web application firewall vulnerabilities do exist. WAFs are deployed at the network edge and work to stop suspicious and malicious traffic. This filtering was originally rules-based, either from the WAF vendor for out of the box use, or customized by users. However, rule-based WAFs demand very high maintenance. WAFs must be actively maintained and properly configured in an ongoing way to achieve full protection. This is because WAFs rely so heavily on security rules and policies to defend against cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection, among other attacks.
Organizations must also carefully define and apply managed rules to match their particular application patterns and adjust them as applications evolve. And because new attacks may demand totally new rules, it might be harder to address changing threat vectors. The constant changing of rules also means that WAFs frequently experience many false positives or even risk allowing harmful traffic—a false negative—as practical requirements change faster than rules.
Operating WAFs in a microservices environment presents an additional challenge. New microservices versions are released many times a day in large microservices applications. Updating rules sets for every component is simply impractical. For this reason, microservices will often remain unprotected by a WAF.
Who uses web application firewalls?
Given how common and how complex cyberattacks have become, most organizations find themselves in the position of needing to defend themselves from malicious attacks. E-commerce businesses, healthcare organizations, online financial services, and many others face an ongoing barrage of data theft and fraud threats. This can leave any brand open to possible regulatory discipline and compromised consumer trust.
WAFs are an important addition to a suite of tools to address these problems. A web application firewall can fortify an already-robust application security program with an essential extra layer of defense. WAFs can also help security professionals maintain more control, monitoring based on predetermined rules and guidelines to alert for possible attacks in progress or based on customized rules. In short, WAFs are standard equipment at the enterprise level and increasingly for smaller online businesses as well.
How does a web application firewall work?
To understand how web application firewalls work, first realize that there are a few possible deployment models:
- Appliance WAF: Hardware-based or running on a virtual appliance
- Host-based WAF: Software running with the web application on the same server
- Cloud WAF: Cloud-based web application firewall platform or service.
Most appliance or network WAFs are hardware-based. These have several advantages. To reduce latency, they can be installed locally as close to the field application as possible using dedicated equipment. And most hardware-based WAFs support large scale deployments on corporate networks by allowing admins to copy rules and settings between devices.
The disadvantages of an appliance WAF are ongoing maintenance costs and a large upfront investment. Running the WAF as a virtual appliance is an alternative, either by deploying a pre-configured cloud machine image in the public cloud, or using network function virtualization (NFV) technology locally. This will reduce the upfront investment, but does not address the maintenance costs.
Host-based WAFs can be highly customized at a low cost because they can be fully integrated into your application code. However, host-based WAFs demand the installation of specific libraries on the application server, making them more complex to deploy, and they rely on server resources to function. This approach also makes the WAF a dependency of the web application, adding it to the list of development lifecycle management tasks.
Cloud Web Application Firewall (Cloud WAF)
These turnkey WAF solutions offer a cost-effective option that delivers rapid deployment with no upfront investment. Typically, cloud WAF solutions work with simple DNS or proxy configuration and are subscription based. Advantages include updated threat intelligence, and often managed services to help respond to attacks in real-time and define security rules.
The potential disadvantage with cloud WAFs is reliability. They must effectively route all traffic to your web application. The top web application firewalls manage to do this with the best performance, but when WAF performance is poor, so is your site’s performance. This is why the best web application firewall solutions provide integrated WAF, DDoS, and CDN protection to ensure minimal latency and maximum uptime.
Regardless of the deployment model, the WAF sits in front of the web application so it can intercept all internet traffic to and from it. The network administrator defines a set of policies or rules for the WAF to operate. Each WAF rule or policy addresses a known vulnerability or an application-level threat. Deployed as a whole, the policies identify malicious traffic and isolate it before it can reach an application or user. When that happens, users are likely to see a warning from the WAF: “the transfer has triggered a web application firewall.”
Types of web application firewalls
Now that you understand the deployment models, you’re probably wondering, “what does a web application firewall do?” Beyond these deployment models, there are several types of web application firewalls.
Blocklist Web Application Firewall (Blocklist WAF)
A blocklist WAF denies access to known attacks and traffic on a set list based on a negative security model. A blocklist, sometimes called a blacklist, contains a list of prohibited traffic and things that should not pass the firewall processor; it is the opposite of an allowlist.
Allowlist Web Application Firewall (Allowlist WAF)
An allowlist WAF admits only traffic on an approved list based on a positive security model. The allowlist, sometimes called a whitelist, contains a list of safe things that may pass through firewall rule sets without being checked for malicious traffic. This would only be used for known safe traffic.
Hybrid Web Application Firewall (Hybrid WAF)
The most common approach taken by modern firewalls, a hybrid WAF applies both blocklist and allowlist model elements.
Although signature-based detection is more in the realm of intrusion detection than WAFs, many modern firewalls do include this feature. Signature-based detection searches for specific, known, malicious patterns and blocks any such requests.
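The three models and the signature check above, side by side, in an added sketch that is not taken from any WAF product. The address ranges (documentation prefixes), the two signatures, and the `decide` function are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed lists: prohibited sources and one known safe source.
BLOCKLIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWLIST_NETS = [ipaddress.ip_network("198.51.100.10/32")]
# Two simplified signatures for known malicious patterns.
SIGNATURES = {
    "sql-injection": re.compile(
        r"('|\")\s*(or|and)\s+[\w'\"]+\s*=|union\s+select", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
}

def in_nets(addr, nets):
    """True if the address falls inside any of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def match_signature(raw_query):
    """Name of the first signature found in the URL-decoded query, or None."""
    decoded = unquote_plus(raw_query)  # inspect what the application will see
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None

def decide(model, src_ip, raw_query):
    """Return (action, reason) under 'blocklist', 'allowlist' or 'hybrid'."""
    allowed = in_nets(src_ip, ALLOWLIST_NETS)
    blocked = in_nets(src_ip, BLOCKLIST_NETS)
    if model == "allowlist":  # positive model: anything unlisted is denied
        return ("allow", "on allowlist") if allowed else ("block", "not on allowlist")
    if model not in ("blocklist", "hybrid"):
        raise ValueError(f"unknown model {model!r}")
    if model == "hybrid" and allowed:  # allowlisted traffic passes unchecked
        return ("allow", "on allowlist")
    if blocked:  # negative model: listed sources and known attacks are denied
        return ("block", "source on blocklist")
    hit = match_signature(raw_query)
    return ("block", hit) if hit else ("allow", "no rule matched")

# Constructed query string shaped like a SQL injection attempt.
INJECTION = "id=1%27%20OR%20%271%27%3D%271"
```

Because allowlisted traffic skips inspection, `decide("hybrid", "198.51.100.10", INJECTION)` is allowed, which is why the allowlist should hold only sources that are known to be safe.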
Traditional firewalls vs web application firewalls
In a general sense, any firmware that filters network traffic is a firewall, but based on the type of protection the approach to filtering traffic offers, there are multiple categories of firewalls, including packet filtering, proxy servers, stateful inspection, and next-generation firewalls (NGFW).
The difference between a firewall and a web application firewall (WAF) is the WAF inspects and filters data packets at the application layer in a unique way that detects many attacks that are otherwise invisible. For example, a standard firewall won’t detect an SQL injection attack because it does not inspect application request payloads—SQL queries, for example. WAFs allow users to define which kinds of application behaviors are malicious by configuring specific rules, while a traditional firewall merely blocks traffic from particular areas or IP ranges.
The distinction between application firewall vs web application firewall and network firewall is based on differences in types of protection and application of security measures. A network firewall guards against unauthorized network access, while a WAF analyzes HTTP/HTTPS communication to protect the organization at the application level.
Technically speaking, the key difference within the Open Systems Interconnection (OSI) model is that WAFs protect from attacks at the application level or OSI model Layer 7. Network firewalls focus on network traffic and data transfer, operating on OSI model Layers 3 and 4. A WAF also goes beyond merely blocking specific ports or IP addresses. WAFs seek out signs of a possible injection or attack in web traffic and are highly customizable.
Web application firewall vs next-generation firewall
Web application firewall architecture only guards against web application attacks. Thus, although a WAF is a critical piece of cybersecurity strategy at the enterprise level, it must be bolstered by other security measures, and in no sense is a comprehensive answer.
A next-generation firewall (NGFW) combines WAF, network firewall, antivirus, and other security tools in a single platform. An NGFW can identify and prevent attacks at the port, application, and protocol levels like a traditional firewall, but it can also block modern threats such as application-layer and advanced malware attacks. You can also expect more advanced features from most NGFWs, such as intrusion prevention systems (IPS), application awareness, and cloud-enabled threat intelligence.
A next-gen firewall uses both VPN support and static and dynamic packet filtering to ensure security like a traditional firewall, but an NGFW also has other features:
- Supports deep-packet inspection
- Offers enhanced application layer visibility and control, can filter packets based on applications
- Protects against malware and advanced persistent threats (APTs)
- Makes future upgrades simpler
- Supports external sources of intelligence
WAFs and NGFWs are functions that manage network traffic at different points. The NGFW is guarding the entrance to a shopping mall (network traffic), and the WAF is protecting a specific store (the application on the network).
Web security gateway vs web application firewalls
Secure web gateways and WAFs, especially Next-Generation Firewalls, are similar. They both distinguish friendly vs. malicious traffic to provide advanced network and application protection. However, they are not comparable, and both are essential elements of enterprise security architecture.
Secure web gateways (SWGs) primarily work at the application level, protecting against advanced internet-based attacks and detecting malicious intent by inspecting actual traffic. WAFs also inspect traffic, but at the packet level, using deep packet inspection rules to identify safe applications and permit or refuse each packet network access while controlling and blocking dangerous applications.
Reverse proxy vs web application firewalls
What is the difference between a reverse proxy and a WAF? The key difference is the lack of inspection and protection. Reverse proxies protect clients, while users deploy WAFs to protect servers and particular web applications running on them. In this case, the client is the web application, and the WAF is serving as a reverse proxy. WAFs can take the shape of a server plug-in, an appliance, or a filter, and can be customized.
Addressing web application firewall security gaps
41% of enterprises attempt to secure APIs just like they secure web applications—with WAFs, for example. However, neither a load balancer nor a web API security gateway can protect against all API attacks and vulnerabilities. Most enterprises have invested in WAFs and API gateways to manage their APIs and secure their web applications. However, alone these tools cannot achieve API security. As evidence, Noname Security’s testing in customer environments consistently finds that 30% of APIs are not even routed through a gateway.
The Noname API Security Platform integrates seamlessly with WAFs, clouds, and gateways to fill in the gaps. Our goal is to work together with existing infrastructure rather than compete against it. The combination of these technologies helps to provide safe and secure environments for digital business applications. This enables IT teams to not only better protect APIs and critical assets from cyber attacks, but to also build and maintain an effective API security program within the organization.
Our API security solution doesn’t require sensors or agents and offers reduced operational friction and deeper visibility of out-of-band traffic. Noname ensures easy API Integration and the ability to connect