What is a WAF?

A web application firewall (WAF) is an application firewall deployed to protect specific web applications from common attacks such as cross-site scripting and SQL injection. WAFs differ from proxies: a WAF protects servers, while a proxy generally protects clients.

A traditional network firewall is good at stopping illegitimate traffic and providing network-level security. It acts as a barrier between a trusted network and an untrusted network: the firewall’s policy defines what traffic is allowed onto the network, and all other traffic is denied. The disadvantage of a network firewall is that it cannot detect and stop attacks that exploit vulnerabilities in web applications. These attacks are disguised as genuine requests to the application, and because they appear normal, a traditional firewall lets them through and cannot guard against them. Once the request gets through, a hacker can perform a number of actions to access sensitive data stored by the application. A WAF proactively protects web applications from these threats by examining web traffic for suspicious activity.

So how does a WAF actually work?

The WAF analyzes incoming HTTP requests before they reach the server. It looks at both GET- and POST-based HTTP requests and applies a set of rules to determine whether the traffic is malicious. If the traffic is determined to be illegitimate, it is automatically filtered out. Think of the WAF as a bouncer: just as a bouncer follows a set of rules (is the person over 21?) to decide who is allowed entry, the WAF uses its rules to decide which data packets to filter out.
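The rule matching described above, as an added sketch that is not from the original article or from any WAF product. The names `RULES`, `collect_fields` and `inspect_request`, the two simplified patterns and the sample requests are all assumptions constructed for illustration, and POST bodies are assumed to be form-encoded.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified illustrative rules (assumptions for this example, not a production rule set).
RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss", re.compile(r"(?i)<\s*script\b|\bon(error|load|click)\s*=|javascript:")),
]


def collect_fields(method, url, body=""):
    """Return (location, name, value) triples; parse_qsl percent-decodes the values."""
    fields = [("query", k, v)
              for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if method.upper() == "POST":  # body assumed to be application/x-www-form-urlencoded
        fields += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return fields


def inspect_request(method, url, body=""):
    """Return ("block", rule, location, name) on the first rule match, else ("allow",)."""
    for location, name, value in collect_fields(method, url, body):
        for rule, pattern in RULES:
            if pattern.search(value):
                return ("block", rule, location, name)
    return ("allow",)


# Constructed sample requests: (method, url, body).
SAMPLES = [
    ("GET", "/search?q=shoes", ""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("POST", "/login", "user=admin&pass=%27+OR+%271%27%3D%271"),
    # Well-formed request: no rule fires, whatever the application does with the id.
    ("GET", "/account?id=1002", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, "->", inspect_request(method, url, body))
```

Rules run on the decoded parameter values, so the percent-encoded samples are matched in the same way as their plain-text forms.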

A WAF can be network-based, host-based or cloud-based. Network-based WAFs are usually hardware-based and have the benefit of reducing latency because they are installed as close to the application as possible. The drawback of network-based WAFs is the cost. Host-based WAFs can be fully integrated into the application code, which provides low cost and increased customization. However, they can be challenging to manage because they depend on local server resources. Cloud-based WAFs are easy to deploy and low cost, but because they are a third-party product, some aspects may be a black box.

It is important to note that WAFs are not a silver bullet for securing web applications. They will not protect against application logic flaws, session management vulnerabilities, weak passwords, insider threats, etc. WAFs are good at what they do, but they should never be relied on alone. You wouldn’t depend on just the airbags in a car to keep you safe; you also make sure your brakes are working and your mirrors are set to minimize blind spots. Just as in life, the best defense in the digital world is always a layered defense.