Complete Web Application Firewall Guide
What is a Web Application Firewall (WAF)?
A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a layer 7 (application layer, in the OSI model) defense, and is not designed to defend against all types of attacks.
This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.
By deploying a WAF in front of a web application, a shield is placed between the web application and the Internet.
While a proxy server protects a client machine’s identity by using an intermediary, a WAF is a type of reverse-proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server.
A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic.
The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.
What is the difference between blacklist and whitelist WAFs?
A WAF that operates based on a blacklist (negative security model) protects against known attacks.
Think of a blacklist WAF as a club bouncer instructed to deny admittance to guests who don’t meet the dress code.
Conversely, a WAF based on a whitelist (positive security model) only admits traffic that has been pre-approved. This is like the bouncer at an exclusive party, who only admits people who are on the list.
Both blacklists and whitelists have their advantages and drawbacks, which is why many WAFs offer a hybrid security model, which implements both.
devconnected — DevOps, Sysadmins & Engineering
Tutorials & Guides for DevOps, sysadmins and software engineers.
What are network-based, host-based, and cloud-based WAFs?
A WAF can be implemented in one of three different ways, each with its own benefits and shortcomings:
- A network-based WAF is generally hardware-based: since they are installed locally they minimize latency, but network-based WAFs are the most expensive option and also require the storage and maintenance of physical equipment.
- A host-based WAF may be fully integrated into an application’s software: This solution is less expensive than a network-based WAF and offers more customizability. The downside of a host-based WAF is the consumption of local server resources, implementation complexity, and maintenance costs. These components typically require engineering time, and may be costly.
- Cloud-based WAFs offer an affordable option that is very easy to implement: they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over responsibility to a third party, so some features of the WAF may be a black box to them.
Software WAF vs. Appliance WAF
Web Application Firewall Deployment
1. Reverse Proxy
The WAF acts as a proxy in front of the application server, so client traffic goes to the WAF first.
2. Transparent Reverse Proxy
A reverse proxy operating in transparent mode; the WAF passes filtered traffic on to the web application.
This allows for IP masking by hiding the address of the application server. Added latency during address translation is a potential downside.
3. Transparent Bridge
HTTP traffic goes directly to the web application; the WAF sits inline as a bridge, transparent to both the client and the server.
Cloud WAF vs On-Premises WAF
There are two main varieties of Web Application Firewall solutions — on-premises WAF (aka hardware WAF) or cloud WAF.
Deciding which is best for your enterprise depends entirely on your needs.
Cloud WAFs, provided via SaaS, are managed by your cloud vendor: hardware or software, updates, and security are all maintained by your chosen provider and accessed through a mobile app or web interface.
High compute capacity makes cloud WAFs more efficient than their hardware counterparts at detecting attacks (such as DDoS), providing deep security insights with real-time monitoring, and minimizing false positives with advanced analytics.
With simple point-and-click configuration, cloud WAFs grow with you, scaling to your capacity needs on a flexible, responsive platform. Comprehensive, high performance security helps meet compliance requirements like GDPR, PCI DSS, and HIPAA.
Typically, a usage-based payment plan for a web application security firewall is arranged in advance.
On-Premises hardware WAFs require far more legwork for security and IT teams, but can provide more fine-tuning customization.
Whereas cloud software is hosted and managed in the provider’s high-security data center, with an on-premises WAF your administrators will need a dedicated in-house team to secure your network.
The procurement and installment of hardware or software, maintenance, configuration, and updates are usually the technical team’s responsibility.
Estimating capacity for hardware WAFs may result in either over- or under-provisioned protection, depending on fluctuating traffic. Scaling to meet capacity needs will require further hardware adjustments.
Having full access to all of the elements of your platform may be the right plan for your enterprise, giving you full rein to customize the experience to your unique specifications.
How WAFs Work:
- Using a set of rules to distinguish between normal requests and malicious requests;
- Sometimes they use a learning mode to add rules automatically through learning about user behaviour
- Negative Model (Blacklist based) — A blacklisting model uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting-model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against major types of DDoS attacks. E.g. a rule for blocking all
- Positive Model (Whitelist based) — A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
- Mixed/Hybrid Model (Inclusive model) — A hybrid security model is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.
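As an added example (not code from the original article or from any vendor), the following Python sketch models the three rule models above, and the blacklist/whitelist distinction from the earlier section, on constructed sample requests: a negative (blacklist) check built from two signatures, a positive (whitelist) check of method, source network and path, and a hybrid that requires both. The signatures, the 10.0.0.0/8 trusted network, the path patterns and the sample requests are all constructed assumptions.

```python
import re
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Request:
    """One inbound HTTP request as the WAF sees it (constructed fields)."""
    src_ip: str
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)

# Negative model (blacklist): signatures for traffic that is clearly malicious.
# Constructed for illustration; a real rule set is far larger.
BLACKLIST_RULES = [
    ("sqli", re.compile(r"\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|--\s*$", re.I)),
    ("traversal", re.compile(r"(?:\.\./){2,}")),
]

# Positive model (whitelist): pre-approved method, source network and path,
# i.e. "only allow HTTP GET requests from certain IP addresses" (constructed).
WHITELIST = {
    "methods": {"GET"},
    "networks": [ipaddress.ip_network("10.0.0.0/8")],
    "paths": re.compile(r"^/(?:api/v1/[a-z]+|static/[\w./-]+)$"),
}

def negative_check(req):
    """Return the name of the first blacklist signature that matches, else None."""
    for name, pattern in BLACKLIST_RULES:
        for value in (req.path, req.query, *req.headers.values()):
            if pattern.search(value):
                return name
    return None

def positive_check(req):
    """True only if method, source network and path are all pre-approved."""
    ip = ipaddress.ip_address(req.src_ip)
    return (req.method in WHITELIST["methods"]
            and any(ip in net for net in WHITELIST["networks"])
            and WHITELIST["paths"].match(req.path) is not None)

def decide(req, model):
    """Apply one security model to a request; returns (action, reason)."""
    sig = negative_check(req)
    approved = positive_check(req)
    if model == "negative":
        return ("block", sig) if sig else ("allow", "no signature matched")
    if model == "hybrid" and sig:  # hybrid: known-bad is blocked even if pre-approved
        return ("block", sig)
    if model in ("positive", "hybrid"):
        return ("allow", "pre-approved") if approved else ("block", "not pre-approved")
    raise ValueError(f"unknown model {model!r}")

# Constructed sample traffic: a benign call, a probe that stays on an approved path
# (the whitelist's blind spot), and an unapproved request carrying no signature
# (the blacklist's blind spot).
SAMPLES = {
    "benign": Request("10.1.2.3", "GET", "/api/v1/users", "id=7"),
    "sqli_on_allowed_path": Request("10.1.2.3", "GET", "/api/v1/users", "id=1' OR SLEEP(5) OR '"),
    "post_from_outside": Request("203.0.113.5", "POST", "/admin", "", {"User-Agent": "curl/8.0"}),
}

def evaluate_all():
    # Decision matrix: sample name -> {model: action}
    return {name: {m: decide(r, m)[0] for m in ("negative", "positive", "hybrid")}
            for name, r in SAMPLES.items()}
```

Running `evaluate_all()` shows each model's blind spot side by side: the blacklist passes the unapproved POST, the whitelist passes the SQL probe on an approved path, and only the hybrid blocks both.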
To identify a WAF, we need to provoke it with dummy requests.
- Make a normal GET request from a browser, then intercept and record the response headers (specifically cookies).
- Make a request from the command line (e.g. cURL) with no User-Agent header, and compare the response content and headers.
- Make GET requests to random open ports and grab banners, which might expose the WAF’s identity.
- If there is a login page somewhere, try some common (easily detectable) payloads like `" or 1 = 1 --`.
- If there is some input field somewhere, try with noisy payloads like
- Attach a dummy `../../../etc/passwd` to a random parameter at the end of the URL.
- Append some catchy keywords like `' OR SLEEP(5) OR '` at the end of URLs to any random parameter.
- Make GET requests with outdated protocols like `HTTP/0.9` (HTTP/0.9 does not support POST type queries).
- Many a time, the WAF varies the `Server` header upon different types of interactions.
- Drop Action Technique — Send a raw crafted FIN/RST packet to the server and identify the response.
Our Top 5 Best Cloud-Based WAFs
1. Cloudflare WAF
Cloudflare has gained an excellent reputation for protecting web servers against DDoS attacks. Its service offering also features a Web Application Firewall.
The service already has a huge customer base and its servers currently handle close to three million requests per second.
And if you visit Cloudflare’s website, you’ll see that over 400 million WAF rules were triggered in the last day.
One of the primary benefits of using a cloud service with such a broad customer base is that you can benefit from intelligence acquired from other clients. For instance, if an attack attempt is detected at another client, a new signature will be created and applied to all clients. Another benefit of Cloudflare’s solution is that they also offer content delivery and DDoS protection.
2. Akamai Kona Site Defender
Akamai is the world leader in content delivery systems.
Throughout the years, the company has added more functionalities to its offering. Kona Site Defender, as their WAF is called, is one of them. The Web Application Firewall integrates full DDoS protection. And of course, the WAF service can also easily be combined with other Akamai services such as the Content Delivery Network.
Once your traffic is redirected to Akamai, you might as well take advantage of it and use as many services as you need.
Due to its size and client base, Akamai often discovers new exploits sooner than other vendors. As a Kona Site Defender user, you benefit from this competitive edge and effectively get a stronger protection with potentially better blockage of zero-day exploits.
3. F5 Silverline
F5 is often better known for its BIG-IP appliances than its cloud services.
In a nutshell, F5 Silverline is the online version of the company’s excellent BIG-IP ASM appliance reviewed below. It is available as a managed service or as what F5 refers to as an express self-service to protect web applications and data from ever-evolving threats. Subscriptions can have a one year or three-year duration. 24-hour live support is included with the service.
One major advantage of this cloud-based service is that it can protect a distributed or cloud-hosted infrastructure. The protection includes layer 7 DDoS shielding and will also block anonymized addresses like those which are part of the Tor network. The system also uses a live blacklist of known phishing practitioners and web scrapers. And since this blacklist is shared by all customers, you benefit from any intelligence gained with another client.
4. Amazon Web Services WAF
Amazon Web Services (AWS) is the cloud-based hosting service of the universally known online marketplace.
It capitalizes on Amazon’s huge distributed infrastructure to offer hosting services. If you’re a client of Amazon Web Services, the AWS WAF might be for you. AWS also offers load-balancing and content delivery services.
The pricing model of the Amazon Web Services WAF is different from other vendors. Instead of paying a predefined sum each month, you are invoiced for each security rule that you add to your service and for the number of web requests that are received each month.
The best thing about this is that you don’t have to pay right away for some future growth. It is also very interesting to organizations with seasonal peaks.
5. Imperva Incapsula
Imperva is another common name in the IT security field.
The Incapsula cloud-based Web Application Firewall is Imperva’s managed service for protecting against application layer attacks, including all Open Web Application Security Project (OWASP) top 10 attacks and zero-day threats. The service is PCI-certified and highly customizable. It is also highly effective and will block most threats with minimal false positives.
Incapsula is one of the cheapest cloud-based WAF solutions you can find. Plans start as low as $300 per month. One great feature of Incapsula is that in addition to a more “traditional” WAF, the system also surveys your servers and will send patches to address found issues, providing better protection for your web applications. You can, of course, schedule patches to be applied at whatever time you choose to reduce your operational impact.
Our Top 5 Best WAF Appliances
1. Imperva SecureSphere
Imperva is one of the two vendors who made it into both of our lists.
Its SecureSphere WAF targets smaller installations. The various units they propose vary in throughput from 100 Mbps to 10 Gbps with the smallest able to process 440 SSL transactions per second and the larger some 9000. A mid-tier unit, the X2020 has a throughput of 500 Mbps, will process 2000 SSL transactions per second and will set you back some $4200.
If you pick one of the top-tier models, you’ll be glad to learn that they are upgradable to the next bigger model. For example, the X821 can be upgraded to an X 10K, effectively doubling its capacity. And upgrading only requires purchasing the proper software patch and license.
No costly hardware upgrades are required.
2. Barracuda Web Application Firewall
Barracuda is another well-respected name in the field of IT security.
It proposes an excellent WAF solution which is perfectly suited for small and mid-sized organizations.
The Barracuda appliances are somewhat more expensive than their competitors’ but they come with one year of free updates. And updates take place frequently, whenever a new threat is identified.
The Barracuda WAF appliance also has a few extra features. For instance, it offers caching for faster content delivery.
Load balancing between multiple servers is another available feature. You can even add full DDoS protection. Like most other WAF appliances, the Barracuda WAF is available in several sizes.
An average device like the Model 360 will cost you about $6350 and give you 25 Mbps of throughput and 2000 SSL transactions per second.
3. Citrix Netscaler Application Firewall
The Citrix Netscaler is an immensely popular load balancing appliance.
If you’re already using them, you’ll be glad to know that you can also use some of them as a Web Application Firewall. The functionality is only available in the top NetScaler MPX appliances or the NetScaler Cloud Service.
Furthermore, the WAF is only included at no extra cost with the top-tier Platinum license, although it is also available as an option with the Enterprise license.
The biggest advantage of the NetScaler WAF is that you get state of the art load balancing and security in one box.
This is a premium system and it comes at a premium price. You can expect to pay around $4000 for the smallest model, the MPX 5550 with a throughput of 500 Mbps and up to 1500 SSL transactions per second.
4. Fortinet FortiWeb
The FortiWeb appliance from Fortinet is better suited for smaller to mid-size organizations.
The appliance integrates WAF, load balancing, and SSL offloading functionality. One of the best (and newest) features of the FortiWeb appliance is the two-step AI-based machine learning which improves attack detection accuracy. It nearly creates a “set and forget” Web Application Firewall.
The FortiWeb appliance will protect your infrastructure from the latest application vulnerabilities, bots, and suspicious URLs.
And its dual machine learning detection engines keep your applications safe from all sorts of threats like SQL injection, cross-site scripting, buffer overflows, cookie poisoning, malicious sources, and DDoS attacks.
There are eight different FortiWeb models to choose from, each with increasing capacity. They range from the entry-level 100D at 25 Mbps to the top model 4000E with 20 Gbps of throughput.
5. F5 BIG-IP Application Security Manager (ASM)
Last but not least is the F5 BIG-IP ASM appliance. You might know F5 as one of Citrix’s primary competitors. They’re well-known for their top-notch load balancers. This is an appliance which targets larger businesses.
The F5 BIG-IP ASM threat protection uses deep threat analysis and dynamic learning; you barely have any configuration to do and yet you can be assured that your infrastructure is adequately protected.
Another interesting feature of the F5 BIG-IP ASM is SSL offloading. The device will handle the SSL encryption and decryption on the fly, allowing your web servers to concentrate on what they do best: serving web pages.
5 Open Source Web Application Firewalls
1. ModSecurity
The free ModSecurity rules will be helpful if you are looking for protection against the following:
- Cross-site scripting
- Information leakage
- SQL injection
- Common web attacks
- Malicious activity
ModSecurity doesn’t have a graphical interface; if you are looking for one, you may consider using WAF-FLE. It lets you store, search and view events in a console.
2. IronBee
IronBee is a security framework for building your own WAF. IronBee is not yet available as a binary package, so you have to compile it from source; it has been tested on the following OS:
- OS X
It’s a highly portable and very lightweight web security framework.
3. NAXSI
NAXSI stands for Nginx Anti-XSS & SQL Injection.
So, as you can guess, it is only for the Nginx web server and mainly targets protection from cross-site scripting and SQL injection attacks.
NAXSI filters only GET and PUT requests, and its default configuration acts as a DROP-by-default firewall, so you have to add ACCEPT rules for it to work properly.
4. WebKnight
WebKnight WAF is for Microsoft IIS.
It’s an ISAPI filter that secures your web server by blocking bad requests. WebKnight is good at protecting against the following:
- Buffer overflow
- Directory traversal
- Character encoding
- SQL injection
- Blocking bad robots
- Brute force
- And much more…
In the default configuration, all blocked requests are logged, and you can customize this based on your needs. WebKnight 3.0 has an admin web interface where you can customize the rules and perform administration tasks, including viewing statistics.
5. Shadow Daemon
Shadow Daemon detects, records and prevents web attacks by filtering malicious parameters out of requests. It comes with its own interface for administering and managing the WAF. It supports PHP, Perl and Python frameworks.
It can detect the following attacks.
- SQL injection
- XML injection
- Code injection
- Command injection
- Backdoor access
- Local/remote file inclusion
Open source is free, but you don’t get enterprise support, which means you need to rely on your own expertise and community support.
So if you are looking for a commercial WAF, you may refer to the following:
- CloudFlare (cloud-based)
- Incapsula (cloud-based)
- F5 ASM
- TrustWave ModSecurity commercial rules
- SUCURI (cloud-based)
- Akeeba Admin tools (for Joomla)
I hope this gives you an idea of the open source web application firewalls available for the various platforms.
Web Application Firewall Benefits vs Weaknesses
Web Application Firewall Benefits
WAFs prevent attacks that try to take advantage of the vulnerabilities in web-based applications.
Vulnerabilities can be common in legacy applications or applications with poor coding or designs.
WAFs compensate for such code deficiencies with custom rules or policies, protecting against:
- SQL injection, comment spam
- Cross-site scripting (XSS)
- Distributed denial of service (DDoS) attacks
- Application-specific attacks
Typical benefits of a WAF include:
- Strong default rule sets
- Customized Layer 7 protection
- Integration with DDoS mitigation
- Real-time reporting and logging for instant visibility
Web Application Firewall Weaknesses
WAFs sit in-line between users and applications.
Therefore any delay or latency can impact the end user experience. Since the inspection of requests and responses is compute-intensive, WAFs do introduce traffic latency. The extent of that delay, and whether it would even be tolerable to an end user depends on the WAF’s performance, policy complexity and the application in use.
This can put organizations in a difficult position: over-provision their WAFs to ensure minimal impact, which comes at a higher cost; or set security policies to a minimum to reduce inspection time, which compromises safety.
WAFs can also be complex to deploy given the need to establish efficient policies. They also require regular maintenance when applications have additions or updates.
Web Application Firewall vs Next Generation Firewall
Next Generation Firewalls concentrate on application stream signatures, which work well for outbound internet traffic but offer very little inbound web server protection.