Home / Definitions / WAF (Web Application Firewall)

WAF (Web Application Firewall)

Abby Braden
Last Updated June 3, 2022 5:59 am

WAF image.

A web application firewall (WAF) is a security solution that filters, tracks, and blocks Hypertext Transfer Protocol (HTTP) traffic to protect applications and servers. It applies a set of rules in the conversation between a web application and the internet, separating the benign from the malicious traffic, and preventing potential security threats from infiltrating the system.

What does a WAF do?

A WAF is software solution or a hardware device that performs the following tasks: 

  • Inspects the traffic to and from the web application
  • Identifies and blocks malicious traffic 
  • Examines the content to identify known exploits and blocks them

What threats do WAFs protect against?

Attacks on web applications and servers come in different forms such as SQL injections, cross-site scripting (XSS), distributed denial of service (DDoS), file inclusion, security misconfigurations, cookie poisoning, field manipulation, parameter tampering, forced browsing, stealth commanding, and malware infections. Without a protective layer that stands between the network and the application, hackers can get into the server and access a company’s sensitive information.

The WAF shields an application against vulnerabilities by rerouting clients through a rule-based filter mechanism before connecting to the server. In a way, it serves as a reverse proxy by sending requests to the WAF, screening them, then sending legitimate traffic to the web application. As it analyzes data packets on a two-way HTTP traffic, the WAF can immediately detect pernicious elements and prevent them from getting into the server, thereby protecting the system from attacks.

History of Web Application Firewalls

Originally, the term firewall referred to a wall used to confine a fire within a line of buildings. Still in use today, these fireproof walls run continuously from the foundation to the underside of the roof. Aside from being used in buildings, a firewall was also later used to describe a separating wall in vehicles and aircraft. 

It wasn’t until the 1980s that the term “firewall” was used in networking technology. In 1988, Digital Equipment Corporation developed the first firewall, known as the Packet-Filter Firewall. This firewall inspected packets of information transferred between computers of a network. If the packet didn’t meet specific requirements, it was dropped or rejected. 

A year later, AT&T Bell Labs continued the packet filtering research and developed the Circuit Level Gateway. This firewall used the connection state information to manage packet filtering. If a packet didn’t meet active connection requirements, it was evaluated according to the filtering requirements. If it matched the requirements, the packet could transfer. If not, it was dropped. 

In 1991, the Digital Equipment Corporation released another generation of firewall technology known as the Application Layer Firewall. This firewall ran on the application layer and could inspect all data being transmitted to and from the network. Other application layer firewalls were developed shortly after, such as the Firewall Toolkit in 1993 and the Gauntlet firewall in 1994. 

The key benefit of application layer filtering is that it can understand applications and protocols such as FTP, DNS, and HTTP. This allows the firewall to identify unwanted applications or services such as malware or detect if an allowed protocol is being misused. 

Since a WAF is a specific form of application firewall, the first generation of it did not emerge until 1999, when Perfecto Technologies released AppShield, a WAF focused on the ecommerce market and that protected against illegal web page character entries, creating failed workflowks. In 2002, an open source WAF called ModSecurity was created to make WAF technology more accessible and establish a core rule set for protecting web applications. 

Since then, the set of rules has been standardized and expanded through the Open Web Application Security Project. The WAF market has continued to grow, with a special focus placed on credit card fraud prevention.

Types of WAF

WAF offers protection to a range of enterprises and industries such as e-commerce, banking, and social media platforms that need data security for their back-end databases. It can be implemented in three ways:

  • Network-based is a hardware-based type of WAF installed in a local network but requires storage and maintenance, entailing cost. The appliance device can be expensive, but its deployment is scalable.
  • Host-based is a less expensive type that is integrated into the application with a number of customization options.
  • Cloud-based is the most affordable of the three and the easiest to implement, and it comes with regular updates. A cloud-based WAF is usually a security-as-a-service solution operated by a third-party provider.

Web Application Firewall vs. URL Filtering 

Web application firewalls and URL filtering solutions are two popular web security solutions used to protect websites from cyberattacks. Both solutions are designed to protect websites from malicious traffic and keep them safe.

Blacklist and whitelist WAFs

WAF offers blacklist or negative security, whitelist or positive security, and a hybrid of the two security models. Blacklist WAF protects against known attacks, denying harmful data transfers that can expose an application s security vulnerability. On the other hand, whitelist WAF denies unknown and default traffic, allowing only trusted and pre-approved requests.

How do Web Application Firewalls Work?

WAFs protect web applications by filtering, monitoring, and blocking malicious HTTP traffic traveling to the web application and preventing unauthorized data from leaving it. Filtering, blocking, and monitoring is done by adhering to a set of rules known as policies that determine what traffic is malicious and what is safe. 

These policies protect against vulnerabilities in the application and can be modified quickly if needed. This is especially valuable during a DDoS attack for example, when policy modification needs to be implemented quickly to mitigate the attack. 

While a proxy server serves as an intermediary to protect a client machine’s identity, a WAF serves as a type of reverse proxy, protecting the server’s identity by having the client pass through the WAF before getting to the server. 

Differences between WAF and Firewalls

The main difference between a web application firewall and a traditional next generation firewall is that a WAF protects public-facing web applications such as websites and APIs against vulnerabilities and malicious attacks, while a traditional firewall protects against network attacks. 

The key technical difference is that these firewalls operate on different layers of security. These layers are defined by the OSI model, which is a networking framework to implement protocols. WAFs operate on layer 7, the application layer, while network firewalls operate on layers 3 and 4, data transfer and network.

OSI layers

Businesses have traditionally protected their data with standard network firewalls, which does not offer the flexibility and transparency needed for modern security threats. With the growth of BYOD, SaaS, and other cloud-based technologies, businesses need to also invest in a WAF to prevent web app attacks. By employing both technologies, businesses and their clients are fully protected by providing multi-layer security across OSI layers 3, 4, and 7.

A WAF is positioned between external users and web applications to analyze all HTTP communication. This allows it to detect and block malicious requests before they ever reach users. A network firewall protects a secured LAN from unauthorized access. It separates a secure zone from a non-secure zone and polices communication between the two. 

WAFs protect from common web attacks such as: 

  • Direct Denial of Service (DDoS)
  • SQL Injection 
  • Cross-site scripting

Network firewalls protect from attacks such as: 

Also read: How to Choose the Right Web Application Firewall

Benefits of WAF

WAF runs in a physical device, plugin, or cloud service, and it provides the following advantages:

  • Discovers a web application s security vulnerabilities and coding errors that need immediate fixes
  • Prevents unauthorized transfer of sensitive data away from the application
  • Complements other perimeter defense and protective systems such as firewalls and intrusion prevention tools
  • Averts attacks that bypass the network firewalls and defends a web application without having to access its source code
  • Allows users to quickly modify an application’s settings in response to the security threats

Top Web Application Firewall Vendors

WAF solutions are in high demand due to the increase of dependence on application resources. A few top WAF providers in alphabetical order are listed below.

AWS WAF

aws logo

AWS WAF is a good solution for those seeking an Amazon Web Service cloud-native tool. It helps protect web apps or APIs against common web exploits and bots that may affect availability, compromise security, or consume resources. It comes with a pre-configured set of rules managed by AWS.

Cloudflare WAF

cloudflare logo

Cloudflare is a web infrastructure and cybersecurity company that specializes in CDN services, protecting organizations at the network edge. Its WAF solution offers zero-day vulnerability protections, custom rulesets, sensitive data detection alerts, and advanced rate limiting.

Fortinet FortiWeb

fortinet logo

FortiWeb is  an advanced solution for web app and API security and bot migration that employs two layers of machine learning. The solution is available in a lot of different form factors, ranging from entry-level hardware appliances to top-level virtual machine options that can be incorporated into complex cloud environments.

Microsoft Azure WAF

microsoft azure logo

Azure WAF provides an easy-to-deploy solution for Microsoft users that is integrated with features from the Azure Security Center. This cloud-native service protects web apps from common web-hacking techniques and gives real-time visibility into the application environment.