Web application firewalls (WAFs) help enterprises block common attacks against websites and web applications, protecting site uptime and the accounts that hold sensitive information. A WAF sits in line between the web application and all HTTP and HTTPS traffic, examining each request before it reaches the site and observing traffic patterns to decide which requests come from an attacker. Many security vendors offer web application firewalls that enterprises can deploy as a hardware appliance, as a cloud service, or as software on their own web servers.
A web application firewall is a security control that protects web applications and websites at the application layer (HTTP, or layer 7), which is where a conventional network firewall does not look. It allows or blocks HTTP and HTTPS requests based on the organization's predefined rules and, in many products, on real-time decisions driven by threat intelligence, and it can also be used to manage web service traffic.

Beyond request filtering, WAF products commonly add customizable policies or rulesets, managed rule updates from the vendor, rate controls, IP reputation filtering, bot management, DDoS mitigation and integrations with other security tools; the vendor sections below describe which of these each product offers.

The attack types that web application firewalls defend applications and sites against include SQL injection, cross-site scripting, logins with stolen credentials, malicious bot traffic and application-layer denial of service, many of which fall into the categories catalogued in the OWASP Top 10.
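The allow-or-block decision described above, as an added example that is not code from the original page or from any WAF vendor: a minimal signature-based inspector in Python that URL-decodes each inspected field (including double-encoded payloads), runs it against a handful of constructed SQL injection and cross-site scripting patterns, and returns a decision together with the rule and request location that fired. The rule IDs, the sample requests and the function names are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed signature rules in the spirit of a WAF ruleset. The rule IDs are
# hypothetical and are not taken from any vendor's rules.
RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("xss-javascript-uri", re.compile(r"javascript\s*:", re.I)),
]

# Request headers that attackers commonly use to smuggle payloads.
INSPECTED_HEADERS = ("user-agent", "referer", "cookie")


def normalize(value: str) -> str:
    """Strip up to two extra layers of URL encoding so that a double-encoded
    payload such as %253C (which decodes to %3C and then to '<') still matches."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def request_fields(request: dict) -> list[tuple[str, str]]:
    """Split a parsed request into (location, value) pairs worth inspecting:
    the path, every query parameter, selected headers and the body
    (per-parameter when it is a URL-encoded form, raw otherwise)."""
    path, _, query = request["target"].partition("?")
    fields = [("path", path)]
    # parse_qsl already removes one layer of URL encoding.
    fields += [(f"query:{k}", v) for k, v in parse_qsl(query, keep_blank_values=True)]
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    fields += [(f"header:{h}", headers[h]) for h in INSPECTED_HEADERS if h in headers]
    body = request.get("body", "")
    if body:
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields += [(f"body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
        else:
            fields.append(("body", body))
    return fields


def inspect(request: dict) -> tuple[str, list[str]]:
    """Return ("block" or "allow", list of "rule@location" hits) for one request."""
    hits = []
    for location, value in request_fields(request):
        text = normalize(value)
        for rule_id, pattern in RULES:
            if pattern.search(text):
                hits.append(f"{rule_id}@{location}")
    return ("block" if hits else "allow"), hits


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = {
    "benign-search": {"method": "GET", "target": "/search?q=red+shoes",
                      "headers": {"User-Agent": "Mozilla/5.0"}},
    "sqli-in-query": {"method": "GET",
                      "target": "/products?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users",
                      "headers": {}},
    "xss-double-encoded-body": {"method": "POST", "target": "/comments",
                                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                                "body": "comment=%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
    "tautology-in-cookie": {"method": "GET", "target": "/account",
                            "headers": {"Cookie": "user=admin' OR '1'='1"}},
    "false-positive": {"method": "GET", "target": "/search?q=onion%3Dsoup", "headers": {}},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, hits = inspect(req)
        print(f"{name:26s} {decision:5s} {hits}")
```

The last sample shows why real WAF rollouts start in detection-only mode: the harmless query `onion=soup` trips the event-handler pattern, a false positive an operator would fix by narrowing the rule to known handler names or by excluding that parameter. Production rulesets also normalize far more than URL encoding (Unicode, HTML entities, nested encodings), which is why vendors maintain managed rules rather than leaving every pattern to each customer.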
The following seven WAF vendors offer web application firewalls that stop these attacks and add features such as customizable policies or rulesets, advanced threat monitoring, and integrations with third-party and vendor security products. Consider the solutions below when looking for a WAF that suits your needs.
Imperva’s Web Application Firewall, part of the provider’s web application and network security suite, is delivered through a cloud-based content delivery network (CDN). Imperva’s CDN is not only security-focused but also efficient: it reduces bandwidth consumption and speeds page rendering, and because requests are inspected at the CDN edge, malicious traffic is dropped before it reaches the origin server. The CDN, DDoS protection and web application firewall are all components of Imperva’s Web Application and API Protection (WAAP) platform, which combines caching, load balancing and security for enterprises’ web applications.
Imperva’s WAF supports PCI DSS compliance and is designed to protect third-party applications, APIs, microservices, containers, virtual machines and more. It alerts users to potential attacks and can be configured without advanced HTTP knowledge.
Cloudflare offers a web application firewall to both enterprises and SaaS providers. The SaaS offering also includes TLS certificates, DDoS mitigation and bot management, a combination that helps enterprises protect their web applications from attacks. Cloudflare is a good fit for enterprises with more than one cloud: its multi-cloud support covers load balancing and DNS across multiple cloud deployments.
Cloudflare’s managed rules cover the OWASP (Open Web Application Security Project) Top 10 vulnerability categories, and users can write custom rules to block specific patterns or types of traffic. Cloudflare’s WAF can also check submitted login credentials against known breach data, so that an attacker logging in with stolen credentials can be detected.
AWS WAF protects websites by inspecting HTTP and HTTPS requests sent to the resources it is attached to, such as Amazon CloudFront, AWS’s content delivery network. Users define rules in a web ACL, which CloudFront evaluates to allow or block each request. Although AWS WAF integrates with Amazon’s CDN, CloudFront can front origins hosted outside AWS, so users don’t have to host a site on Amazon to use the firewall.
AWS WAF can also be attached to other resources, including Amazon API Gateway and Application Load Balancer. Pricing is per web ACL, per rule and per request, so costs rise as enterprises add rules, but AWS provides a variety of customizable rule options, including managed rule groups that cover OWASP Top 10 categories and bot management.
Barracuda Networks offers a web application firewall for protecting cloud environments; it defends applications hosted in Microsoft Azure. The firewall belongs to Barracuda’s Cloud Application Protection platform, which secures apps using automation, access control and advanced bot protection. Barracuda’s WAF integrates with multiple services, including Amazon CloudWatch and Microsoft Azure Sentinel.
Barracuda’s firewall is also available as a service; WAF-as-a-Service protects both JSON and XML APIs and is certified for Azure applications.
Security provider Akamai offers a web application firewall, Kona Site Defender, which stops attacks at Akamai’s edge network before they reach the customer’s data center. Akamai’s threat intelligence team updates the WAF rules as new threats emerge and existing attacks evolve. Kona belongs to Akamai’s cloud-based web security platform, which offers 12 other solutions as well.
Akamai protects against SQL injection and cross-site scripting attacks. It ships predefined application-layer rules, for example for HTTP protocol violations, which users can also tune. Akamai records alerts together with the detailed request data that triggered an alert or a firewall response. Akamai also offers IP allowlisting and denylisting (whitelisting and blacklisting) as well as geographic blocking, and users can apply rate controls against volume-based attacks.
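The access controls just described (IP allow and deny lists, geographic blocking and rate controls), as an added Python example that is not Akamai’s code or configuration and not from the original page: a small class that evaluates each client address in a fixed order and enforces a sliding-window rate limit. The GeoIP table, the class and its parameter names, and the addresses (taken from the documentation ranges) are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for a GeoIP database. The prefixes are reserved
# documentation ranges and the country codes are made up for this example.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),
]


def lookup_country(ip) -> str:
    """Return the two-letter code for the first table entry containing ip, or '??'."""
    for network, country in GEO_TABLE:
        if ip in network:
            return country
    return "??"


class EdgeControls:
    """Evaluate a client IP against an allowlist, a denylist, a set of
    blocked countries and a sliding-window rate limit, in that order."""

    def __init__(self, allowlist, denylist, blocked_countries, limit, window_seconds):
        self.allowlist = [ipaddress.ip_network(cidr) for cidr in allowlist]
        self.denylist = [ipaddress.ip_network(cidr) for cidr in denylist]
        self.blocked_countries = set(blocked_countries)
        self.limit = limit                # max requests allowed per window
        self.window = window_seconds      # length of the sliding window
        self.hits = defaultdict(deque)    # client ip -> timestamps of recent requests

    def decide(self, client_ip: str, now: float) -> tuple[str, str]:
        """Return ("allow"|"block", reason) for one request arriving at time `now`."""
        ip = ipaddress.ip_address(client_ip)
        # Allowlisted administrators bypass every other control, including the rate limit.
        if any(ip in net for net in self.allowlist):
            return "allow", "allowlist"
        if any(ip in net for net in self.denylist):
            return "block", "denylist"
        country = lookup_country(ip)
        if country in self.blocked_countries:
            return "block", f"geo:{country}"
        # Sliding window: drop timestamps that fell out of the window, count this request,
        # and block once the count in the window exceeds the limit.
        recent = self.hits[client_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.limit:
            return "block", "rate-limit"
        return "allow", "ok"


def demo() -> list[tuple[str, str, str]]:
    """Run a constructed traffic sample through the controls and return (ip, decision, reason)."""
    controls = EdgeControls(allowlist=["203.0.113.10/32"], denylist=["198.51.100.0/24"],
                            blocked_countries={"XX"}, limit=10, window_seconds=60)
    log = []
    log.append(("198.51.100.7",) + controls.decide("198.51.100.7", 0.0))
    log.append(("192.0.2.5",) + controls.decide("192.0.2.5", 0.0))
    # A scraper sending one request per second: the 11th within 60 s is blocked.
    for t in range(12):
        log.append(("203.0.113.50",) + controls.decide("203.0.113.50", float(t)))
    # An allowlisted admin at the same pace is never rate-limited.
    for t in range(12):
        log.append(("203.0.113.10",) + controls.decide("203.0.113.10", float(t)))
    return log


if __name__ == "__main__":
    for ip, decision, reason in demo():
        print(f"{ip:15s} {decision:5s} {reason}")
```

The order of checks matters: the allowlist is tested first so an administrator’s address is never rate-limited or geo-blocked, which is the bypass Sucuri’s allowlist (described below) exists to provide. The rate limiter counts blocked requests too, so a client that keeps hammering stays blocked for as long as its request count over the window exceeds the limit, and is admitted again only after it backs off.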
Fortinet’s web application firewall is available in several deployment forms, including virtual machine images and a SaaS offering. The virtual machine version runs on hypervisors including VMware and Microsoft Hyper-V, and it is supported on the three major public cloud providers as well as Oracle Cloud.
Fortinet’s SaaS WAF is cloud-based and defends web apps at the application layer from common attacks and the OWASP Top 10 vulnerabilities. The SaaS version also draws on services from Fortinet’s FortiGuard Labs, such as sandboxing and IP reputation management for web application traffic. The IP reputation service aggregates IP data from multiple sources and blocks requests from known-malicious addresses; it works together with Fortinet’s anti-botnet protection to block traffic from known botnet sources.
Sucuri’s web application firewall belongs to its web security platform, which also includes an intrusion prevention system. Sucuri defends websites against zero-day exploits and against DDoS attacks at three different network layers. Its service applies virtual patching, updating its server-side rules to block exploitation of recently disclosed weaknesses before the application itself can be patched.
Sucuri offers an IP allowlist for network and system administrators, so they aren’t blocked by the techniques that stop attackers. Users can also add protection to specific web pages, such as a CAPTCHA or a two-factor authentication challenge. Sucuri builds an individual application profile for each site and analyzes requests against what fits that profile.
Three main types of web application firewall differ in cost and deployment model.
A network appliance WAF is a locally installed piece of hardware that protects web applications hosted on premises. Administrators manage it directly in the office or local data center. Appliances are also expensive to maintain, and the organization is responsible for all hardware upkeep.
Cloud-hosted web application firewalls can be hybrid or pure cloud deployments. In a pure cloud deployment the provider manages the hardware and network, removing that administrative burden from the enterprise, although rule tuning and monitoring remain the customer’s responsibility. Traffic is routed through the provider, typically by pointing the site’s DNS at it, so the origin server should accept connections only from the provider’s address ranges; otherwise an attacker who learns the origin IP can bypass the WAF entirely. A cloud-hosted WAF is a good choice for businesses that lack the space or resources to install an on-premises WAF.
A host-based web application firewall is installed as software (typically a web server module or a local proxy process) on the server itself and uses that server’s CPU and memory to run. Host-based WAFs differ from the other types in that they sit on the individual host rather than in front of the network, so they must be installed and tuned on every server. Because traffic reaches the host before the WAF can drop it, a host-based WAF cannot absorb volumetric attacks: flood traffic still consumes the server’s resources even when each request is rejected.
Web application firewalls are dedicated to protecting websites and web servers from the routine attacks that cost enterprises money and sensitive data. By halting common web-based attacks, they reduce the risk of stolen data, site downtime and financial loss.

If your business is considering a web application firewall, weigh the deployment model (appliance, cloud-hosted or host-based) against your staff and budget, check how the product covers the OWASP Top 10 and whether you can write custom rules, look at its bot, DDoS and API protection, confirm that it integrates with the security tools you already run, and understand how pricing scales as rules and traffic grow.
Learn more about protecting networks and applications: NGFW vs. WAF: Which is Best for You?