Web application firewalls (WAF) help enterprises neutralize common website attacks and breaches, protecting site uptime and accounts that store sensitive information. A WAF sits as a line of defense between the website and all HTTP and HTTPS traffic, examining each request to enter the site and observing trends in internet traffic to determine what comes from an attacker. Many security vendors offer web application firewalls for enterprises to install as an appliance, a cloud, or a piece of software on their web servers.
- What are the types of web application firewalls?
- Why are web application firewalls important?
- How to choose a WAF solution
What is a web application firewall?
A web application firewall is a security service that protects web applications, or websites. Web application firewalls are useful for many different issues, including managing web service traffic, allowing and blocking HTTP and HTTPS requests based on the organization’s predefined rules and sometimes real-time decisions based on threat intelligence.
WAF software can also:
- Block common website attacks
- Protect organizations’ web servers
Types of attacks that web application firewalls protect applications and sites from include:
- Distributed denial of service (DDoS) attacks, which bring servers down because they flood them with an unreasonable number of IP requests
- Zero-day exploits, which immediately target a security vulnerability once the threat is revealed to the public
- SQL injections, which exploit unsecured code to access systems such as databases or host computers
- Cross-site scripting attacks, which use dynamic web page generation to enter restricted accounts and edit website content
Compare the best web application firewall solutions
The following seven WAF vendors offer web application firewall solutions that stop attacks and offer additional features, such as customizable policies or rulesets, advanced threat monitoring, or integrations with third parties and other vendor security products. Consider a WAF solution offered below when trying to find a WAF vendor that suites your needs.
Imperva’s Web Application Firewall, part of the provider’s web application and network security suite, is delivered through a cloud-based content delivery network (CDN). Imperva’s CDN is not only security-focused but also efficient: it reduces bandwidth consumption and speeds page rendering. This allows the WAF to respond more quickly. The CDN, DDoS protection feature, and web application firewall are all components of the Web Application and API Protection (WAAP) platform, which Imperva uses to improve caching, load balancing, and security for enterprises’ web applications.
Imperva’s WAF is PCI compliant and is designed to protect third party applications, APIs, microservices, containers, virtual machines, and more. It alerts users about potential attacks and can be configured without advanced HTTP knowledge.
- Automated dynamic application profiling
- DDoS protection
- PCI compliance
- High reliability and stability, noted by Imperva customers
Cloudflare offers a web application firewall to both enterprises and SaaS providers. The SaaS solution also includes SSL certificates, DDoS mitigation, and bot management, a combination that helps enterprises protect their web applications from attacks. Cloudflare is a good solution for enterprises that have multiple clouds, as its multi-cloud support covers load balancing and DNS technology for businesses that have more than one cloud deployment.
Cloudflare offers OWASP coverage for the top 10 OWASP (Open Web Application Security Project) vulnerabilities. Users customize rulesets to block certain patterns or types of traffic. Cloudflare’s WAF also monitors traffic for exposed credentials, in case an attacker uses stolen credentials to access a site.
- Protection against zero-day attacks
- Customizable rulesets
- OWASP coverage for top 10 vulnerabilities
- Alerts when Cloudflare detects sensitive data
Read more: Types of Firewalls Explained
Amazon Web Services WAF
The AWS Web Application Firewall protects websites by monitoring HTTP and HTTPS requests sent to CloudFront, its content delivery network. Users specify rules, which CloudFront uses to allow or block traffic. Although AWS WAF integrates with Amazon’s CDN, CloudFront does support websites that are hosted elsewhere, so users don’t have to host a site through Amazon to use the firewall.
AWS WAF users can choose between multiple deployments, including Amazon API Gateway and Application Load Balancer. Costs rise the more that enterprises add rules, but AWS provides a variety of customizable rule options, including OWASP top 10 vulnerabilities and bot management.
- Bot management
- Integration with CloudFront, Amazon’s CDN
- Pay-per-use format
- OWASP vulnerability management
Barracuda Networks WAF
Barracuda Networks offers a web application firewall for cloud environment protection; it defends applications hosted in Microsoft Azure. The firewall belongs to Barracuda’s Cloud Application Protection platform for securing apps, using automation, access control, and advanced bot protection. Barracuda’s WAF integrates with multiple services, including Amazon CloudWatch and Microsoft Azure Sentinel.
Barracuda’s firewall is also available as a service; the WAF-as-a-sService protects both JSON and XML APIs. WAF-as-a-sService is also certified for Azure applications.
- Advanced Bot Protection (ABP) capability
- Automated creation of API rulesets
- WAF-as-a-sService option
- Integrations with Amazon CloudWatch and Azure Sentinel
Security provider Akamai offers a web application firewall, Kona Site Defender, which protects data centers from attacks coming from the edge. Akamai has a threat intelligence team that edits WAF rules based on arising threats and existing attacks. Kona belongs to its cloud-based web security platform, which offers 12 other solutions as well.
Akamai takes measures against SQLi and cross-site scripting attacks. It offers predefined rules in the application layer controls, such as protocol violations, but users can also configure those rules. Akamai monitors alerts and more detailed data about actions that triggered an alert or a response from the firewall. Akamai also offers IP whitelisting and blacklisting as well as geographical blocking. Users can apply rate controls for volume-based attacks.
- Rate controls for volume-based attacks
- Protection against SQL injection and cross-site scripting
- Deep alert monitoring and detailed data about security threats
- Predefined yet configurable rules
Fortinet’s web application firewall is available in a variety of deployments:
- Hardware appliance
- Virtual machine
- Public cloud
- Container appliance
Its virtual machine deployment offers multiple virtual environments, including VMWare and Microsoft Hyper-V, and it supports the three major public cloud providers as well as Oracle.
Fortinet’s SaaS WAF is cloud-based and defends web apps at the application layer from common attacks and the top 10 OWASP vulnerabilities. The SaaS version also uses services from Fortinet’s FortiGuard Labs, such as sandboxing and providing IP reputation management for web application traffic. The IP reputation management service collects IP data from multiple sources, blocking known malicious patterns. It works with Fortinet’s anti-botnet security and blocks malicious botnet sources.
- Wide variety of deployment options
- Cloud-based SaaS firewall with additional FortiGuard services
- IP reputation and anti-botnet security services
- Integration with multiple IT services like AWS, HPE, Nutanix, and Oracle
Sucuri’s web application firewall belongs to its web security platform, which includes an intrusion prevention system as well. Sucuri defends websites against zero-day exploits and three different layers of DDoS attacks. Its security software updates patches and server rules to prevent hackers from exploiting recently revealed weaknesses.
Sucuri offers an allowlist of IP addresses for network and system administrators, so they aren’t blocked by the techniques that stop attackers. Users also have the option to choose additional protection for certain web pages, such as captcha or two-factor authentication options. Sucuri supports individual application profiling for each site, analyzing requests based on what fits the application’s profile.
- Quick patching and server rule updates
- Additional protection applied to web pages
- Allowlist of IP addresses for system admins
- Geo-blocking for countries that supply a large number of attacks
What are the types of web application firewalls?
Three major web application firewall types vary in cost and deployment.
Network appliance WAF
A network appliance WAF is a locally installed piece of hardware that protects on-premises web application hosting. Network appliance firewalls can be managed directly by administrators in the office or local data center. They are also expensive to maintain, and organizations are responsible for all hardware upkeep.
Cloud-hosted web application firewalls can be hybrid deployments or a pure cloud deployment. If they’re entirely cloud, the provider is responsible for managing the hardware and network, lifting any administrative burden from the enterprise. A cloud-hosted WAF is good for businesses that don’t have the space or resources to install an on-premises WAF.
A host-based web application firewall is installed as software on a server or computer and uses that web server’s resources to run. Host-based WAFs differ from other firewalls because they are installed on devices rather than at the network layer. However, some attacks aren’t required to go through a host-based firewall and may then slip through the barrier.
Why are web application firewalls important?
Web application firewalls are dedicated to protecting websites and web servers from regular attacks that can cost enterprises money and sensitive data. Web application firewalls halt common web-based attacks, which can result in stolen data, site downtime, and lost finances.
WAF software also:
- Increases the likelihood of keeping sites and servers up because traffic is limited based on predefined policies and automatic updated attack signatures. Websites are often a major source of businesses’ revenue—all online purchases and account sessions are done through the site.
- Catches issues within running scripts, which are designed to look like innocent internet traffic
- Halts malicious bot attacks by accessing frequently updated records of malicious code and regularly scanning traffic for strange signatures or other abnormalities
How to choose a WAF solution
If your business is considering implementing a web application firewall, consider the following questions:
- Does the firewall frequently update malicious signatures, adding them to a list or database of known suspicious code, and block new ones within a short time period? Because attackers sometimes exploit recently discovered vulnerabilities, having a WAF that quickly prepares for those attacks could decrease the number of site breaches.
- Does the WAF deployment type work well for your business? If you need to closely configure all aspects of the firewall and have on-premises hardware, a network appliance firewall might be the right choice for your organization. But if you want to pay less and don’t have the onsite resources, a cloud-based firewall will alleviate the IT configuration you’d have to do otherwise.
- What do the firewall’s integrations look like? Does it work with other security platforms? Another consideration is how many security solutions you want to implement at once; does the vendor offer multiple application security solutions that work together?
Learn more about protecting networks and applications: NGFW vs. WAF: Which is Best for You?