A Brief Overview of the Web Application Firewall
As its name suggests, a WAF (or web application firewall) is an appliance that runs on a separate device or virtually in the cloud. WAFs are deployed in front of web applications and are expected to analyze bi-directional web-based (HTTP) traffic, detecting and blocking malicious activity.
Users access web applications through a web browser over an active internet connection. Applications are built on a client–server structure: the user (the client) is provided services by an off-site server hosted by a third party. Examples of commonly used web applications include email, online shopping, and internet banking. A WAF's functionality can be implemented in software or hardware, running on a dedicated appliance or on a typical server with a common operating system, and it may be a stand-alone device or integrated into other network components.
WAFs can be virtual or physical appliances, but both use a combination of rule-based logic, parsing, and signatures to detect and prevent cyber attacks. However, a WAF solution alone is insufficient to provide adequate protection and must be used in conjunction with other network perimeter security solutions such as network firewalls and intrusion prevention systems to provide a holistic defense strategy. The entire suite of tools is necessary to support successful attack mitigation across a range of vectors.
Importantly, WAFs are designed to defend against specific types of attacks, primarily network-side threats. WAFs are expected to operate like a shield placed between the web application and the Internet, protecting the server from exposure by having users (clients) pass through the WAF before reaching the server. Set policies and models such as whitelisting (admit only traffic that matches a defined safe profile) and blacklisting (reject traffic that matches known-malicious patterns) help protect against application vulnerabilities by enabling the WAF to reject malicious traffic or allow traffic deemed to be safe. Static policies can be adjusted by trained technical staff to support response activities during an attack. WAFs also achieve some value by allowing organizations to check the box on broad compliance initiatives such as PCI, HIPAA, SOC 2, and others.
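To make the two policy models concrete, here is a small added example (written for this overview, not the code of any WAF product) that inspects constructed HTTP request URLs under a blacklist of signatures and under a whitelist schema; the endpoint paths, parameter names and patterns are assumptions chosen for illustration.

```python
# Toy model of the two WAF policy styles: a denylist ("blacklist") of signatures
# and an allowlist ("whitelist") schema. Constructed for illustration only.
import re
from urllib.parse import parse_qs, urlsplit

# Negative model: block any parameter value matching a known-bad signature.
DENYLIST = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "sql-union"),
    (re.compile(r"<\s*script\b", re.I), "html-script-tag"),
]

# Positive model: per-endpoint schema of allowed parameters and value shapes
# (assumed endpoints, not taken from any real application).
ALLOWLIST = {
    "/item": {"id": re.compile(r"^\d{1,9}$")},
    "/search": {"q": re.compile(r"^[\w .-]{1,64}$")},
}

def inspect(url, mode):
    """Return ('allow', reason) or ('block', reason) for one request URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if mode == "denylist":
        for values in params.values():
            for v in values:
                for pattern, name in DENYLIST:
                    if pattern.search(v):
                        return ("block", f"signature:{name}")
        return ("allow", "no signature matched")
    if mode == "allowlist":
        schema = ALLOWLIST.get(parts.path)
        if schema is None:
            return ("block", "unknown path")
        for key, values in params.items():
            if key not in schema:
                return ("block", f"unexpected parameter:{key}")
            if not all(schema[key].match(v) for v in values):
                return ("block", f"value shape:{key}")
        return ("allow", "matches schema")
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "/item?id=42",                  # benign: passes both models
    "/item?id=42 UNION SELECT 1",   # hits a signature; also fails the schema
    "/search?q=<script>",           # hits a signature; also fails the schema
    "/item?id=1 OR 1=1",            # no signature above matches; schema still rejects
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, inspect(url, "denylist"), inspect(url, "allowlist"))
```

The last sample shows why the page treats a signature-only WAF as partial coverage: a denylist only catches what it has a pattern for, whereas the allowlist rejects anything outside the declared shape.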
Three traditional WAF implementations include:
- Network-based WAF. Network-based WAFs are expensive to deploy and support because they are installed locally with the requisite storage and maintenance requirements of physical equipment.
- Host-based WAF. Host-based WAFs are more easily customizable, as they are integrated directly into an application’s software. However, with customization comes complexity, and with complexity comes longer implementation times and the need for engineering expertise to deploy and maintain the WAF effectively, which can quickly eat up any cost savings achieved by not implementing a network-based WAF.
- Cloud-based WAF. Of these three common appliance installations, cloud-based WAFs are by far the least expensive and least complex to deploy and maintain, with low upfront costs, a SaaS-like subscription model, and continual updates by the provider. But they still only offer partial attack-surface coverage, which requires additional technology purchases and integrations, all of which come with their own set of risks.
None of these options is sufficient to keep pace with growing attack vectors, increased compliance requirements, and the strong security posture necessary to keep web applications protected. See our post, “Making the Case for the Client-Side WAF,” for a fourth option that eschews traditional approaches to web application security and redefines what it means to be a WAF.