A web application firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, and file inclusion, among others. A WAF is a protocol layer 7 defense (in the OSI model) and is not designed to defend against all types of attacks, such as those aimed at the network or transport layer. This method of attack mitigation is usually one part of a suite of tools which together create a holistic defense against a wide range of attack vectors.
When a WAF is deployed in front of a web application, a shield is placed between the web application and the Internet. While a proxy server protects a client machine's identity by acting as an intermediary, a WAF is a type of reverse proxy: it protects the server from exposure by having clients pass through the WAF before reaching the server.
A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. Part of the value of a WAF comes from the speed and ease with which policy modifications can be implemented, which allows for a faster response to varying attack vectors; during a DDoS attack, for example, rate limiting can be quickly implemented by modifying WAF policies.
What is the difference between blacklist and whitelist WAFs?
A WAF that operates based on a blacklist (negative security model) protects against known attacks. Think of a blacklist WAF as a club bouncer instructed to deny admittance to guests who don't meet the dress code. Conversely, a WAF based on a whitelist (positive security model) only admits traffic that has been pre-approved; this is like the bouncer at an exclusive party who only admits people who are on the list. Both blacklists and whitelists have their advantages and drawbacks: a blacklist needs a signature for every attack and can be evaded by payloads it has not seen, while a whitelist rejects anything it does not expect and so risks blocking legitimate traffic. This is why many WAFs offer a hybrid security model which implements both.
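The following is an added example, not code from the original article or from any WAF product. It is a toy policy engine that makes the two preceding points concrete: the blacklist rules are signatures for known attacks, the whitelist is a positive schema for each endpoint, "hybrid" runs both, and a per-client sliding-window rate limit shows how a policy change (tightening the limit during a DDoS) is just a different parameter. The rule set, the endpoints (`/search`, `/login`) and the sample requests are all constructed for the illustration; the evasion payload and the false positive are there to show each model's weak spot.

```python
"""Toy WAF policy engine (added example, not a vendor's WAF).
Blacklist = known-bad signatures, whitelist = per-endpoint schema,
hybrid = whitelist first, then blacklist; plus a per-IP rate limit."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    params: dict   # parsed query/body parameters, values still URL-encoded
    ts: float      # arrival time in seconds, passed in so runs are deterministic


# Blacklist: signatures of known attack patterns (constructed, not a real ruleset).
# Values are URL-decoded first so %27 or '+' encoding cannot hide a payload.
BLACKLIST = [
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-quote-comment", re.compile(r"['\"]\s*(--|#|/\*)")),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("lfi-traversal", re.compile(r"\.\.[/\\]")),
]


def blacklist_check(req):
    """Deny if any parameter matches a known-bad signature; allow everything else."""
    for name, raw in req.params.items():
        value = unquote_plus(raw)
        for rule_id, pattern in BLACKLIST:
            if pattern.search(value):
                return False, f"blacklist:{rule_id}:{name}"
    return True, ""


# Whitelist: positive model of what each (hypothetical) endpoint accepts.
# Unknown endpoints, extra parameters and out-of-shape values are all denied.
WHITELIST = {
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9_]{3,32}"),
        "password": re.compile(r"[^\r\n]{8,128}"),
    },
}


def whitelist_check(req):
    """Allow only requests whose endpoint and parameters match the schema exactly."""
    schema = WHITELIST.get((req.method, req.path))
    if schema is None:
        return False, "whitelist:unknown-endpoint"
    for name, raw in req.params.items():
        if name not in schema:
            return False, f"whitelist:unexpected-param:{name}"
        if not schema[name].fullmatch(unquote_plus(raw)):
            return False, f"whitelist:bad-value:{name}"
    return True, ""


class RateLimiter:
    """Sliding window per client IP: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:   # forget hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


class WafPolicy:
    """mode is 'blacklist', 'whitelist' or 'hybrid'. Changing the policy
    (e.g. a tighter rate limit under DDoS) is just a different constructor argument."""

    def __init__(self, mode="hybrid", rate_limit=(100, 60)):
        self.checks = {"blacklist": [blacklist_check],
                       "whitelist": [whitelist_check],
                       "hybrid": [whitelist_check, blacklist_check]}[mode]
        self.limiter = RateLimiter(*rate_limit)

    def inspect(self, req):
        if not self.limiter.allow(req.client_ip, req.ts):
            return False, "rate-limit"
        for check in self.checks:
            ok, reason = check(req)
            if not ok:
                return False, reason
        return True, "allow"


# Constructed sample traffic, not real captures; one client IP, one request per second.
SAMPLES = [
    Request("203.0.113.5", "GET", "/search", {"q": "laptop"}, 0.0),                       # benign
    Request("203.0.113.5", "GET", "/search", {"q": "a%27+UNION+SELECT+1--"}, 1.0),        # classic SQLi
    Request("203.0.113.5", "GET", "/search", {"q": "1/**/UNION/**/SELECT/**/1"}, 2.0),    # evades the signature
    Request("203.0.113.5", "GET", "/search", {"q": "O%27Reilly"}, 3.0),                   # legitimate apostrophe
    Request("203.0.113.5", "POST", "/login", {"user": "alice",
            "password": "%27+OR+%271%27%3D%271%27--"}, 4.0),                            # passes schema, hits signature
    Request("203.0.113.5", "GET", "/admin/export", {"file": "..%2F..%2Fetc%2Fpasswd"}, 5.0),  # traversal
]


def run(mode, rate_limit=(100, 60)):
    """Return the decision reason for each sample request under the given policy."""
    policy = WafPolicy(mode, rate_limit)
    return [policy.inspect(r)[1] for r in SAMPLES]


if __name__ == "__main__":
    for mode in ("blacklist", "whitelist", "hybrid"):
        print(mode, run(mode))
    print("hybrid under a 2/min limit", run("hybrid", rate_limit=(2, 60)))
```

Running it shows the trade-off in the text: the blacklist catches the textbook `UNION SELECT` but allows the comment-padded variant, and it allows `O'Reilly`; the whitelist blocks both injections but also blocks `O'Reilly` (a false positive) and does nothing about the login payload, because it fits the password schema; only the hybrid catches everything except the apostrophe. With the rate limit tightened to two requests per minute, every request after the second from that client is refused before any rule runs.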
What are network-based, host-based, and cloud-based WAFs?
A WAF can be implemented in one of three different ways, each with its own benefits and shortcomings:
A network-based WAF is generally hardware-based. Since it is installed locally, it minimizes latency, but network-based WAFs are the most expensive option and also require the storage and maintenance of physical equipment.
A host-based WAF may be fully integrated into an application's software. This solution is less expensive than a network-based WAF and offers more customizability. The downsides of a host-based WAF are the consumption of local server resources and the complexity of implementation and maintenance, both of which typically require engineering time and may be costly.
Cloud-based WAFs offer an affordable option that is easy to implement; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic through the provider. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user's end. The drawback of a cloud-based WAF is that users hand over responsibility to a third party, so some features of the WAF may be a black box to them. One practical caveat: because the DNS change is what routes traffic through the WAF, the origin server should also be restricted (for example, to the provider's IP ranges) so that an attacker who learns its address cannot simply bypass the WAF by connecting to it directly.