What is a Web Application Firewall?

An introduction

If you have watched a superhero movie, you may be aware of force fields. They create a layered defense against attacks; even if they are not completely impenetrable, force fields are difficult to penetrate and provide the user time to come up with a stronger defense and counter-attack strategy while the attacks are being taken care of.

A Web Application Firewall (WAF) is like your superhero's force field: it acts as the shield between the website/web application and internet traffic. It monitors that traffic and inspects every incoming request before it reaches your website, web application, or web server, filtering out and blocking malicious requests and bot traffic while allowing only legitimate users through.

What does it protect against?

Web App Firewalls protect against known threats such as SQL injection, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), file inclusion, and clickjacking, among others. Much like the force field, the WAF is not equipped to handle every kind of attack and is not completely impenetrable. There are vulnerabilities, loopholes, and weaknesses, such as business logic flaws and zero-day threats, that a WAF cannot handle on its own. Additionally, if the WAF itself has weaknesses, or it is not continuously tuned and updated, it can fail to prevent attacks.

How does a Web Application Firewall function?

A Web Application Firewall operates on the set of rules it is configured with, called policies. Policies tell the WAF what kinds of traffic behavior and requests are acceptable, what to do when an illegitimate request is made, what to do when vulnerabilities are found in the web application/website, and so on. It is these policies that enable the WAF to stop attacks effectively.

Intelligent WAFs instantaneously patch vulnerabilities/loopholes in the application/website upon discovery, buying developers time to fix them in the code. This ensures that malicious requests and attackers do not gain access to the website/server through those vulnerabilities in the meantime.

Security models of WAF

Blacklist web app firewalls operate on a negative security model: the WAF blocks requests that match the signatures of known threats and allows everything else.

Whitelist web app firewalls operate on a positive security model: the WAF allows only requests/traffic that have been pre-approved and blocks everything else.

However, most web app firewalls operate with a hybrid security model, combining both approaches to minimize the drawbacks of the positive and negative models and maximize security.
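To make the three models concrete, here is a toy policy evaluator, added as an example and not taken from the original article or any vendor's product. The request shape, the two rule sets and the sample requests are all constructed for the demo; a real WAF would derive them from the parsed HTTP message and a far larger policy.

```python
import re

# Negative model: deny-list of signatures for known attack classes (constructed, deliberately small).
NEGATIVE_RULES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\d+=\d+"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
}

# Positive model: allow-list of what each endpoint legitimately accepts (constructed).
POSITIVE_RULES = {
    ("GET", "/search"): {"q": re.compile(r"[\w \-]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_]{3,32}"), "pw": re.compile(r".{8,128}")},
}

def negative_check(req):
    """Block only what matches a known-bad signature; everything else passes."""
    for name, rx in NEGATIVE_RULES.items():
        if any(rx.search(v) for v in req["params"].values()):
            return "block", f"negative:{name}"
    return "allow", "negative:no-signature"

def positive_check(req):
    """Allow only requests that conform to the endpoint's schema; everything else is blocked."""
    schema = POSITIVE_RULES.get((req["method"], req["path"]))
    if schema is None:
        return "block", "positive:unknown-endpoint"
    for key, value in req["params"].items():
        if key not in schema or not schema[key].fullmatch(value):
            return "block", f"positive:param:{key}"
    return "allow", "positive:conforms"

def hybrid_check(req):
    """Hybrid: known-bad is blocked outright; merely non-conforming traffic is flagged, not dropped."""
    verdict, reason = negative_check(req)
    if verdict == "block":
        return verdict, reason
    verdict, reason = positive_check(req)
    return ("flag" if verdict == "block" else "allow"), reason

# Constructed sample requests; a real WAF would parse these out of the HTTP message.
SAMPLES = {
    "legit":   {"method": "GET", "path": "/search", "params": {"q": "web application firewall"}},
    "sqli":    {"method": "GET", "path": "/search", "params": {"q": "x' or 1=1"}},
    "unknown": {"method": "GET", "path": "/admin/export", "params": {"fmt": "csv"}},
}

def evaluate_all():
    """Run every sample through all three models; returns {name: (negative, positive, hybrid)}."""
    return {n: (negative_check(r)[0], positive_check(r)[0], hybrid_check(r)[0]) for n, r in SAMPLES.items()}
```

The "unknown" sample is the instructive one: the negative model lets it through because nothing matches a signature, the positive model blocks it because nobody approved the endpoint (a false positive if it is a legitimate new feature), and the hybrid model flags it for tuning instead of deciding blindly.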

Modes of deployment

Network-based/hardware-based WAFs are installed locally, which minimizes latency. However, they require physical equipment and involve hefty infrastructure, installation, storage, and maintenance costs, making them an expensive option.

Host-based/software-based WAFs are customizable and integrate fully into the application's own software stack. They are a less expensive option, but they are more complicated to implement and consume local server resources.

Cloud WAFs are the most cost-effective option, with minimal upfront costs: users pay monthly or annually for the service. They are easy to deploy, with minimal disruption to the website during installation, and they are updated consistently and automatically, at no additional cost, to protect against the latest threats. The one drawback is that the user hands responsibility over to a third party, which makes choosing a trusted provider essential.

Critical capabilities that differentiate a WAF

  • Speed and ease of tuning or implementing policy modifications – This determines how quickly and effectively the WAF can respond to changing attack vectors.
  • Customization – The WAF should allow policies to be customized to the unique context and needs of the business.
  • Intelligence – The WAF needs to be equipped with global threat intelligence so that it can effectively stop newer threats. It must also be able to learn from past attempts and attack histories to strengthen its defenses. AppTrana's WAF decides whether to allow, block, challenge, or flag requests based on context.
  • Management – This is the most important capability to look for in a WAF. Unlike network firewalls, application firewalls require more specialized expertise and an understanding of the applications, correlating each with its risk profile to create a specific custom policy, updating policies on a continuous basis, and doing so without false positives. Indusface's AppTrana WAF comes with 24×7 management, including managed custom rules with assured zero false positives, as part of its feature set.