Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a web application security solution intended to protect internet applications that use HTTP to send and receive information between client and a web-server. WAFs are designed to spot illegitimate requests that seek to exploit security weaknesses in a web application.

WAFs detect and filter potentially malicious traffic using a set of rules or machine-learning algorithms. By using a Web Application Firewall in front of a web application, a shield is placed between the web application and the internet.

WAFs have become vulnerable to the sophisticated bots that have surfaced in recent years.

How web application firewall works

Functionally, WAFs typically operate on two levels:

• Real-Time Protection monitors and protects both malformed requests and attacks against vulnerabilities in real-time while standard traffic is passing through
• Real-Time Attack Detection (RAD) identifies attacks after they have occurred based on past experience with similar attacks

Web application firewall deployment modes

There are generally three modes of deployment of Web Application Firewalls:

• Inline mode. This is where the WAF sits between a web server and its internet gateway. All traffic has to go through the WAF before it reaches any other component of the network. The advantage of this approach is that all requests are protected against attacks, but there may be some performance impact on the client side due to additional latency.
• Non-Inline mode. This is where the WAF sits in front of an existing web application server but does not share the same IP address with it. The advantage here is no performance hit on users as they will direct their traffic to non-WAF IP addresses, while still enjoying protection from a single point for both data integrity and security issues).
• Hybrid mode. This is where the WAF sits in front of an existing web application server (i.e. Apache HTTPd) but shares the same IP address with it. It provides protection against bots or automated attacks on performance and integrity, without affecting normal traffic adversely.

Types of cyberattacks a WAF is designed to stop

• Malware
• Zero-day Attacks
• SQL Injection Attacks
• Defacements
• Cross-Site Scripting (XSS) Attacks
• DDoS Attacks
• Business Logic Attacks

Benefits of a web application firewall

• It protects against malicious attacks by blocking unauthorized access to applications.
• Web Application Firewalls are a cost-effective way to secure your network environment.
• WAF doesn’t require any changes to the existing infrastructure or applications, so there’s no need for downtime when installing one.
• It protects your organization’s data and reputation.
• Web Application Firewalls can be used in conjunction with other security measures such as intrusion prevention systems, antivirus software and more.

Challenges in deployment of a web application firewall

The biggest challenge in deploying a Web Application Firewall is determining which features are necessary for your environment. Some organizations do not require protection from all the cyber attacks described above, so an organization may only need to protect against malicious code or SQL injection. Web Application Firewall vendors usually have a solution that will provide protection from some of these threats, while others offer a comprehensive defense plan that offers protection from many of the digital dangers that organizations face today.

Web Application Firewalls can also have a negative impact on the performance of applications that are being protected. A WAF is another point in the data path, so as with all security devices there is some kind of cost involved – this cost usually manifests itself in terms of increased latency for users. Also, each protection mechanism may be subject to its own performance penalty which needs to be taken into consideration when selecting your WAF.

Another potential problem is complexity. Once deployed, the attack mechanisms become more complex and thus more difficult to manage and maintain.  Web Application Firewall vendors will usually provide you with better protection if they know about what attacks their customers face – so it’s recommendable to work closely with them on analyzing threats deciding the appropriate protection mechanisms and how to use them in your environment.

You may also want to consider the maturity of the market, as this can be an important factor in your decision. The vendors should have a well-established support structure that will back you up if there are any vulnerabilities or issues with the WAF  solution when deployed into production. Also, work closely with your vendor during deployment and try to get all relevant information on what features they offer so that you do not end up wasting money by paying for things that you don’t need.

Examples and use cases

Web Application Firewalls are used by both small businesses and large enterprises. They perform important functions like blocking malicious traffic while simultaneously reducing workloads on network security teams by reducing the number of false positives that must be reviewed.

Web Application Firewalls can be used to protect web applications from a variety of attacks, like Distributed Denial-of-Service (DDoS) attacks and Cross-Site Scripting (XSS).  They can also identify attempts at unauthorized access.

They can be integrated with other types of security solutions to provide additional layers of protection. For example, Web Application Firewalls can monitor traffic for signs of malware that antivirus software or intrusion prevention systems (IPS) might have missed.

WAF vs IPS

The fundamental differences between Web Application Firewall and Intrusion Prevention System (IPS) are:

• • A WAF is used to protect web applications whereas an IPS usually protects the network or the endpoints from external malicious forms of attacks including but not limited to malware/viruses. One could argue that there is nothing stopping you from installing an IPS in front of your web application but this would be redundant as it will just perform protectionist duties rather than detection duties; hence an IPS is usually an addition to WAF in this case.
  • A WAF can be used for more than just protecting web applications from malicious traffic; it can also perform optimizations and offer web application specific views on the data, e.g., session management or business intelligence insights (usually referred to as ‘dashboards’) that are not available from IPS solutions.
  • An IPS usually has a lower performance overhead than a WAF solution does because it’s not doing much of any processing; it mainly inspects the packets inflow and has no requirements on historical data (e.g., any web application specific XML dumps of the web application’s state, session information, etc) to provide protections or optimizations (although there are exceptions to this rule). A WAF usually has a much higher performance overhead because it must do both: inspecting each packet with its processing rules and recording all the relevant business logic which comes from parsing that specific web application’s logs/XML dumps.
  • Both types of systems may have signature-based protection, but for different reasons: an IPS could be signature-based if it detects malicious traffic at the network level through signatures (i.e., by comparing network protocols to known malware patterns) whereas a WAF can be signature-based if it detects malicious traffic at the application level through signatures (i.e., by comparing requests to known attack patterns). An IPS is usually signature-based for network protection, but a WAF can also be signature-based when protecting web applications from any type of attacks including errors and bugs that an IPS might not cover.

Frequently asked questions about web application firewalls

How does a web application firewall operate?

Web Application Firewalls usually operate on the edge of the network and inspect HTTP traffic, looking for attempts to exploit vulnerabilities that are specific to application logic. They detect attacks through signatures or by applying rules that provide a whitelist/blacklist based approach.

How to disable a WAF?

While disabling a WAF is possible, it’s not recommended. If you do disable your WAF (for testing purposes), ensure that the traffic through your web application is not sent through any load-balancers or proxy servers that could route the requests to internal servers where a hacker may be trying to exploit the vulnerability. Otherwise, you might inadvertently expose your application to external attacks – while seeing the benefits of an IDS/IPS solution, rather than a Web Application Firewall.

How does a WAF work with anti-virus solutions?

A security solution should complement other security solutions and more importantly, address different aspects of cybersecurity. An antivirus will most likely provide network-level protection but can also be used as an endpoint solution deployed on the client machines and it can be signature-based or behavior-based. A Web Application Firewall will most likely protect applications from web attacks rather than computers, but may also use signatures to detect vulnerabilities in the code of an application.

How does a WAF work with SSL?

A WAF inspects traffic between clients and servers, so HTTPS is irrelevant when it comes to the logic used to detect malicious activity by a hacker trying to exploit a web vulnerability.

Is there such thing as an ‘active’ web application firewall?

Web Application Firewalls sometimes include active detection capabilities which are based on real-time analysis of data – for example, in order to identify zero-day exploits or sophisticated attacks which have not been seen before or in order to block known exploits.

What is the most common technique web application firewalls use to detect attacks?

The most common techniques used by Web Application Firewalls are signature-based or rule-based detection of web attacks. Signature-based detection means that a WAF inspects the traffic and compares it to a specific string, while rule-based detection means that a WAF inspects the traffic based on rules which could be whitelists/blacklists, match criteria against business logic, provide access controls, etc.

What is the difference between an IDS, an IPS and a WAF?

IDS/IPS detect malicious traffic only at the network level (payload of packets) while a Web Application Firewall can detect attacks by inspecting application requests – either by comparing them to known attack patterns or by applying rules that provide a whitelist/blacklist based approach.

How to implement a web application firewall?

The most effective implementation of a Web Application Firewall is to place it as close as possible to the endpoints, so that the requests will be inspected before they are transmitted. A Web Application Firewall can also be placed in-between the clients and the application servers (a rarely recommended practice), but doing so may affect performance.

How do I choose between an IPS/IDS solution and a WAF?

It depends on your business requirements. An IPS/IDS could provide network-level protection while a Web Application Firewall could inspect HTTP transactions at the web protocol level – detecting vulnerabilities or attacks by comparing them to known attack patterns or by applying rules that provide a whitelist/blacklist based approach.

Is a WAF easy to maintain?

A Web Application Firewall needs to be frequently updated in order to keep up with the latest web application vulnerabilities, technology and threats, which means that the flexibility of the solution must outweigh its maintenance overhead.

Is it better to go for a mature WAF or an emerging one?

It depends on your needs. A mature product could provide stability while an emerging one is likely to offer more features – but may lack maturity and support from third parties.

Does it make sense to implement a WAF as part of a platform?

Yes. Platforms are used as an abstraction layer (or shield) between real software and hardware components, providing common functionalities such as management console workflow, centralized deployment and management, multiple platforms support, etc.

How should I ensure that a WAF is effective?

A Web Application Firewall needs to have its rules updated in order to reach full effectiveness and detect the latest attacks. The frequency of updates will depend on your business requirements – for example, if you need more advanced protection against zero-day exploits or sophisticated attacks which have not been seen before then frequent updates will be required.

How to install a WAF?

Installing a WAF consists of deploying the platform and then importing rules. The platforms are designed to be easy-to-deploy, update and manage in order to make deployment easier for you.

How to test a WAF?

Most products offer free trial versions or evaluation licenses that can be used for testing purposes. Before buying the product, you should also ensure that it supports your browsers, OSes and databases – otherwise, it may not be possible to use all features or you may need to install additional software/hardware components which could increase maintenance overhead.

Is an IPS/IDS and a WAF redundant if I have both solutions deployed on my network?

No. Implementing both solutions provides maximum protection level as vulnerabilities and threats could be detected at both network level and web application level.

Is it possible to use a WAF as an IDS/IPS?

Yes, some Web Application Firewalls can also provide intrusion detection functionality – detecting vulnerabilities and attacks by comparing them to known attack patterns or by applying rules that provide a whitelist/blacklist based approach. However, if you need to detect malicious traffic only on the network layer then an IPS/IDS is considered a more effective solution.

How do I benefit from implementing a WAF?

A Web Application Firewall provides protection against common web application vulnerabilities, denial-of-service (DoS) attacks, frauds (phishing, etc.), business logic abuse through cross-site scripting (XSS) and cross-site request forgery (CSRF), SQL injection attacks, buffer overflow etc. By using a Web Application Firewall, you can also mitigate risks related to web applications being used as an attack vector into your network infrastructure, protect sensitive data from leaking outside of your company through web applications and comply with regulatory compliance by protecting against state tampering, access control issues or unauthorized access attempts in web application components (such as administration panels, login interface).

What are the main differences between WAFs on the market?

It depends on the scope of functionality provided – there are solutions that focus only on security aspects while others provide a wider range of functionalities such as DDoS protection. The scalability is another factor that needs to be considered when comparing WAFs on the market – a very robust solution may not be able to support a more limited number of requests, for example.

How to configure a web application firewall?

The configuration process consists of importing the rules into the platform, assigning them to different roles and then activating them in order to minimize the impact on your web application. The rule import/update can be done manually or automatically – depending on your specific needs.

How to evaluate a WAF?

When evaluating a Web Application Firewall it is important to understand what functionalities are required for protecting your business against new and emerging threats. For example, if you need protection against web application vulnerabilities that have not been seen before you may require frequent updates provided by most vendors through support subscription or purchase upgrade packages. However, if you do not need such advanced protection level then an open source solution would be more appropriate for you as they provide free updates with high support availability.

How to avoid false positives when using WAFs?

It is important to understand whether you want to use your Web Application Firewall for detecting vulnerabilities only – in which case you can disable heuristic checks which may lead to false positives and increase performance or whether you want to also detect attacks such as DoS, SQL injection, XSS – in which case it is recommended to enable heuristic checks and tune them according to your specific needs.

Where to use a WAF?

More effective solutions allow you to deploy a WAF in many different locations – at the network level and/or application level. While it would be ideal to have both, this is not always possible for most companies due to high costs or technical reasons.

Are WAFs installed on web servers?

It depends on your specific needs and requires a bit of research. For example, if you are looking for performance then the best location for a Web Application Firewall is close to web traffic but if you want more security then it should be placed between web applications and networks. Depending on your requirements, you may choose between hardware-based and software-based appliances that need to support modern protocols such as SSL/TLS (HTTPS), HTTP/2, SPDY.

Where to buy a WAF?

You can easily find solutions on the internet that are just as effective as advanced enterprise-class solutions but the choice should be made based on your specific needs and requirements. While open source security solutions may not be able to provide you with a high performance or very robust protection level, they are often free and easy to use. However, if you want to protect critical web applications (such as online e-commerce) or can spend more money on a solution then it is recommended to consider commercial products that offer a much wider range of functionalities such as access control, DDoS protection or compliance reporting functionality. In addition, if you need support and speedy updates for new vulnerabilities in order to stay protected against the latest threats then most vendors provide support subscription and upgrade plans for additional costs.

Where is a web application firewall deployed?

There are three main locations for deploying a Web Application Firewall – at the network level, at the webserver level and between your applications and databases. It is important to determine where you want to deploy your system based on its specific functionalities, availability of vulnerable services, network infrastructure capabilities and costs.

Why do WAFs fail?

Most vendors have a lot of experience when it comes to developing secure systems but they may not be able to provide protection against unknown attacks such as those conducted via zero-day exploits or vulnerabilities that require advanced filtering rules beyond basic XML firewalls. This can happen due to limitations in their rule engines or the lack of additional features required for detecting new threats. When using open source solutions then you must make sure that they can detect and prevent attacks targeting your applications in a reliable way.