A WAF creates a shield between a web app and the Internet; this shield can help mitigate many common attacks.
Learning Objectives
After reading this article, you will be able to:
- Define a web application firewall.
- Explain the difference between blocklist and allowlist WAFs.
- Understand the pros and cons of network-based, host-based, and cloud-based WAFs.
A Web Application Firewall (WAF) is a security solution that filters, monitors, and blocks HTTP traffic between a web application and the internet. Unlike traditional firewalls, which focus on network security, WAFs operate at the application layer (Layer 7 of the OSI model) to safeguard web applications from malicious requests.
It protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection. Because a WAF is a Layer 7 defense, it is not designed to defend against all attacks; it is usually one component of a suite of tools that together create a holistic defense against a range of attack vectors.
Deploying a WAF in front of the web application places a shield between the application and the Internet. Whereas a (forward) proxy server protects a client machine's identity by acting as an intermediary, a WAF is a reverse proxy: it protects the server from direct exposure by requiring clients to pass through the WAF before reaching the server.
A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. Part of a WAF's value comes from the speed and ease with which policies can be modified, allowing a faster response to changing attack vectors; during a DDoS attack, for example, rate limiting can be applied quickly by modifying WAF policies.

What is the difference between a blocklist and an allowlist WAF?
Blocklist WAF (Negative Security Model):
- Blocks known malicious traffic based on predefined attack signatures.
- Similar to a club bouncer who denies entry to guests violating the dress code.
- Effective against known threats, but may struggle with new or evolving attack techniques.
Allowlist WAF (Positive Security Model):
- Only allows pre-approved traffic, blocking everything else.
- Works like an exclusive party where only guests on the list can enter.
- Provides stronger security but requires careful configuration to avoid blocking legitimate users.
Many modern WAFs use a hybrid approach, combining both models for enhanced protection.
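The three policy models above, plus the rate-limiting policy change mentioned earlier, as a minimal request filter over constructed sample traffic. This is an added illustration, not code from the original article or from any WAF product; the signatures, allowlisted endpoints, sample requests and IP addresses are all invented for the example.

```python
import re
from collections import Counter

# Negative model: constructed signatures of known-bad input (real rule sets are far larger
# and run after the WAF has URL-decoded and normalised the request).
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:"),
}
# Positive model: the only (method, path) pairs the app exposes and the exact query-string
# shape each accepts; anything else is blocked even when no signature matches it.
ALLOWLIST = {
    ("GET", "/products"): re.compile(r"id=\d{1,6}"),
    ("GET", "/search"): re.compile(r"q=[\w\s-]{1,64}"),
}
# Constructed sample traffic: (method, path, decoded query string, client IP).
SAMPLE_REQUESTS = [
    ("GET", "/products", "id=42", "203.0.113.5"),
    ("GET", "/products", "id=1 UNION SELECT pw FROM users", "203.0.113.9"),
    ("GET", "/search", "q=<script>alert(1)</script>", "203.0.113.9"),
    ("GET", "/products", "id=999999999", "203.0.113.5"),  # no signature fires, wrong shape
    ("DELETE", "/products", "id=42", "203.0.113.5"),      # method the app never exposes
    ("GET", "/search", "q=union select", "203.0.113.7"),  # passes allowlist, hits signature
]

def blocklist_decision(method, path, query):
    """Blocklist WAF: allow unless a known-bad signature matches (misses novel input)."""
    hit = next((n for n, p in SIGNATURES.items() if p.search(path + "?" + query)), None)
    return f"block:{hit}" if hit else "allow"

def allowlist_decision(method, path, query):
    """Allowlist WAF: block unless the request matches an approved shape exactly."""
    shape = ALLOWLIST.get((method, path))
    if shape is None:
        return "block:unknown-endpoint"
    return "allow" if shape.fullmatch(query) else "block:unexpected-input"

def hybrid_decision(method, path, query):
    """Hybrid: the allowlist decides first; signatures still run for defence in depth."""
    verdict = allowlist_decision(method, path, query)
    return verdict if verdict != "allow" else blocklist_decision(method, path, query)

def evaluate(requests, policy=hybrid_decision, rate_limit=None):
    """Apply a policy to a request stream; rate_limit caps requests per client in the window."""
    seen, verdicts = Counter(), []
    for method, path, query, client in requests:
        seen[client] += 1
        limited = rate_limit is not None and seen[client] > rate_limit
        verdicts.append("block:rate-limit" if limited else policy(method, path, query))
    return verdicts
```

Running the blocklist alone lets the oversized `id` and the unexpected `DELETE` through, while the allowlist alone blocks them but passes `q=union select`; the hybrid catches all four, and passing `rate_limit=2` additionally drops the third request from the same client.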
Pros and Cons of Network-Based, Host-Based, and Cloud-Based WAFs
| Type | Pros | Cons |
|---|---|---|
| Network-Based WAF | Low latency, strong security, protects all applications on the network | Expensive, requires physical hardware, complex maintenance |
| Host-Based WAF | Customizable, integrated into the application, no extra hardware needed | Consumes server resources, complex implementation, maintenance costs |
| Cloud-Based WAF | Scalable, easy deployment, no hardware required | Potential latency issues, less direct control over security settings |
Each type of WAF has its advantages depending on budget, security needs, and deployment preferences.
