A WAF creates a shield between a web app and the Internet; this shield can help mitigate many common attacks.
Learning Objectives
After reading this article, you will be able to:
- Define web application firewall (WAF).
- Explain the difference between blocklist and allowlist WAFs.
- Understand the pros and cons of network-based, host-based, and cloud-based WAFs.
A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications against attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection. A WAF is a layer 7 defense (in the OSI model) and is not designed to defend against all attacks; it does not see or stop attacks at the network or transport layers, for example. This method of attack mitigation is usually part of a suite of tools that together create a holistic defense against a range of attack vectors.
Deploying a WAF in front of a web application places a shield between the application and the Internet. Whereas a (forward) proxy server protects a client machine's identity by acting as an intermediary, a WAF is a type of reverse proxy that protects the server from exposure: clients pass through the WAF before they reach the server, so the WAF can inspect and filter each request first.
A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic before it reaches the application code. Part of the value of a WAF comes from the speed and ease with which policies can be modified, allowing a faster response to changing attack vectors; during a DDoS attack, for instance, rate limiting can be enabled quickly by changing WAF policy rather than by changing the application itself.
What is the difference between blocklist and allowlist WAFs?
A WAF based on a blocklist (negative security model) protects against known attacks by matching requests against signatures of malicious input. Think of a blocklist WAF as a club bouncer instructed to deny admittance to guests who don't meet the dress code. Its weakness is that an attack the signatures do not describe (a novel payload, or a known payload encoded in an unexpected way) walks straight in. Conversely, a WAF based on an allowlist (positive security model) only admits traffic that matches a pre-approved definition of legitimate requests: the expected endpoints, parameters, and value formats. This is like the bouncer at an exclusive party; he or she only accepts people on the list. An allowlist can stop attacks nobody has seen before, but it has to be kept in step with the application, and an incomplete or outdated list blocks legitimate users. Because both models have advantages and drawbacks, many WAFs offer a hybrid security model that implements both.
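To make the policy model concrete, the following is an added illustration, not code from the original article or from any real WAF product: a miniature request filter with a blocklist of known-bad signatures, an allowlist that describes what each endpoint may receive, and a per-client rate limit that can be switched on through the policy object. The signatures, the two endpoints in the schema, and the sample requests are all constructed for the example; a production WAF has far larger rule sets and also normalizes encodings before matching.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """A simplified HTTP request (constructed for the example)."""
    client_ip: str
    method: str
    path: str
    params: dict
    ts: float  # arrival time in seconds


# Negative security model: signatures of known attack patterns (illustrative only).
BLOCKLIST_SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s+.+=|union\s+select|;\s*drop\s+table", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "lfi": re.compile(r"\.\./|/etc/passwd|php://", re.I),
}

# Positive security model: the only endpoints and parameter formats allowed
# to reach the application (a hypothetical schema for this example).
ALLOWLIST_SCHEMA = {
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_]{3,32}"),
                         "password": re.compile(r".{8,128}")},
}


@dataclass
class Policy:
    """Operator-editable policy: toggles are changed without touching the app."""
    blocklist: bool = True
    allowlist: bool = True
    rate_limit: Optional[int] = None  # max requests per client per window
    window_s: int = 10


class MiniWAF:
    def __init__(self, policy):
        self.policy = policy
        self.history = defaultdict(deque)  # client_ip -> recent timestamps

    def inspect(self, req):
        """Return ('allow', reason) or ('block', reason) for one request."""
        if self.policy.rate_limit is not None:
            recent = self.history[req.client_ip]
            while recent and req.ts - recent[0] > self.policy.window_s:
                recent.popleft()  # drop timestamps outside the sliding window
            recent.append(req.ts)
            if len(recent) > self.policy.rate_limit:
                return "block", "rate-limit"
        if self.policy.blocklist:
            for name, sig in BLOCKLIST_SIGNATURES.items():
                for value in [req.path, *req.params.values()]:
                    if sig.search(value):
                        return "block", "blocklist:" + name
        if self.policy.allowlist:
            schema = ALLOWLIST_SCHEMA.get((req.method, req.path))
            if schema is None:
                return "block", "allowlist:unknown-endpoint"
            if set(req.params) - set(schema):
                return "block", "allowlist:unexpected-param"
            for key, pattern in schema.items():
                if key in req.params and not pattern.fullmatch(req.params[key]):
                    return "block", "allowlist:bad-" + key
        return "allow", "ok"


def run_demo():
    """Run constructed requests through a hybrid policy and a blocklist-only policy."""
    hybrid = MiniWAF(Policy(blocklist=True, allowlist=True, rate_limit=5, window_s=10))
    requests = [
        Request("198.51.100.7", "GET", "/search", {"q": "coffee grinder"}, 1.0),
        Request("198.51.100.7", "GET", "/search", {"q": "' OR 1=1 --"}, 2.0),
        Request("198.51.100.7", "GET", "/search", {"q": "<script>alert(1)</script>"}, 3.0),
        Request("198.51.100.7", "GET", "/search", {"q": "a'||1"}, 4.0),   # not in the blocklist
        Request("198.51.100.7", "GET", "/admin", {}, 5.0),                 # endpoint not allowlisted
    ]
    results = [hybrid.inspect(r)[1] for r in requests]
    # Six requests from one client inside the 10 s window: the sixth trips the limit.
    flood = [hybrid.inspect(Request("203.0.113.9", "GET", "/search", {"q": "x"}, 20.0 + i))[1]
             for i in range(6)]
    # The same unusual payload passes a blocklist-only policy: no signature describes it.
    blocklist_only = MiniWAF(Policy(blocklist=True, allowlist=False))
    missed = blocklist_only.inspect(requests[3])[1]
    return results, flood, missed


if __name__ == "__main__":
    print(run_demo())
```

The fourth request shows why hybrids exist: the blocklist has no signature for `a'||1`, but the allowlist rejects it because a search term is not allowed to contain a quote or a pipe. The flood shows the operational point made above: rate limiting is a policy setting, turned on by constructing a different `Policy`, not a code change in the application.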
What are network-based, host-based, and cloud-based WAFs?
A WAF can be implemented in one of three different ways, each with its benefits and shortcomings:
- A network-based WAF is generally hardware-based. Because it is installed locally, in the same network as the application, it minimizes added latency, but network-based WAFs are the most expensive option and require physical equipment to be housed and maintained.
- A host-based WAF may be fully integrated into an application's software, for example as a module of the web server or application stack. This solution is less expensive than a network-based WAF and offers more customizability. The downsides of a host-based WAF are the consumption of local server resources, implementation complexity, and ongoing maintenance, all of which typically require engineering time and may be costly.
- Cloud-based WAFs offer an affordable option that is very easy to implement; they usually provide a turnkey installation that is as simple as a change in DNS to redirect traffic through the provider. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. They can also offer a consistently updated solution that protects against the newest threats without additional work or cost on the user's end. The drawback of a cloud-based WAF is that users hand over responsibility to a third party, so some features of the WAF may be a black box to them. One practical caveat applies to any DNS-based deployment: because the origin server remains reachable by IP address, it should accept traffic only from the provider's network (for example, by firewalling the origin to the provider's published address ranges); otherwise an attacker who discovers the origin address can bypass the WAF entirely.