What is a Web Application Firewall (WAF)?
A web application firewall (WAF) is a stateful device that protects web applications against a variety of cyberattacks. WAFs function by monitoring and filtering HTTP traffic located between a web application and the Internet with the goal of identifying and blocking malicious traffic. They work in various environments, including public cloud, on-premises, and multicloud.
Web application firewalls date back to the late 1990s when web server attacks became more common. They were developed to protect key applications from these new, dangerous attacks that were decimating enterprises across the globe. The market has grown and evolved over time, leading to more advanced WAFs covering various industries and network environments.
WAFs play a crucial role in the security stack. They help protect against common cyberattacks, including cross-site scripting and SQL injection, and they partner with other network perimeter solutions such as network firewalls, intrusion prevention systems (IPS), and more to provide a comprehensive cybersecurity strategy.
Functions of an Effective WAF
Effective WAFs monitor and filter traffic between the internet and web applications. This is done to identify potential threats and ensure that legitimate traffic is allowed through while malicious traffic is filtered out. This protects against many cyberattacks. Web application firewalls are often touted as effective DDoS defense solutions, but they have their shortcomings. As stateful devices, WAFs are easily overwhelmed by TCP state-exhaustion attacks, which fill the state tables very quickly, leaving the firewall overwhelmed and unable to pass traffic. The best way to combat this vulnerability is to pair an effective WAF with a comprehensive DDoS protection solution that is dedicated to detecting and mitigating DDoS attacks, allowing the WAF to protect key web applications from other types of attacks.
Types of Web Application Firewalls
There are three primary types of WAFs: cloud-based, network-based, and host-based. The key difference between these is where they are placed in the network environment or their deployment model:
- Cloud-Based WAF: This type of WAF protects applications hosted in the cloud. It leverages load balancers or cloud networking services to filter traffic between the web and the cloud environment. However, these often fail to provide adequate protection.
- Network-Based WAF: Typically a hardware appliance, this type of WAF requires maintenance and operates on networking infrastructure like switches or TAPs. It sits between the applications and the internet.
- Host-Based WAF: These WAFs are colocated on servers where applications live. They are deployed as part of the application's operating system, so they can utilize OS-level filtering to filter the traffic hitting the web applications.
Differences between a Network Firewall and WAF
Several key differences exist between a network firewall and a web application firewall. One is the layers they focus on, with network firewalls primarily protecting layers 3 and 4 of the OSI model, while WAFs focus on layer 7. Another difference is their location in the security stack: network firewalls are deployed at the network edge, whereas WAFs are deployed in front of web servers to protect applications. Both types of firewalls are required for regulatory compliance, with network firewalls required for regulations such as GDPR for data protection and HIPAA for healthcare, while WAFs are required for PCI DSS for e-commerce websites. Finally, a network firewall's primary function is to control access to internal resources by blocking all unnecessary protocols and applications, while a WAF protects applications from targeted attacks and performance degradation.
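To make the layer 3/4 versus layer 7 distinction concrete, here is an added example (written for this page, not NETSCOUT's or any vendor's code) that models both views over a few constructed HTTP requests. The network-firewall policy, the two signatures, and the request samples are all assumptions chosen for illustration; real WAF rulesets are far larger and apply more normalisation than the URL-decoding shown here.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    """Constructed HTTP request, not captured traffic."""
    src_ip: str
    dst_port: int
    method: str
    path: str                      # path including any query string
    headers: dict = field(default_factory=dict)
    body: str = ""


# Layer 3/4 view: a network firewall sees addresses, ports and protocol only.
# Assumed policy: allow web ports from anywhere, deny everything else.
ALLOWED_PORTS = {80, 443}


def network_firewall_allows(req: Request) -> bool:
    return req.dst_port in ALLOWED_PORTS


# Layer 7 view: a WAF parses the HTTP message and inspects its content.
# Illustrative signatures only (assumed, not a production ruleset).
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\s+[\w'%]+\s*=\s*[\w'%]+|(?i)union\s+select"),
    "xss": re.compile(r"(?i)<\s*script\b|(?i)javascript:"),
}


def waf_inspect(req: Request) -> list:
    """Return the names of matched rules; an empty list means the request is clean."""
    # WAFs decode URL-encoding before matching so that %27%20OR%201%3D1
    # is inspected as ' OR 1=1 rather than as an opaque string.
    surfaces = [unquote_plus(req.path), unquote_plus(req.body)]
    surfaces += [unquote_plus(v) for v in req.headers.values()]
    return [name for name, pat in SIGNATURES.items()
            if any(pat.search(s) for s in surfaces)]


def decide(req: Request) -> str:
    """Run the request through both layers in the order traffic would meet them."""
    if not network_firewall_allows(req):
        return "blocked-by-network-firewall"
    if waf_inspect(req):
        return "blocked-by-waf"
    return "allowed"


# Constructed sample requests (addresses from RFC 5737 documentation ranges).
SAMPLES = {
    "benign": Request("198.51.100.7", 443, "GET", "/products?id=42",
                      {"user-agent": "Mozilla/5.0"}),
    "apostrophe_name": Request("198.51.100.8", 443, "POST", "/signup",
                               {"user-agent": "Mozilla/5.0"}, "name=O%27Brien"),
    "sqli_in_query": Request("203.0.113.5", 443, "GET",
                             "/products?id=42%27%20OR%201%3D1", {}),
    "xss_in_body": Request("203.0.113.6", 443, "POST", "/comment", {},
                           "text=%3Cscript%3Ex%3C%2Fscript%3E"),
    "telnet_probe": Request("203.0.113.9", 23, "", "", {}),
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:16s} network_fw={'allow' if network_firewall_allows(req) else 'deny':5s} "
              f"waf_hits={waf_inspect(req)} -> {decide(req)}")
```

The point the table in the page makes is visible in the output: the SQL injection and XSS samples arrive on port 443 and are invisible to the layer 3/4 policy, which allows them; only the layer 7 inspection catches them. The `apostrophe_name` sample is there to show that a signature has to be specific enough not to block ordinary input containing a quote.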
Using both a network firewall and WAF in tandem allows for comprehensive protection against many types of cyberattacks. This ensures stronger protections for your digital environments with fewer holes. While it is not a bulletproof protection system, it does provide more protection when both are used versus just using one on its own.
Considerations when Choosing a Web Application Firewall
When choosing a WAF, there are several things to look out for. First is the deployment model. Choosing the proper deployment model for your web applications' needs is paramount to getting the correct protection. Another key consideration is scalability to grow with your network environment. Rate limiting capacity is another key feature to look out for. The method by which it filters traffic can also be an important consideration, as not all WAFs do this the same way. Automated traffic analysis using AI/ML technology can help detect attacks and issues without the need for human interaction. Finally, centralized management can help keep eyes on multiple WAF appliances in one place, improving operational efficiency.
You also want to make sure the WAF is compatible with your current infrastructure, including specific applications, CDNs, security stack components, and more. This helps to ensure a smooth implementation without surprises and proper operation once installed.
The last major considerations are price and maintenance needs. Ongoing costs from maintenance can stack up, so looking at total cost of ownership versus startup cost may be of benefit to organizations looking for a long-term web application firewall solution.
How NETSCOUT Helps
While NETSCOUT does not provide WAFs directly, we help ensure they are able to do their jobs with complementary solutions. Our Arbor Edge Defense (AED) product, part of our overall DDoS protection solution, protects WAFs to keep them up and running by defending them against state-exhaustion DDoS attacks. AED is a stateless solution that filters illegitimate DDoS attack traffic before it hits the firewall, preventing state tables from filling up and the WAF from becoming unable to pass traffic.
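The state-exhaustion failure mode described in the "Functions of an Effective WAF" section, the rate-limiting feature mentioned under "Considerations", and the stateless pre-filter idea in this section can all be seen in one small simulation. This is an added example written for this page; it is not AED's or any WAF's code, and the page does not describe AED's internals. It assumes a toy stateful device with a bounded connection table and a 10-step half-open timeout, a pre-filter that is modelled as a per-source fixed-window rate limit (a deliberate simplification of what a stateless DDoS filter does), and constructed traffic: 20 legitimate clients opening one connection per step and 10 flood sources each opening 100 half-open connections per step. All numbers are assumptions chosen so the effect is easy to see.


```python
class StatefulWAF:
    """Toy stateful device: every new connection occupies a slot in a bounded
    state table until it is closed or its timeout expires."""

    def __init__(self, table_size: int, timeout: int):
        self.table_size = table_size
        self.timeout = timeout
        self.table = {}            # conn_id -> step at which the entry expires

    def expire(self, now: int) -> None:
        self.table = {c: t for c, t in self.table.items() if t > now}

    def new_connection(self, conn_id, now: int) -> bool:
        """Admit a connection if a slot is free; a full table drops it."""
        self.expire(now)
        if len(self.table) >= self.table_size:
            return False
        self.table[conn_id] = now + self.timeout
        return True

    def close(self, conn_id) -> None:
        self.table.pop(conn_id, None)


class PerSourceRateLimit:
    """Pre-filter that keeps one counter per source for the current window,
    not a record per connection (assumed model; real stateless DDoS filters
    use other techniques as well)."""

    def __init__(self, per_source_limit: int):
        self.limit = per_source_limit
        self.window = None
        self.counts = {}

    def admit(self, src: str, now: int) -> bool:
        if now != self.window:
            self.window, self.counts = now, {}
        self.counts[src] = self.counts.get(src, 0) + 1
        return self.counts[src] <= self.limit


def simulate(with_prefilter: bool, steps: int = 20, table_size: int = 1000,
             timeout: int = 10, legit_clients: int = 20, attack_sources: int = 10,
             attack_rate: int = 100, per_source_limit: int = 5) -> dict:
    """Run the constructed traffic through the WAF, optionally behind the pre-filter.
    Returns how much legitimate and flood traffic the WAF admitted or dropped."""
    waf = StatefulWAF(table_size, timeout)
    pre = PerSourceRateLimit(per_source_limit) if with_prefilter else None
    stats = {"legit_passed": 0, "legit_dropped": 0,
             "flood_passed": 0, "flood_dropped": 0}
    open_legit = []

    for now in range(steps):
        # Legitimate connections complete quickly: close last step's batch.
        for cid in open_legit:
            waf.close(cid)
        open_legit = []

        # Flood arrives first each step (worst case for legitimate users).
        # Half-open connections never close, so they hold slots until timeout.
        for a in range(attack_sources):
            src = f"203.0.113.{a}"                      # RFC 5737 TEST-NET-3
            for k in range(attack_rate):
                cid = ("flood", now, a, k)
                if pre is not None and not pre.admit(src, now):
                    stats["flood_dropped"] += 1
                elif waf.new_connection(cid, now):
                    stats["flood_passed"] += 1
                else:
                    stats["flood_dropped"] += 1

        for c in range(legit_clients):
            src = f"198.51.100.{c}"                     # RFC 5737 TEST-NET-2
            cid = ("legit", now, c)
            if pre is not None and not pre.admit(src, now):
                stats["legit_dropped"] += 1
            elif waf.new_connection(cid, now):
                stats["legit_passed"] += 1
                open_legit.append(cid)
            else:
                stats["legit_dropped"] += 1
    return stats


if __name__ == "__main__":
    print("WAF alone:          ", simulate(with_prefilter=False))
    print("pre-filter + WAF:   ", simulate(with_prefilter=True))
```

Without the pre-filter, the first step's 1,000 half-open connections fill the table and every legitimate connection is dropped until the entries time out, at which point the next burst refills it. With the per-source limit in front, only 50 flood connections per step reach the WAF, the table never exceeds a few hundred entries, and all 400 legitimate connections are admitted. The residual flood that does get through is the traffic the WAF's own application-layer rules are then free to deal with.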