Web application firewall (WAF)

Contributor(s): Madelyn Bacon

A web application firewall (WAF) is a firewall that monitors, filters or blocks data packets as they travel to and from a website or web application. A WAF can be either network-based, host-based or cloud-based and is often deployed through a reverse proxy and placed in front of one or more web sites or applications. Running as a network appliance, server plug-in or cloud service, the WAF inspects each packet and uses a rule base to analyze Layer 7 web application logic and filter out potentially harmful traffic that can facilitate web exploits.

Web application firewalls are a common security control used by enterprises to protect web systems against zero-day exploits, malware infections, impersonation and other known and unknown threats and vulnerabilities. Through customized inspections, a WAF is able to detect and immediately prevent cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking and buffer overflows, which traditional network firewalls and other intrusion detection systems and intrusion prevention systems may not be capable of doing. WAFs are especially useful to companies that provide products or services over the Internet such e-commerce shopping, online banking and other interactions with customers or business partners.

Types of web application firewalls

Network-based WAFs are usually hardware-based and can reduce latency because they are installed locally, on premise via a dedicated appliance, as close to the application as possible. Most major network-based WAF vendors allow replication of rules and settings across multiple appliances, thereby making large scale deployment, configuration and management possible. The biggest drawback for this type of WAF product is cost as there’s both an up-front capital expenditure as well as ongoing operational costs for maintenance.

Host-based WAFs may be fully integrated into the application code itself. The benefits of a host-based WAF implementation include lower cost and increased customization options. Host-based WAFs can be a challenge to manage because they require application libraries and depend upon local server resources to run effectively. Therefore, more staff resources, including that of developers, system analysts and devops/devsecops, may be required.

Cloud-hosted WAFs offer a low-cost solution for organizations that want a turnkey product that requires minimal resources for implementation and management. Cloud WAFs are easy to deploy, are available on a subscription basis and often require only a simple DNS or proxy change to redirect application traffic. Although it can be challenging to place responsibility for filtering an organization's web application traffic with a third-party provider, the strategy allows applications to be protected across a broad spectrum of hosting locations and use similar policies to protect against application layer attacks. Additionally, these third-parties have the latest threat intelligence and can help identify and block the latest application security threats.

Commercial vs Open Source WAFs

There are both commercial and open source WAF options. Popular commercial vendors include F5, Barracuda, and CloudFlare. Popular open source vendors include ModSecurity, Naxsi and WebKnight.

This was last updated in March 2019

Next Steps

Read about the latest advancements in Web application firewall technology and learn more about deploying, managing and supporting WAFs in the enterprise. Then read our expert advice to determine if a WAF is suitable for your organization, discover the most important questions to ask before buying a WAF, and get a comparision of the best WAF products on the market.

Continue Reading About Web application firewall (WAF)

Dig Deeper on Web application and API security best practices

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Does it protect against ping attacks or is that layer 3 firewall?
Thank you for providing the detailed information on web application firewall


File Extensions and File Formats

Powered by: