A Web Application Firewall (WAF) is a standard security system used by many enterprises worldwide. WAFs help to protect web systems against a wide variety of online threats, such as malware infections, zero-day exploits, and other system vulnerabilities both known and unknown.
In this article, we’ll introduce you to the basics of web application firewalls, the different WAF options available, and why a WAF should be included in your web application security strategy.
What is a Web Application Firewall?
A WAF is a firewall security system designed to provide web applications the protection they need against a variety of online attacks and threats. Essentially, it works by closely monitoring and filtering the traffic that flows between the web application and the open internet. A robust WAF solution is capable of detecting and preventing a variety of attacks, including SQL injection, buffer overflows, and session hijacking. By and large, a WAF can detect and prevent threats that traditional network security systems may not be capable of stopping.
WAFs are classified as a layer 7 (application layer) defence. While they’re not designed to defend against every type of online threat, their threat prevention is normally integrated with a suite of tools and firewall applications that work together seamlessly in order to build a more holistic wall that guards against a wide range of threat vectors.
By implementing a web application firewall between your web applications and the internet, you’re essentially placing a shield over your web-based apps and keeping them isolated from online dangers. This is a different approach from your standard forward proxy server, which is designed to protect a client machine’s identity through an intermediary.
In a nutshell, you can think of WAFs as a type of reverse proxy – securing the server from unnecessary exposure by forcing clients to pass through the WAF and undergo in-depth inspection before they even reach the server. Many companies prefer WAFs due to their efficiency, speed and the ease of implementing policy changes. This allows for a quicker and more immediate response to various attack vectors.
During a DDoS (Distributed Denial of Service) attack, for example, rate limiting can be easily and effectively implemented by changing WAF policies, making WAFs a good layer of DDoS protection.
Blacklist WAFs and Whitelist WAFs: What’s the Difference?
This is where Web Application Firewalls get a bit more challenging to wrap your head around.
What we refer to as Blacklist WAFs basically operate on a negative security model, which means they protect against attacks and threats that are known. So, imagine a fancy restaurant with a strict dress code: a blacklist WAF would be like the security guard at this establishment, thoroughly instructed to deny access to guests who don’t follow the dress code.
Whitelist WAFs, on the other hand, work completely differently. They operate on a positive security model, in the sense that the system only admits traffic that has already been pre-approved. In this scenario, the whitelist WAFs are like a bouncer at a private event. Only guests with invitations, and the proper credentials, will be allowed in.
Both blacklist and whitelist WAFs have their benefits and drawbacks. To get the most out of your web firewall solution, most security vendors offer a hybrid approach.
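To make the two models concrete, here is a small added example (not code from this article or from any WAF vendor): a toy request filter in Python that runs the same four constructed requests through a blocklist (negative model) and an allowlist (positive model). It shows the blocklist missing an unfamiliar injection that the allowlist rejects, and the allowlist rejecting a legitimate request simply because it was never pre-approved.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """A minimal HTTP request as a WAF sees it (constructed for this example)."""
    method: str
    path: str
    params: dict


# Negative security model (blacklist): deny known-bad signatures, let everything else through.
BLOCKLIST = [
    re.compile(r"(?i)union\s+select"),   # classic SQL injection fragment
    re.compile(r"(?i)<script\b"),        # reflected XSS marker
    re.compile(r"\.\./"),                # path traversal
]


def blocklist_decision(req: Request) -> str:
    """Block if any known signature appears in the path or a parameter value."""
    for value in [req.path, *req.params.values()]:
        if any(sig.search(value) for sig in BLOCKLIST):
            return "block"
    return "allow"


# Positive security model (whitelist): only pre-approved routes with parameters
# of the expected shape are admitted; anything unknown is denied by default.
ALLOWLIST = {
    ("GET", "/search"): {"q": re.compile(r"[\w ]{1,64}")},
    ("GET", "/item"):   {"id": re.compile(r"\d{1,9}")},
}


def allowlist_decision(req: Request) -> str:
    """Allow only if the route is approved and every parameter matches its schema."""
    schema = ALLOWLIST.get((req.method, req.path))
    if schema is None or set(req.params) != set(schema):
        return "block"
    return "allow" if all(schema[k].fullmatch(v) for k, v in req.params.items()) else "block"


def evaluate(req: Request) -> dict:
    return {"blocklist": blocklist_decision(req), "allowlist": allowlist_decision(req)}


# Constructed sample traffic: benign, a known attack, a novel attack, and an unapproved feature.
SAMPLES = {
    "benign_search": Request("GET", "/search", {"q": "blue shoes"}),
    "known_sqli":    Request("GET", "/item", {"id": "1 UNION SELECT 1,2"}),
    "novel_sqli":    Request("GET", "/item", {"id": "1 OR 1=1"}),
    "new_feature":   Request("GET", "/export", {"format": "csv"}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:14} {evaluate(req)}")
```

The blocklist passes the unsigned "novel" injection and the allowlist drops the harmless export request, which is exactly the trade-off that pushes vendors towards the hybrid approach mentioned above.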
WAF Implementation Methods
Most web application firewalls can be deployed in one of three ways. Each of these methods has its pros and cons, which your company must take into consideration before settling on a deployment method and network infrastructure.
A cloud-based web application firewall is an affordable solution for SMEs and start-ups that prefer low-cost turnkey products that only require minimal resources for deployment and maintenance.
Cloud-based solutions are by nature quick and easy to deploy. Your organisation might also benefit from the fact that most of these solutions are available through subscription-based pricing models.
Relying on a third-party provider to have sole responsibility for monitoring and filtering your web application traffic can be a challenge for most stakeholders. After all, the last thing you want as a company is to place your security in the hands of another company, right?
Well, just as with ITSM solutions, this approach lets applications be secured and protected across a broad spectrum of threats. Moreover, many reputable third-party providers offer up-to-date security risk assessment tooling to help identify and prevent the newest variants of application security threats.
A host-based WAF is often integrated directly into the code of a specific software application. And, just like cloud-hosted WAFs, this implementation method is both affordable and easy to implement.
The increased customization option is another great benefit. For a reasonably-priced security solution, small businesses will have the ability to completely customize their approach to web app security and protection, an ability that used to only be available through more advanced, high-end solutions.
The biggest downside of host-based WAFs is that they can be tougher and more challenging to manage and maintain on a regular basis. Even though the implementation method offers a great degree of customization, it still requires you to maintain application libraries and rely on local server resources to properly implement the system. In other words, you might have to invest in staff resources, such as IT specialists or system developers. This will obviously increase the cost of operations – a clear downside if you originally chose a host-based WAF to save money.
Unlike the two other methods, network-based WAFs are typically hardware-based. This can help reduce latency because the system is installed locally.
Network-based WAFs are essentially on-premise solutions. However, a clear disadvantage is the cost. The upfront investment for this method can be quite hefty, considering that it’s hardware-based. Additionally, you will need to rely on IT staff and devops to properly implement and maintain the system, which isn’t exactly the most prudent approach for small businesses on a tight budget.
Open Source vs Licensed WAF
As with most other software solutions, there are both commercial and open source options available to choose from.
Commercial solutions like Barracuda and CloudFlare are amongst the many solutions available on the market. These are closed-source products available through the software licensing model, meaning that customers must purchase a license in order to use the product.
On the other hand, you have WAF systems like WebKnight and ModSecurity, both of which are open source software maintained by a community of IT security experts and developers.
At the end of the day, the type of WAF you choose – open source or commercial – will largely depend on the situation your organisation is in, such as your budget situation and available IT resources. How much can you, as a business, afford to invest in your security?