Web Application Firewall (WAF) Definition
A Web application firewall (WAF) is a firewall that monitors, filters or blocks data packets as they travel to and from a Web application. A WAF can be either network-based, host-based or cloud-based and is often deployed through a proxy and placed in front of one or more Web applications. Running as a network appliance, server plug-in or cloud service, the WAF inspects each packet and uses a rule base to analyze Layer 7 web application logic and filter out potentially harmful traffic.
Web application firewalls are a common security control used by enterprises to protect Web applications against zero-day exploits, impersonation and known vulnerabilities and attackers. Through customized inspections, a WAF is also able to prevent cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking and buffer overflows, which traditional network firewalls and other intrusion detection systems may not be capable of doing. WAFs are especially useful to companies that provide products or services over the Internet.
Network-based WAFs are usually hardware-based and can reduce latency because they are installed locally, as close to the application as possible. Most major network-based WAF vendors allow replication of rules and settings across multiple appliances, thereby making large scale deployment and configuration possible. The biggest drawback for this type of WAF product is cost.
Host-based WAFs may be fully integrated into the application code itself. The benefits of application-based WAF implementation include low cost and increased customization options. Application-based WAFs can be a challenge to manage because they require local libraries and depend upon local server resources to run effectively.
Cloud-hosted WAFs offer a low-cost solution for organizations that want a turnkey product. Cloud WAFs are easy to deploy, are available on a subscription basis and often require only a simple DNS change to redirect application traffic. Although it can be challenging to place responsibility for filtering an organization’s web application traffic with a third-party provider, the strategy allows applications to be protected across a broad spectrum of hosting locations and use similar policies to protect against application layer attacks.