What Is a WAF?

web application firewall (WAF) protects web applications, application programming interfaces (APIs), and servers from malicious internet traffic to prevent data breaches. It filters and monitors inbound and outbound traffic that hits website servers to safeguard web applications from visitors with bad intentions. 

Organizations are increasingly reliant on web applications to connect with partners and enable employees to work as effectively as possible. However, these applications are also one of their greatest threats, with cyber criminals using increasingly sophisticated techniques to target potential vulnerabilities. A common WAF meaning is a type of firewall that inspects traffic as it goes in and out of the business network in an attempt to block and prevent attacks that target vulnerable code.

Attacks against web applications are one of the leading sources of data breaches. Businesses are increasingly looking to reduce their applications' time to market, which often results in human error and development issues leading to holes in security. A WAF is therefore a vital tool in helping businesses keep their confidential, sensitive information secure. 

Using a WAF is increasingly important in the face of sophisticated cyberattacks that discover and exploit code vulnerabilities before organizations even know they exist. Furthermore, as web applications become more complex, they become more reliant on a system that can analyze, discover, and mitigate issues in Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) traffic.

How Does a Web Application Firewall Work?

A WAF protects web applications by blocking, filtering, and monitoring malicious traffic between the web application and the internet. It also prevents unauthorized data from leaving the web application.

WAF security works as a reverse proxy that sits on top of an application to enhance its performance and protect it from bad traffic. There are various types of WAF. They are available as a cloud service, in a hardware appliance, or as a software format depending on the topology of the organization’s network.

A WAF targets specific types of traffic and attacks. It does this by working with policies that advise the types of traffic and behavior, potential loopholes, load balancer issues, and known vulnerabilities to look out for. When malicious activity or behavior is detected, the WAF then follows a prescribed set of next actions that will counter or prevent an attack.

A WAF also scans networks for incoming HTTP requests that look out of the ordinary. Advanced WAFs can then challenge a request and demand proof that it was sent by a legitimate person rather than a bot. It will immediately block traffic it considers to be fraudulent to prevent potentially harmful bots or malware from advancing. A WAF helps to protect businesses from a wide range of advanced security threats, such as:

  1. Cross-site scripting (XSS) attacks: An XSS attack sees the malicious attacker exploit loopholes and gaps in the security of a web application. They insert malicious codes and scripts that are activated when a user loads the affected website.
  2. Malware attacks: One of the most common forms of attack is through malware. Attackers exploit vulnerabilities in a web application or launch attacks through methods like phishing to infect websites with ransomware and spyware.
  3. Man-in-the-middle (MITM) attacks: Attackers position themselves as the middle man between two parties and impersonate one of them. The attacks can be carried out through tactics like Internet Protocol (IP) spoofing, poisoning the Domain Name Server (DNS), and Secure Sockets Layer (SSL) hijacking.
  4. SQL injection attacks: These attacks are executed against website forms, such as contact and submission forms. The attacker inserts malicious SQL codes into the fields that a user fills in, which helps them gain access to the back end of the website and steal data.
  5. Zero-day attacks: These attacks also target vulnerable code in an application. However, they occur so quickly that an organization does not know the issue exists. Malicious actors search for potential vulnerabilities, then build attacks to exploit the gap and gain access to the company’s data and resources. Zero-day attacks can often go undetected in corporate systems for months and even years.

The WAF will also scan for loopholes in web applications that a hacker may be able to exploit. When it discovers one, it automatically blocks potential hackers from finding them and immediately begins patching the issue.

As a result, WAFs need to be kept up to date at all times to ensure they can spot new code vulnerabilities and prevent emerging, previously unknown threats. Automation is crucial to the success of WAFs protecting businesses as the threat landscape becomes more complex and sophisticated.

Because a WAF can recognize legitimate traffic, it can also be used to discover weak points in an organization’s security defenses. It can discover and patch existing vulnerabilities and carry out security tests on organizations' web applications.

Application Profiling

Applications vary dramatically in their structure and the way they work. This can make it difficult for organizations to recognize whether an application is working efficiently and exactly what poses a threat. A WAF helps with this by understanding the unique characteristics of an application and identifying telltale signs of a threat.

From there, an organization can use predefined WAF profiles, create customized profiles based on predefined features, or create unique profiles based on user-defined configurations.

Blacklist Signatures

A WAF is able to add the unique signature of a malicious entity, such as a strand of malware, to a blacklist. This ensures that a known threat can be blocked before it reaches an organization's systems and resources.

Correlation Engine

A correlation engine allows an organization to spot potentially malicious or harmful threats. It does this by learning the normal behavior of an application. Then, should anything out of the ordinary occur, it is able to quickly flag it.

DDoS Protection

A distributed denial-of-service (DDoS) attack occurs when a hacker takes control of several web applications to form a network or botnet. The attacker uses the botnet to send huge amounts of traffic and multiple requests to their target, which eats up all of an organization’s resources and makes their security defenses vulnerable. A WAF helps prevent DDoS attacks by identifying signs of a botnet and blocking its requests, enabling the web application to run as normal.

Blacklist WAF vs. Whitelist WAF vs. Hybrid WAF

WAFs can be configured in several ways, using two common security methods. These are the blacklist WAF, which is also known as a negative security model, and the whitelist WAF approach, which is commonly referred to as a positive security model. Organizations can also use a combination of the two in a hybrid WAF approach.

The blacklist WAF model blocks traffic first before accepting genuine, accepted users onto the network. The WAF is given a set of policies that ensure it blocks traffic based on attack signals from potential malicious actors and to protect against specific weak points or code vulnerabilities. This is particularly useful for blocking DDoS attacks because the WAF can be configured to deny access to IP addresses that suddenly send unusually high levels of traffic.

The whitelist WAF model is configured to only allow approved traffic to gain access to a web application. This means that only a select group of end-users can access the network and all other visitors are blocked by the firewall. This approach is ideal for organizations that are testing a new website, as opposed to an application that is available for public use.

The hybrid WAF model combines the approach of both the blacklist and whitelist WAFs and enables both approaches to be deployed. This will be based on how the WAF’s models and policies are configured and the specific requirements and risk profile of the web application. 

Web Application Firewall vs. Network Firewall

A web application firewall detects and monitors web traffic that attempts to access web applications. 

A network firewall is the traditional security product used by organizations and in homes to protect all devices connecting to a network. Everything behind the firewall is considered trusted and given access, while everything else is blocked. 

Large organizations also use network firewalls to protect confidential information in their systems' isolated trusted zones. They are designed to control the flow of data packets in and out of the network.

A network firewall operates at Level 3 to 4 of the Open Systems Interconnection (OSI) model, whereas a WAF operates at Level 7. This means that a network firewall only focuses on connection requests to the network and has to allow web traffic to the network by default. But a WAF is a more advanced system that explores the web traffic being transmitted and offers superior threat detection from application-based vulnerabilities.

WAF vs. Intrusion Prevention System (IPS)

A WAF sits between web applications and users, analyzing HTTP communication before it can reach the application or users. When it detects a risk, it blocks traffic and rejects any requests the malicious actor might make to take sensitive information from the site.

An IPS detects and prevents threats that have previously been identified. The tool continuously monitors business networks while identifying potential threats and gathering information about them.

WAFs and IPSs are similar in that both monitor the traffic that goes in and out of web applications and servers. However, the key difference is that an IPS is limited to focusing on signatures, which means it is not able to monitor sessions and users that try to gain access to an application. A WAF takes into account programs and users that attempt access to a web application and analyzes traffic with a deeper level of intelligence than an IPS.

Types of Web Application Firewalls

There are three ways in which a web application firewall can be deployed: through network firewalls, local firewalls, and application firewalls.

Network Firewalls

A network firewall only focuses on connection requests into the network and blocks all traffic that is not recognized or signed into the network. Organizations can also get network WAFs, which are typically hardware-based and installed on a server to monitor data packets, metadata, and content. 

These more advanced firewalls offer better threat detection through machine-learning techniques. They are fast, locally installed firewalls that ward against data latency and are highly effective at monitoring traffic. However, they require hardware and ongoing maintenance, which make them expensive to run.

Local Firewalls

Local firewalls focus on a defined area or environment, such as a specific server or on a user’s desktop. Devices such as Mac and Windows computers operate local firewalls that enable users to control access to their applications. Each has its own access and configuration requirements that make the user’s local environment trusted.

Application Firewalls

Also known as a host-based WAF, an application firewall can be fully integrated into the software of an application. It goes beyond the metadata of packets that go in and out of the network to focus on the data being transferred. These firewalls are designed to recognize the type of data allowed within protocols such as HTTP and the Simple Mail Transfer Protocol (SMTP). However, they can consume huge resources from the local server, can be complex to implement, and costly to maintain.

Different applications have their own specific firewalls, such as email servers and websites. They can also be found at both the local and network level, depending on how they have been configured by the organization and the specific threats that need to be countered. 

Deployment and Configuration of WAF's

Businesses looking to deploy a WAF have three options available to them: in-line appliance, endpoint, and cloud-based firewalls.

  1. In-line appliance firewalls: Deployed within the organization’s network. They carry configuration and installation requirements and are platform-agnostic.
  2. Endpoint firewalls: Deployed within a hosting server. They can be deployed at the operating system, such as the Intrusion Detection System (IDS) or the IPS, in a web server like Apache, or within the web application itself.
  3. Cloud-based firewalls: Deployed outside the organization’s hosting environment. They do not have any installation requirements, are configured through the DNS or Border Gateway Protocol (BGP), and are also platform-agnostic. Cloud-based WAFs are affordable to run, easier to implement and maintain, and demand minimal outlay in terms of an upfront cost. They can also be updated, and even updated automatically, to ensure that the organization is constantly protected from the latest security threats.

Choosing which of these three firewall locations to deploy and selecting the type of firewall required is dependent on the organization, the capability of its security team, and the amount of investment it is willing to make in securing its network.

Organizations that have the resources to manage their WAF themselves can opt for network-based, local, or host-based firewalls. However, this option is likely expensive and can deplete the resources of the IT and security teams. Selecting a WAF means that all the hard work is done automatically, taking the strain away from admins, IT, and security.

Fortinet Web Application Firewall

The Fortinet WAF, FortiWeb, protects organizations’ most critical web applications from both the threats they are aware of and the vulnerabilities that are unknown to them. FortiWeb helps businesses keep their web applications secure every time they introduce new features, unveil new updates, or launch new web-based APIs. 

FortiWeb is a comprehensive solution that secures web applications by focusing on the signatures of application attacks, mitigating bots, DDoS protection, IP reputation, and more. It also utilizes machine learning to automatically establish and develop an evolving model of normal user behavior. It uses this baseline to discover the existence of malicious actors and any out-of-the-ordinary behavior, without consuming the time and resources of IT and security teams and admin users.

Fortinet also provides advanced threat protection with its next-generation firewall (NGFW), FortiGate. It filters traffic to protect organizations from threats, identify potential attacks, prevent malware attacks, and perform deeper inspection. It gives businesses control over their applications, in addition to advanced network visibility and intrusion prevention. The solution also ensures organizations have the latest threat updates to keep their networks secure at all times.