WAF vs. Firewall: Application and Network Firewalls

In the modern age of sophisticated cyberattacks and digital innovation, it is vital for businesses to understand the threats they face and what their security defenses protect them from. This is especially the case with firewalls, as web application firewalls and network firewalls protect organizations from different types of attacks. It is therefore important to understand how a network firewall is different from an application firewall, and how to prevent web attacks and broader network attacks.

Traditionally, businesses have protected their data and users with network firewalls, which lack the flexibility and transparency to protect against modern security threats. But the growth of bring your own device (BYOD), public cloud, and Software-as-a-Service (SaaS) solutions means they need to add a web application firewall (WAF) to their security strategy. This increases protection from attacks against web applications, which are stored on a remote server, delivered over the internet through a browser interface, and appealing targets for hackers.

Understanding the Difference Between Application and Network-level Firewalls

A WAF protects web applications by targeting Hypertext Transfer Protocol (HTTP) traffic. This differs from a standard firewall, which provides a barrier between external and internal network traffic.

A WAF sits between external users and web applications to analyze all HTTP communication. It then detects and blocks malicious requests before they reach users or web applications. As a result, WAFs secure business-critical web applications and web servers from zero-day threats and other application-layer attacks. This is increasingly important as businesses expand into new digital initiatives, which can leave new web applications and application programming interfaces (APIs) vulnerable to attacks.

A network firewall protects a secured local-area network from unauthorized access to prevent the risk of attacks. Its primary objective is to separate a secured zone from a less secure zone and control communications between the two. Without it, any computer with a public Internet Protocol (IP) address is accessible outside the network and potentially at risk of attack.

Application Traffic vs. Network Traffic

Traditional network firewalls mitigate or prevent unauthorized access to private networks. Firewall policies define the traffic allowed onto the network, and any other access attempts are blocked. Examples of network traffic this helps to prevent are unauthorized users and attacks from users or devices in less secure zones.

A WAF specifically targets application traffic. It protects HTTP and Hypertext Transfer Protocol Secure (HTTPS) traffic and applications in internet-facing zones of the network. This secures businesses against threats like cross-site scripting (XSS) attacks, distributed denial-of-service (DDoS) attacks, and SQL injection attacks.

Protection at Layer 7 vs. Layer 3 and 4

The key technical difference between application-level firewall and network-level firewall is the layer of security they operate on. These are defined by the Open Systems Interconnection (OSI) model, which characterizes and standardizes communication functions within telecommunication and computing systems. 

WAFs protect attacks at OSI model Layer 7, which is the application level. This includes attacks against applications like Ajax, ActiveX, and JavaScript, as well as cookie manipulation, SQL injection, and URL attacks. They also target web application protocols HTTP and HTTPS, which are used to connect web browsers and web servers. 

For example, a Layer 7 DDoS attack sends a flood of traffic to the server layer where web pages are generated and delivered in response to HTTP requests. A WAF mitigates this by acting as a reverse proxy that protects the targeted server from malicious traffic and filters requests to identify the use of DDoS tools. 

Network firewalls operate at OSI model Layers 3 and 4, which protect data transfer and network traffic. This includes attacks against the Domain Name System (DNS) and File Transfer Protocol (FTP), as well as Simple Mail Transfer Protocol (SMTP), Secure Shell (SSH), and Telnet.

Web Attacks vs. Unauthorized Access

WAF solutions protect businesses from web-based attacks targeted at applications. Without an application firewall, hackers could infiltrate the broader network through web application vulnerabilities. WAFs protect businesses from common web attacks such as:

  • Direct denial-of-service: An attempt to disrupt a network, service, or server by overwhelming it with a flood of internet traffic. It aims to exhaust its target's resources and can be difficult to defend as the traffic is not always obviously malicious.
  • SQL injection: A type of injection attack that enables hackers to execute malicious SQL statements, which control the database server behind a web application. This enables attackers to bypass webpage authentication and authorization and retrieve the content of the SQL database, then add, modify, and delete its records. Cyber criminals can use an SQL injection to access customer information, personal data, and intellectual property. It was listed as the number one threat to web application security in the OWASP Top 10 in 2017.
  • Cross-site scripting: A web security vulnerability that enables attackers to compromise user interactions with applications. It enables the attacker to circumvent the same-origin policy, which segregates different websites. As a result, the attacker can masquerade as a genuine user and access the data and resources they have permission for. 

Network firewalls protect against unauthorized access and traffic going in and out of the network. They protect against networkwide attacks against devices and systems that connect to the internet. Examples of frequently used network attacks include:

  • Unauthorized access: Attackers accessing a network without permission. This is commonly achieved through credential theft and compromised accounts as a result of people using weak passwords, social engineering, and insider threats.
  • Man-in-the-middle (MITM) attacks: Attackers intercept traffic either between the network and external sites or within the network itself. This is often as a result of insecure communication protocols enabling attackers to steal data in transmission, then obtain user credentials and hijack user accounts.
  • Privilege escalation: Attackers gain access to a network then use privilege escalation to expand their reach deeper into the system. They can do so horizontally, whereby they gain access to adjacent systems, or vertically by gaining higher privileges within the same system.

Choosing an Application or Network Firewall

Standard network firewalls and WAFs protect against different types of threats, so it is vital to choose the right one. A network firewall alone will not protect businesses from attacks against webpages, which are only preventable through WAF capabilities. So without an application firewall, businesses could leave their broader network open to attack through web application vulnerabilities. However, a WAF cannot protect from attacks at the network layer, so it should supplement a network firewall rather than replace it. 

Both web-based and network solutions work at different layers and protect from different types of traffic. So rather than competing, they complement each other. A network firewall typically protects a wider range of traffic types, whereas a WAF deals with a specific threat that the traditional approach cannot cover. It is therefore advisable to have both solutions, especially if a business’s operating systems work closely with the web.

Rather than selecting one or the other, the challenge is more to select the right WAF system that best suits the business’s needs. The WAF should have a hardware accelerator, monitor traffic and block malicious attempts, be highly available, and be scalable to maintain performance as the business grows.

Next-generation Firewall vs. WAF and Network Firewalls

Purchasing separate firewall products to protect every layer of security is expensive and cumbersome. That is leading businesses to comprehensive solutions like next-generation firewalls (NGFWs). NGFWs typically combine the capabilities of network firewalls and WAFs into a centrally managed system. They also provide extra context to security policies, which is vital to protect businesses from modern security threats. 

NGFWs are context-based systems that use information such as identity, the time, and location to confirm that a user is who they say they are. This added insight enables businesses to make more informed, intelligent decisions about user access. They also include features such as antivirus, anti-malware, intrusion prevention systems, and URL filtering. This simplifies and improves the effectiveness of security policies in line with the increasingly sophisticated threats that businesses face.

Having one comprehensive view of digital security is often easier and more cost-effective. However, it is vital to ensure an NGFW covers all the bases for network and web application protection. WAFs play a specific role in protecting web applications from code injection, cookie signing, custom error pages, request forgery, and URL encryption. It can, therefore, be necessary to use an NGFW in conjunction with a dedicated web application firewall like FortiWeb.

Fortinet protects business-critical web applications from attacks that target both known and unknown vulnerabilities. Our FortiWeb solution keeps pace with the rapid evolution of businesses’ web applications to ensure they remain protected every time they deploy new features, expose new web APIs, and update existing ones.

FortiWeb provides comprehensive protection to prevent businesses from all security threats, from DDoS protection and protocol validation to application attack signatures, bot mitigation, and IP reputation. It also uses machine learning to automatically build and maintain a model of normal user behavior, which is used to identify benign and malicious traffic without the time-consuming manual effort that most WAFs require.

For more information on Fortinet’s approach to network firewall vs. WAF, read our information brief on WAF vs. IPS.