What Is A Web Application Firewall?
An Introduction to a Web Application Firewall or WAF
A web application firewall (WAF) protects online services from malicious attacks such as SQL injection and cross-site scripting (XSS). A WAF detects and filters out threats that could degrade, compromise, or expose online applications to denial-of-service (DoS) attacks, and it examines HTTP traffic before that traffic reaches the application server. WAFs also protect against unauthorized transfer of data out of the server.
In recent years, web application security has become increasingly important, especially after web application attacks ranked as the most common cause of breaches in the Verizon Data Breach Investigations Report. WAFs have become a critical component of web application security: they guard against web application vulnerabilities while allowing the security rules to be customized for each application. Because a WAF sits inline with traffic, some of its functions are conveniently implemented by a load balancer.
According to the PCI Security Standards Council, WAFs function as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”
How Web Application Firewalls Work
WAFs can be built into hardware appliances, deployed as server-side software plugins, or delivered as a traffic-filtering service. A WAF protects web applications from malicious clients, which makes it essentially the inverse of a (forward) proxy server, which protects client devices from malicious applications; in that sense a WAF acts as a reverse proxy.
To enforce this, a WAF intercepts and examines every HTTP request. Suspicious traffic is blocked outright or challenged with a CAPTCHA designed to stump harmful bots and automated programs.
The details of WAF administration rest on security procedures built from customized policies, which should address the top web application security flaws listed by the Open Web Application Security Project (OWASP).
Traditionally, these policies can be elaborate, requiring specialized administrators to configure the WAF in accordance with the company’s security policy. These administrators are responsible for correctly placing, configuring, administering, and monitoring WAFs to ensure maximum security.
For more on implementing a web application firewall, see our Application Delivery How-To Videos, including the Web Application Firewall How-To video.
Attacks That WAFs Prevent
WAF security can prevent many attacks, including:
- Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- SQL injection — Malicious code is inserted or injected into a web entry field, allowing attackers to compromise the application and the underlying systems.
- Cookie poisoning — Modification of a cookie to gain unauthorized information about the user, for purposes such as identity theft.
- Unvalidated input — Attackers tamper with HTTP requests (including the URL, headers and form fields) to bypass the site’s security mechanisms.
- Layer 7 DoS — An HTTP flood that uses valid-looking requests for typical URL data retrievals.
- Web scraping — Automated extraction of data from websites.
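To make the request-inspection flow and the attack list above concrete, here is a small added example (not code from this page or from any vendor product) of a minimal WAF-style filter: it parses a raw HTTP request, decodes the URL path, query string, form body and headers, tests every one of those surfaces against constructed SQL injection and XSS signatures, and counts requests per client so that a flood is challenged rather than served. The rules, client addresses and sample requests are constructed for illustration and are far smaller than a real policy.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature rules for two of the attack classes listed above;
# a production policy (e.g. one built from the OWASP rule sets) is far larger.
RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d|--\s*$|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
]
RATE_LIMIT = 5  # requests allowed per client in one window (crude Layer 7 DoS check)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into method, decoded path, fields and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines[1:])}
    parts = urlsplit(target)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(body, keep_blank_values=True))  # POST form fields
    return method, unquote_plus(parts.path), fields, headers


class MiniWaf:
    def __init__(self):
        self.seen = defaultdict(int)  # per-client request counter

    def inspect(self, raw: str, client_ip: str) -> tuple:
        """Return (verdict, reason); verdict is 'allow', 'block' or 'challenge'."""
        self.seen[client_ip] += 1
        if self.seen[client_ip] > RATE_LIMIT:
            return "challenge", "rate limit exceeded"  # e.g. serve a CAPTCHA
        _, path, fields, headers = parse_request(raw)
        # Every attacker-controlled surface is inspected: URL path, query/form
        # fields and header values. Decoding once more catches double-encoding.
        surfaces = [path, *fields.values(), *headers.values()]
        for name, pattern in RULES:
            for value in surfaces:
                if pattern.search(unquote_plus(value)):
                    return "block", f"{name} signature in {value!r}"
        return "allow", "clean"


if __name__ == "__main__":
    waf = MiniWaf()
    req = "GET /login?user=admin'--&pw=x HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    print(waf.inspect(req, "203.0.113.7"))
```

Signature matching of this kind is only one layer of a WAF policy; real deployments combine it with request normalization, anomaly scoring and per-application tuning to keep false positives down.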
Cloud WAF
A cloud WAF – also known as a cloud-based WAF or cloud-native WAF – provides modern web application security at a much lower cost than traditional appliance-based web application firewalls while offering some distinct advantages. Cloud-based WAF services offer more responsive, elastic, and customizable application security options based on predefined security policies that scale and react automatically to threats per application or tenant.
The customization and flexibility of such cloud WAF services saves administrators from time-consuming manual tuning of security software or hardware on their systems, allows for proactive rather than reactive threat detection, enables real-time application security insights and visibility, and supports compliance (GDPR, HIPAA and PCI), all while providing centralized application security across multi-cloud, hybrid-cloud or on-premises application environments.