Web application firewall (WAF)

What is a Web Application Firewall (WAF)?

Q: Find the Right Web Application Firewall Provider

In-house operation of a WAF (also known as an application level firewall or web app firewall) involves a great deal of effort. Depending on the type, considerable costs are incurred for the necessary hardware, software and operation – in particular, specialist personnel with in-depth knowledge of information security are often difficult to obtain. IT security service providers who offer WAF solutions as a service can help here. Suitable service providers have the necessary industry experience to ensure efficient operation of the WAF services. The rule sets configured within the WAF must harmonize with the digital business processes of the respective organization. Otherwise there is a risk of downtime and performance losses. A customized configuration by the web application firewall provider is essential for this. In addition, compliance requirements resulting from laws and regulatory provisions such as the General Data Protection Regulation (GDPR), the NIS 2 Directive or the IT Security Act must be observed when selecting a service provider. As a rule, highly certified providers based in the European Economic Area (EEA) are preferable from a compliance perspective.

Q: This Is Why Expertise Is Crucial When Using WAFs

A poorly configured WAF (or cloud WAF) can cause several issues. For instance, a bad setup may slow down web applications, leading to added latency. It can also create false positives or negatives. This means legitimate user requests might be blocked, while malicious attacks get through. Such problems can lead to extra costs for reconfiguration and maintenance. To ensure top protection, a web application firewall needs constant monitoring and optimization. This helps it adapt to new threats, fix bugs, and meet updated security policies. Therefore, working with an experienced service partner is often the best way to secure and enhance web application performance.

Q: Why a WAF Is Not an All-In-One Solution

A WAF (Web Application Firewall) is crucial for web application security. However, it should not stand alone. It must work alongside other tools like DDoS protection, bot management, and load balancing. Only then can a WAF fully use its strengths. This combination helps protect critical business processes on the web.

A Web Application Firewall (WAF) is a security solution that filters, monitors, and blocks HTTP and HTTPS traffic to and from a web application. This protects against a wide range of cyberattacks at the application layer – including SQL injection, cross-site scripting, and more.

Learn more about the Myra WAF

At a glance

01. Web Application Firewall (WAF): A definition
02. How Does a Web Application Firewall (WAF) Work?
03. What Dangers Does a Web Application Firewall (WAF) Protect Against?
04. What Are the Advantages of Using WAF Security?
05. What Types of WAFs Are There?
06. What can an Application Level Firewall not protect against?
07. Which Companies Need a WAF?
08. What Do Companies Need to Consider When Using a WAF?
09. Web Application Firewall (WAF): What You Need to Know

01

Web Application Firewall (WAF): A Definition

A Web Application Firewall (WAF) sits in front of websites and other application and checks all data going back and forth. It blocks dangerous traffic, like hackers trying to break in, so only safe requests reach the web app. WAFs use rules to spot attacks such as cross-site scripting and SQL injection, helping keep web applications secure. Most WAFs can be set up as software, hardware, or managed cloud services, and their rules are updated to stay ahead of new threats. They make it easier for organizations to meet security standards and protect important data from being stolen.

02

How Does a Web Application Firewall (WAF) Work?

A WAF protects web applications from specific cyber attacks. It helps defend against threats like cross-site scripting and SQL injection. It forms a protective wall between the web application and the Internet. Clients that want to reach the web server must first pass through the web application firewall.

When analyzing data, the WAF follows defined rules, known as policies. They are used to filter out harmful traffic. These policies are constantly updated in order to be able to react to various forms of cyber attacks. Basically, there are blocklist and allowlist WAFs:

Blocklist WAFs are based on a negative security model and protect against known attacks. The firewall recognizes these attacks and prevents them.
Allowlist WAFs, on the other hand, pursue a positive security model. They only allow pre-approved traffic through.

In practice, many WAFs follow a hybrid approach of blocklist and allowlist for optimum security performance.

Find out more about flexible and scalable WAF protection solutions for your websites → GDPR-compliant & Made in Germany

Experience Myra WAF

03

What Dangers Does a Web Application Firewall (WAF) Protect Against?

A web application firewall (WAF) shields web apps from data theft, account takeovers, and malicious acts. Organizations can defend against these attack patterns with a WAF:

Cross-Site Scripting (XSS)

In a cross-site scripting attack, cyber criminals add harmful code to web apps. They exploit security flaws to steal sensitive information, like login details. Interactive websites and applications are particularly susceptible to this. As an upstream protective wall, a web application firewall prevents such malicious access.

SQL-Injection

Cyber criminals use SQL injection attacks to exploit security weaknesses. They insert harmful commands or code through input fields. Dedicated rule sets allow WAF solutions to reliably detect and thwart injection attacks.

OWASP Top 10

OWASP, the non-profit organization, regularly lists the 10 biggest security issues for web applications. Many of the threats on this list can be addressed by a web application firewall.

Zero-Day Exploits

Cyber criminals quickly exploit newly found software vulnerabilities, like Log4Shell or Confluence OGNL. Adapted WAF rules provide immediate protection against these urgent threats. This helps until patches for the vulnerable software are ready and installed.

04 - What Are the Advantages of Using WAF Security?

Companies that use a web application firewall on their website benefit from the following advantages:

Additional Security Layer for Web Applications

An application-level firewall adds extra protection against unauthorized access. It works best with other security measures.

Closing Security Gaps in Multiple Applications

Webmasters can place a WAF in front of several applications at the same time. This procedure makes it possible to close existing security gaps.

Protection of Legacy Systems and Applications

Older software that hasn’t been updated or programmed internally can have lasting security vulnerabilities. A WAF offers additional security here.

05

What Types of WAFs Are There?

You can set up a WAF architecture in three ways:

Centralized, using a network-based hardware or virtual appliance
Host-based, installed directly on the web server
As a cloud SaaS solution from a provider

Depending on the type and deployment, the functionality and associated costs differ immensely.

Network-Based WAF

These web application firewalls can be hardware or virtual appliances. They sit in front of or behind web servers. These solutions provide high scalability and performance. However, they need more bandwidth and a strong infrastructure.

Host-Based WAF

Host-based web application firewalls are software or modules. They run on the same server as the web application. They offer a high level of integration and control options, but also require more resources and high maintenance costs.

Cloud SaaS WAF

Many providers now offer software-as-a-service (SaaS) solutions for web application firewalls (WAF). These cloud-hosted options reduce internal effort for companies. They are also flexible and cost-effective. With a managed WAF, the provider handles configuration, maintenance, and operation of the firewall.

06

What can an Application Level Firewall not protect against?

A WAF does not offer total protection, but should always be part of a comprehensive security concept. The following threats cannot be defended against by an application level firewall:

Attacks via protocols outside the application level such as DNS, SMTP, Telnet, RDP, SSH or FTP are not identifiable for a WAF solution.
DDoS attacks that use malicious traffic to overload web applications and the underlying web infrastructure can only be partially intercepted by a WAF. Dedicated DDoS protection solutions at network, protocol and application level, on the other hand, offer reliable protection.
Logic errors in the web applications themselves can lead to unwanted reactions and can be exploited by cyber criminals. Such conceptual programming errors are not recognized by an application level firewall.

07

Which Companies Need a WAF?

Companies with important websites, online portals, or web APIs can gain from a cloud WAF. For those offering credit card payments, using a WAF is essential to meet PCI DSS standards. This is especially true for many e-commerce businesses. Other regulations, like the NIS-2 directive, also push companies to secure their systems with modern tech, often including a WAF for critical online applications. Additionally, organizations using agile development methods depend on WAFs to protect against development errors.

08

What Do Companies Need to Consider When Using a WAF?

A web application firewall is only as good as its filters and configuration. If you make a mistake here or are too restrictive, you can expect problems. Managing a WAF needs skilled IT security specialists. They must have the right resources to handle ongoing firewall management. If companies can't manage this internally, they rely on SaaS solutions from external providers for administrative tasks.

09

Web Application Firewall (WAF): What You Need to Know

A web application firewall is an important factor in a comprehensive security concept for the company website, business-critical online portals and APIs. The security solution monitors traffic directly at the application level. The solution checks incoming requests and responses from the web server for suspicious patterns. Requests classified as malicious are blocked by the WAF – this ensures that the applications are protected without the need for any adjustments to the application itself.

The Web Application Firewall protects websites from attacks that occur via the Hypertext Transfer Protocol (HTTP/S). These include risks from the OWASP Top 10, zero-day exploits, SQL injection and cross-site scripting (XSS).

To ensure smooth operation, the WAF provider must adapt the security solution to the existing web applications. This is the only way to rule out performance or security problems and complete failures in advance.

The Myra WAF protects your content and applications and integrates seamlessly into your existing IT infrastructure.

Learn more about the Myra WAF

Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.

Go to download section

Deep Dive WAF IT-Security

Find the Right Web Application Firewall Provider

This Is Why Expertise Is Crucial When Using WAFs

Why a WAF Is Not an All-In-One Solution

About the author

Björn Greif

Senior Editor

About the author

Björn started his career as an editor at the IT news portal ZDNet in 2006. 10 years and exactly 12,693 articles later, he joined the German start-up Cliqz to campaign for more privacy and data protection on the web. It was then only a small step from data protection to IT security: Björn has been writing about the latest trends and developments in the world of cybersecurity at Myra since 2020.