A web application firewall (WAF) provides protection for web applications by analyzing traffic between clients and web servers at the application level. It can monitor, filter, and block HTTP traffic and is installed directly on the server or as a standalone firewall.
What is a Web Application Firewall?
The Web Application Firewall, abbreviated WAF, is an application-level firewall designed for applications in the web environment. It is a special form of the Application Level Firewall (ALF). The WAF can be used to protect web applications by analyzing, filtering, and blocking HTTP (Hypertext Transfer Protocol) data. Unlike a normal firewall, the data is not examined at the network and protocol level, but directly at the application level.
Often, conventional firewalls and the WAF are used together and analyze communication and data in successive steps. During the analysis, the application firewall considers both the data sent by the web server and the data it receives. The WAF can be software- or hardware-based and installed as a standalone appliance or as an additional component; cloud-based services are also available. The data that can be inspected includes HTTP and HTTPS traffic as well as XML-RPC and SOAP data.
Depending on the configuration and type of firewall, it works with blacklists or whitelists. The lists define whether only specified traffic is allowed through and the rest is blocked, or whether everything except recognized attack patterns is allowed to pass through the firewall.
Many application firewalls are able to learn from the analyzed traffic and detect previously unknown attacks based on unusual patterns. The analysis of web traffic is done in real time before the data reaches the server, so the firewall needs the appropriate processing power. A WAF can protect web applications from known attacks, identity theft, or zero-day exploits, for example. Such firewalls are often referred to as web shields.
How a WAF works and how it differs from normal firewalls
A WAF examines all requests sent to a web server and the responses it returns. If the firewall detects suspicious or dangerous patterns, it blocks further communication from the respective client, or entire data streams. In addition to predefined patterns, application firewalls are usually able to identify dangerous or forbidden traffic on their own in an upstream learning phase.
Among other things, the firewall analyzes the input parameters received for the form fields of the web application and blocks parameters that do not comply with the defined defaults. Such defaults can be, for example, the permitted parameter length, the expected value type, or the number of parameters.
Compared to normal network firewalls or intrusion detection systems (IDS), the WAF offers enhanced protection because it operates at a higher level. While network firewalls only analyze source and destination addresses, ports, and the network services used, the WAF works directly at the application level.
As a result, it provides additional protection to existing network filters. It can close vulnerabilities of applications that have not yet been updated and may cover multiple attack targets behind the WAF through a single filter.
What threats can the WAF protect against?
The WAF is designed to protect the web application from a variety of different threats. These include SQL injection attacks, script injection attacks, cross-site scripting (XSS) attacks, buffer overflow or parameter attacks, and hidden field tampering. Cookie poisoning or unauthorized access to certain areas of the web server and identity theft can also be avoided.
What WAF architectures and types exist?
Two basic architectures exist for the WAF depending on the positioning of the firewall. It can be placed behind the network firewall and in front of the web server, or it can be installed directly on the web server.
In the first case it is a centralized architecture, in the second case it is a host-based approach. In the centralized architecture, dedicated devices are usually used for the WAF. The WAF in the host-based approach usually consists of additional software. This software is, for example, a plug-in for the web server or integrated directly into the web server software.
A common deployment for the WAF is the so-called reverse proxy mode. The proxy sits between the network firewall and the web server and terminates the web sessions. It performs the accesses to the web applications on behalf of the client and, in a second step, analyzes the requests destined for the actual web server as an application firewall.
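The reverse proxy mode just described, as an added example written for this article rather than code from any WAF product: the client's session terminates at the proxy, the proxy inspects the decoded request line, and only a request that passes is re-issued by the proxy itself to the backend, which therefore never sees the client directly. Both the "backend" echo server and the `looks_malicious` check are constructed for the example and deliberately minimal; the listening addresses are loopback with ephemeral ports.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import unquote
from urllib.request import ProxyHandler, Request, build_opener

# Ignore any system HTTP proxy settings so loopback requests stay local.
_OPENER = build_opener(ProxyHandler({}))


class BackendHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the protected web application: echoes the path."""

    def do_GET(self):
        body = f"backend served {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def looks_malicious(path: str) -> bool:
    """Tiny illustrative blocklist on the percent-decoded request target."""
    decoded = unquote(path).lower()
    return any(token in decoded for token in ("<script", " or 1=1", "../"))


def make_proxy_handler(backend_url: str):
    class WafProxyHandler(BaseHTTPRequestHandler):
        """Terminates the client session, inspects, then fetches on the client's behalf."""

        def do_GET(self):
            if looks_malicious(self.path):
                self._reply(403, b"blocked by WAF")
                return
            # The backend only ever talks to the proxy; the original client
            # address travels along as a header (hypothetical header use).
            req = Request(backend_url + self.path,
                          headers={"X-Forwarded-For": self.client_address[0]})
            try:
                with _OPENER.open(req, timeout=5) as resp:
                    self._reply(resp.status, resp.read())
            except HTTPError as exc:
                self._reply(exc.code, exc.read())

        def _reply(self, status: int, body: bytes) -> None:
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return WafProxyHandler


def start_server(handler_cls) -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: ephemeral
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def start_stack():
    """Start backend and WAF proxy; return (backend, proxy, proxy base URL)."""
    backend = start_server(BackendHandler)
    backend_url = f"http://127.0.0.1:{backend.server_address[1]}"
    proxy = start_server(make_proxy_handler(backend_url))
    return backend, proxy, f"http://127.0.0.1:{proxy.server_address[1]}"


def fetch(url: str):
    """Act as the client: return (status, body) as seen through the proxy."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    backend, proxy, base = start_stack()
    print(fetch(base + "/item?id=42"))
    print(fetch(base + "/item?id=1%20or%201=1"))
    backend.shutdown()
    proxy.shutdown()
```

Because the proxy issues its own connection to the backend, the web server sees the proxy's address as the peer, which is why real deployments forward the original client address in a header and why the proxy is the natural place to terminate TLS and inspect the decoded request before anything reaches the application.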