What Is A WAF (Web Application Firewall)?

A WAF, or web application firewall, is a virtual security appliance, cloud service designed to protect organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web applications and the internet.

What is a WAF

Watch this Radware Minute episode with Radware’s Uri Dorot to learn what a web application firewall is, why it is important to have one, how it works, and what you should look for when choosing one.

WAF protects web applications from attacks such as cross-site forgery, server-side request forgery, file inclusion, and SQL injection, among others. In addition, it also safeguards applications and websites against vulnerabilities, exploitations and zero-day assaults. Attacks to applications are the leading cause of breaches—they are the gateway to your valuable data. With the right WAF in place, you can successfully block the array of attacks that aim to exfiltrate data by compromising the systems.

How Does A WAF Work?

When a WAF is deployed in front of a web application, a protective shield is placed between the web application and the internet that monitors all the traffic between the application and the end user(s). A WAF protects the web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and also prevents any unauthorized data from leaving the application by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe. Just as a proxy server acts as an intermediary to protect the identity of a client, in a traditional deployment, a WAF operates in similar fashion but in the reverse—called a reverse proxy—acting as an intermediary that protects the web app server from a potentially malicious client.


WAF Security Models

There are three approaches to security that WAFs typically take:

Whitelisting– An “allow list” that uses machine learning and behavior modeling algorithms to define what traffic the WAF lets through. It then blocks the rest.

Blacklisting– A “block list” based on up-to-date signatures against known vulnerabilities that defines what traffic the WAF denies. The rest is accepted.

Hybrid Approach– The WAF relies on a combination of both positive and negative security models—a combination of allow and block lists that determines what gets through.

The Difference Between WAF and Firewall

The main difference between a firewall and a web application firewall is that a firewall is usually associated with protection of only the network and transport layers (layers 3 and 4). However, a web application firewall provides protection to layer 7.

Types of Web Application Firewalls and Deployment Options

A WAF can be implemented in various ways, each with its own unique advantages and disadvantages. There are three types of WAF:

  • A network-based WAF is generally hardware-based. Since it is installed locally it minimizes latency, however it also requires the storage and maintenance of the physical equipment.
  • A software-based WAF is managed by a service provider that offers the WAF as a security-as-a-service

Cloud-based WAFs offer an affordable and an easy to implement option; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over the responsibility to a third party.

Ideally, a WAF should provide the option to be deployed either in-line, where the solution can serve as a “middleman,” or as an API-based, out-of-path (OOP) service. An API-based, OOP deployment can offer several unique advantages that enable it to be optimized for multi-cloud environments. It enables application requests to go directly from the client to the application server without interruption. Benefits include reduced latency, no traffic redirection, increased uptime and comprehensive protection across heterogenous environments.

What Are The Key Capabilities Of A WAF?

Ideally, a WAF should combine both positive and negative security models to provide comprehensive protection, which includes being able to mitigate known web application attacks, such as access violations, attacks disguised behind CDNs, API manipulations and assaults, the aforementioned HTTP/S floods and Brute Force assaults, and others. Additionally, this combination also provides protection against unknown attacks and vulnerabilities, such as zero-day assaults.

A web application firewall should also leverage behavioral-based, machine-learning algorithms to create and optimize security policies in real-time for comprehensive protection while producing minimal to no false positives. This capability should also provide automatic detection and protection of new applications, as they are added to a network.

Other key capabilities a WAF should include are:

  • Core features should include filter network traffic based on geoblocking, IP groups, blocklist, allowlist, whitelisting and blacklisting
  • API discovery and protection that provides visibility, enforcement, and mitigation of all forms of API abuse and manipulation, whether for on-premise or cloud-hosted environments
  • Built-in DDoS protection to stop the aforementioned application-layer DDoS attacks
  • The ability to integrate with bot management solutions to detect and integrate sophisticated, human-like bots
  • Data leakage prevention mechanisms to automatically mask sensitive user data, such as Personally Identifiable Information (PII)

Why Do You Need a WAF?

Many organizations face increased security risks at the application level due to agile development methodologies, shift to the cloud, increased use of web-based software or SaaS applications, and remote workforces. Incorporating a WAF enables organizations to address attacks that are aimed at web applications and application programming interfaces (APIs).

While WAFs do not protect organizations from all digital threats, they do address those that are aimed at the application level, including the OWASP Top 10 Application vulnerabilities. These can include:

  • Cross site scripting (XSS): A code injection attack in which an adversary inserts malicious code within a legitimate website. The code then launches as an infected script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user.
  • Application-Layer DDoS Attacks: A volumetric DoS or DDoS assault focused at the application layer. Common examples include HTTP/S floods, SSL attacks, slow and slow attacks, and Brute Force assaults.
  • SQL injection: An SQL injection attack is similar to XSS as the adversaries leverage a known vulnerability to inject malicious SQL statements into an application. This, in turn, allows the hacker to extract, alter or delete information.
  • Zero-day attacks:A zero-day attack occurs when a hacker exploits an unknown security vulnerability or software flaw before the software developer has released a patch.

WAF Market Dynamics and Trends

According to Quadrant Knowledge Solutions’ research, the following are key market drivers for WAF:

  • WAF providers wanting to improve their offerings are integrating their products with security information and event management (SIEM) systems, application security testing (AST) and web access management (WAM).
  • Vendors are providing WAF solutions that are based on a positive security model and use a machine learning algorithm to analyze HTTP requests.
  • Thanks to the increase in IoT devices, it’s likely organizations will invest in WAF solutions to comply with data privacy norms, including IoT-specific features such as device fingerprinting and protocol validation.
  • Enterprises are seeking enhanced threat intelligence, extended WAF protection and a variety of out-of-the box integrations.
  • There’s a focus on new detection methods to prevent web attacks and minimize false positives.


Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center