A web application firewall (WAF) protects web applications and APIs. A WAF is usually placed in front of web-facing applications to detect and block a variety of malicious attacks. It is focused on web application traffic (HTTP/S) and protects applications in internet-facing zones of the network.
WAFs are available as a service in the cloud or may be deployed as a hardware or virtual appliance in a hybrid topology. The hybrid deployment may span physical and software-defined data centers and private or public cloud-based environments.
A WAF can use many techniques to decide whether traffic should be passed through to an application or blocked, including behavioral algorithms (machine learning and a positive security model) and/or a negative security model.
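The two rule-based models mentioned above differ in their default: a negative model passes everything except traffic matching known-bad signatures, while a positive model rejects everything except traffic matching a definition of what legitimate requests look like. The following is an added illustration, not code from the original page or from any WAF product. The rule set and endpoint schema are constructed for the example and are deliberately tiny; the request format (method plus request target) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative security model: deny-list of signatures that should never appear in a request.
# Constructed, deliberately simple patterns for illustration; real rule sets are far larger.
NEGATIVE_RULES = {
    "sqli-union": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
    "path-traversal": re.compile(r"\.\./"),
}

# Positive security model: per-endpoint allow-list describing the only parameters, and the
# only parameter formats, an endpoint accepts. Any request not described here is rejected.
# Constructed endpoints for illustration.
POSITIVE_SCHEMA = {
    ("GET", "/search"): {"q": re.compile(r"[\w\s\-]{1,64}")},
    ("GET", "/product"): {"id": re.compile(r"\d{1,10}")},
}


def negative_check(method, target):
    """Negative model: return the ids of deny-list signatures found in the path or any query value."""
    parts = urlsplit(target)
    candidates = [parts.path]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(values)  # parse_qs has already percent-decoded the values
    return [rule_id for rule_id, pattern in NEGATIVE_RULES.items()
            if any(pattern.search(c) for c in candidates)]


def positive_check(method, target):
    """Positive model: return violations of the endpoint's allow-list schema (default deny)."""
    parts = urlsplit(target)
    schema = POSITIVE_SCHEMA.get((method, parts.path))
    if schema is None:
        return ["unknown-endpoint"]
    params = parse_qs(parts.query, keep_blank_values=True)
    violations = []
    for name, values in params.items():
        if name not in schema:
            violations.append(f"unexpected-param:{name}")
            continue
        if not all(schema[name].fullmatch(v) for v in values):
            violations.append(f"bad-value:{name}")
    violations.extend(f"missing-param:{name}" for name in schema if name not in params)
    return violations


def inspect(method, target):
    """Combine both models: block if either flags the request, and report the reasons."""
    reasons = [f"negative:{r}" for r in negative_check(method, target)]
    reasons += [f"positive:{v}" for v in positive_check(method, target)]
    return {"action": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one classic injection, one that carries no
    # known-bad signature at all and is caught only by the positive model.
    for method, target in [
        ("GET", "/search?q=blue+shoes"),
        ("GET", "/search?q=x%27+UNION+SELECT+password+FROM+users"),
        ("GET", "/product?id=42&debug=1"),
    ]:
        print(method, target, "->", inspect(method, target))
```

The third sample request is the instructive one: nothing in it matches a signature, so a purely negative model would pass it, but the positive model rejects the undeclared `debug` parameter. The trade-off is that the positive schema must be kept in step with the application, which is why products pair it with learning or manual tuning rather than relying on it alone.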
Lastly, WAFs are transitioning from standalone tools into fully integrated Web Application and API Protection (WAAP) offerings that bundle a suite of capabilities: API protection, bot management and mitigation, application-layer (Layer 7) DDoS protection, web application security, and more.
Next-generation firewalls (NGFW) protect against unauthorized access to a computer network. An NGFW adds capabilities to a traditional network firewall, including antivirus, anti-malware, intrusion prevention, URL filtering, and certain application security capabilities.
An NGFW prevents unauthorized access by creating a secure zone and separating it from a less secure zone, using configuration and access control policies to control communications between the two zones.
An NGFW and a WAF protect against different types of threats and complement each other.
Just as a WAF relies on an NGFW or a network firewall to protect against attacks at network Layers 3 and 4, an NGFW requires a WAF/WAAP to provide more comprehensive protection of applications, to protect published and unlisted APIs, and to offer bot management capabilities.
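The complementarity described above can be made concrete by running a few flows through the two controls in sequence: the NGFW decides on zone, protocol and port (Layers 3 and 4) and never sees request content, while the WAF only sees the HTTP traffic the NGFW has already allowed into the web tier. This is an added illustration, not code from the original page or from any firewall vendor. The zone addresses, the policy tuples, the single stand-in WAF signature, and the flow records are all constructed for the example.

```python
import ipaddress
import re

# Constructed zone map: a DMZ holding the web tier and an internal network holding the
# database. Any address outside these networks is treated as the public internet.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
}

# NGFW policy: (src_zone, dst_zone, protocol, dst_port) tuples that are permitted.
# Anything not listed is denied, so the internet can never reach the database port directly.
NGFW_POLICY = {
    ("internet", "dmz", "tcp", 443),
    ("dmz", "internal", "tcp", 5432),
}

# A single deny-list signature stands in for the WAF's Layer 7 inspection in this example.
WAF_SIGNATURE = re.compile(r"(?i)\bunion\b.+\bselect\b")


def zone_of(ip):
    """Map an address to its zone; unknown addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def ngfw_decide(src_ip, dst_ip, proto, dst_port):
    """Layer 3/4 decision: zones derived from addresses, matched against the policy."""
    key = (zone_of(src_ip), zone_of(dst_ip), proto, dst_port)
    return "allow" if key in NGFW_POLICY else "deny"


def waf_decide(http_target):
    """Layer 7 decision on the (already decoded) request target."""
    return "block" if WAF_SIGNATURE.search(http_target) else "allow"


def process(flow):
    """Run a flow through the NGFW first; only HTTP flows that survive reach the WAF."""
    verdict = ngfw_decide(flow["src"], flow["dst"], flow["proto"], flow["dport"])
    if verdict == "deny":
        return {"stage": "ngfw", "action": "deny"}
    if "http_target" in flow:
        return {"stage": "waf", "action": waf_decide(flow["http_target"])}
    return {"stage": "ngfw", "action": "allow"}


if __name__ == "__main__":
    # Constructed flows. The third is the key case: at Layers 3 and 4 it is an ordinary
    # HTTPS connection to the web tier, so only the WAF can stop it.
    FLOWS = [
        {"src": "203.0.113.5", "dst": "10.10.0.8", "proto": "tcp", "dport": 443,
         "http_target": "/search?q=shoes"},
        {"src": "203.0.113.5", "dst": "10.20.1.9", "proto": "tcp", "dport": 5432},
        {"src": "203.0.113.5", "dst": "10.10.0.8", "proto": "tcp", "dport": 443,
         "http_target": "/search?q=x' UNION SELECT password FROM users"},
        {"src": "10.10.0.8", "dst": "10.20.1.9", "proto": "tcp", "dport": 5432},
    ]
    for flow in FLOWS:
        print(flow["src"], "->", flow["dst"], flow["dport"], process(flow))
```

The second flow is stopped by the NGFW without the WAF ever being involved, because a WAF is not positioned to see a raw database connection; the third passes the NGFW cleanly and is caught only by content inspection. Each control covers a gap the other cannot.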
| | WAF | NGFW |
|---|---|---|
| Focus | Web applications (OSI application layer) | Network protocols at Layers 3 and 4 of the OSI model; some NGFW add basic application protection capabilities |
| Function | Protects web-facing applications in internet-facing zones | Protects internal networks: separates networks into secure and less-secure zones and prevents unauthorized access to the secure zone |
| Capabilities | Web application protection against XSS and CSRF, API security, bot protection, API discovery | Protects DNS, FTP, SMTP, SSH, and Telnet; adds anti-virus, anti-malware and IPS capability and some application security |