A web application firewall, or WAF, is a security control that monitors, filters and blocks HTTP traffic to and from a web application or website. WAFs can be host-based, network-based or cloud-based, and are typically deployed as reverse proxies placed in front of one application or website, or in front of several.
WAFs can run as network appliances, server plugins or cloud services. Rather than inspecting individual packets, they parse each HTTP request and response and apply rules to application-layer (Layer 7) content such as URLs, headers, cookies and parameters, filtering out suspicious or dangerous traffic before it reaches the application.
Why Is WAF Security Important?
WAFs are important for a growing number of organizations that offer products or services online, including mobile app developers, social media providers and digital banking providers. A WAF can help you protect sensitive data, such as customer records and payment card data, and prevent its leakage.
Organizations usually store much of their sensitive data in a backend database that can be accessed through web applications. Companies are increasingly employing mobile applications and IoT devices to facilitate business interactions, with many online transactions occurring at the application layer. Attackers often target applications to reach this data.
Using a WAF can help you meet compliance requirements such as PCI DSS (the Payment Card Industry Data Security Standard), which applies to any organization handling cardholder data. PCI DSS requires that public-facing web applications be protected against known attacks, and an automated solution that detects and prevents web-based attacks, such as a WAF, is one accepted way of meeting that requirement. A WAF is thus a core component of an organization's application security model.
It is important to have a WAF, but it should be combined with other security measures, such as intrusion detection systems (IDS), intrusion prevention systems (IPS) and traditional network firewalls, to achieve a defense-in-depth security model. A WAF filters attack traffic; it does not remove the underlying vulnerability in the application, which still needs to be fixed.
Types of Web Application Firewalls
There are three primary ways to implement a WAF:
- Network-based WAF—usually a hardware appliance installed on the local network, close to the application, to minimize latency. This is the most expensive type of WAF and requires purchasing, housing and maintaining physical equipment.
- Host-based WAF—runs on the same server as the application, typically as a web-server module or application plugin, and can be integrated closely with the application. This option is cheaper than a network-based WAF and more customizable, but it consumes local server resources, is complex to implement and can be expensive to maintain. The host running it often needs to be hardened and customized, which takes time and money.
- Cloud-based WAF—an affordable, easily implemented solution that typically requires no upfront investment; users pay a monthly or annual security-as-a-service subscription, and the provider keeps the rules and signatures updated. Traffic is routed through the provider (usually by a DNS change) and the provider terminates TLS in order to inspect requests, so you are trusting a third party with your certificates and plaintext traffic as well as with managing the WAF. It is therefore important to ensure a cloud-based WAF offers enough customization to match your organization's business rules.
WAF Features and Capabilities
Web application firewalls typically offer the following features and capabilities:
| Feature | Description |
|---|---|
| Attack signature databases | Attack signatures are patterns that may indicate malicious traffic, including request types, anomalous server responses and known malicious IP addresses. WAFs used to rely predominantly on signature databases, which are less effective against new or unknown attacks and can be evaded by encoding or rewriting a known payload. |
| AI-powered traffic pattern analysis | Machine learning models build behavioral baselines for different types of traffic and flag deviations from those baselines as possible attacks. This can detect attacks that don't match any known malicious pattern, at the cost of more tuning to keep false positives down. |
| Application profiling | The WAF analyzes the structure of an application, including its typical requests, URLs, parameters, values and permitted data types, and then blocks requests that do not fit the learned profile. |
| Customization | Operators can define the security rules applied to application traffic, tailoring WAF behavior to their application and preventing legitimate traffic from being blocked. |
| Correlation engines | These analyze incoming traffic and correlate it against known attack signatures, the application profile, AI analysis and custom rules to decide whether it should be blocked. |
| DDoS protection platforms | A WAF can be integrated with a cloud-based platform that protects against distributed denial of service (DDoS) attacks. If the WAF detects a DDoS attack, it can divert the traffic to the DDoS protection platform, which is sized to absorb a large volume of attack traffic. |
| Content delivery networks (CDNs) | Because WAFs sit at the network edge, a cloud-hosted WAF can also act as a CDN, caching the website to improve its load time. The CDN is deployed on several globally distributed points of presence (PoPs), so users are served from the closest one. |
A WAF can be built into server-side software plugins or hardware appliances, or offered as a service that filters traffic. WAFs protect web apps from malicious or compromised clients and function as reverse proxies in front of the server (as opposed to a forward proxy, which sits in front of users and protects them from malicious websites).
A WAF enforces security by intercepting and examining every HTTP request before it reaches the application. Suspect clients can be challenged using a variety of techniques, such as device fingerprinting, input device analysis and CAPTCHA challenges, and requests from clients that fail those checks can be blocked.
WAFs are pre-loaded with security rules that detect and block many known attack patterns; these typically cover the OWASP Top 10 web application risks maintained by the Open Web Application Security Project (OWASP), such as SQL injection and cross-site scripting, often through a rule set such as the OWASP Core Rule Set (CRS).
In addition, the organization can define custom rules and security policies that match its application's business logic. Configuring and tuning a WAF so that it blocks attacks without also blocking legitimate traffic requires expertise and ongoing effort as the application changes.
WAF Security Models
WAFs can use a positive or negative security model, or a combination of the two:
- Positive security model—the positive WAF security model uses an allowlist (whitelist) that filters traffic according to a list of permitted elements and actions, such as known URLs, methods, parameters and value formats; anything not on the list is blocked. The advantage of this model is that it can block new or unknown attacks that the developer didn't anticipate. The drawback is that the allowlist must be kept in sync with the application: every new page, parameter or value shape has to be profiled, or legitimate traffic is blocked (a false positive).
- Negative security model—the negative model uses a blocklist (or denylist) of attack signatures that only blocks specific items; anything not on the list is allowed. This model is easier to implement, but it cannot guarantee that all threats are addressed, and it requires maintaining a potentially long list of malicious signatures. Attackers also try to evade signatures with alternative encodings and syntax, so the WAF must decode and normalize each request before matching. The level of security depends on the coverage and freshness of the signature set.
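To make the two models concrete, here is an added example (written for this page; it is not Imperva's code or that of any product): a small Python rule engine that parses a raw HTTP request, runs it through a denylist of three illustrative signatures (negative model), an allowlist profile for a hypothetical shop (positive model), and a correlation step that combines the two into one verdict. It also illustrates the application profiling, custom rule and correlation features from the table above. The signatures, the profile and the sample requests are all constructed for the demonstration.

```python
"""Toy WAF rule engine contrasting the negative (denylist) and positive
(allowlist / application-profile) security models.

Added example for this article, not Imperva's or any product's code.
The request format, signatures and application profile are all
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Negative model: a denylist of attack signatures (three illustrative
# patterns, not a production signature set). Anything not matched passes.
SIGNATURES = {
    "sqli-union": re.compile(r"(?i)\bunion\b[\s/*]+\bselect\b"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
}

# Positive model: an application profile (constructed for a hypothetical
# shop). Only listed paths, methods and parameter shapes are permitted.
PROFILE = {
    "/login": {"methods": {"POST"},
               "params": {"user": r"[\w.@-]{1,64}", "pw": r".{8,128}"}},
    "/products": {"methods": {"GET"},
                  "params": {"id": r"\d{1,9}", "sort": r"(price|name)"}},
}


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request into method, path and decoded parameters.

    Decoding happens here, before any rule runs, so that %-encoded or
    '+'-encoded payloads cannot slip past the signatures.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qs(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return {"method": method, "path": url.path, "params": params}


def negative_model(req: dict) -> list[str]:
    """Return the IDs of signatures matched in the path or any parameter value."""
    haystacks = [req["path"]] + [v for values in req["params"].values() for v in values]
    return [sig_id for sig_id, pattern in SIGNATURES.items()
            if any(pattern.search(h) for h in haystacks)]


def positive_model(req: dict) -> list[str]:
    """Return profile violations; an empty list means the request is allowed."""
    rule = PROFILE.get(req["path"])
    if rule is None:
        return [f"path {req['path']} not in profile"]
    violations = []
    if req["method"] not in rule["methods"]:
        violations.append(f"method {req['method']} not allowed on {req['path']}")
    for name, values in req["params"].items():
        shape = rule["params"].get(name)
        if shape is None:
            violations.append(f"unexpected parameter {name}")
        elif not all(re.fullmatch(shape, v) for v in values):
            violations.append(f"parameter {name} does not match {shape!r}")
    return violations


def evaluate(raw: str, model: str = "hybrid") -> dict:
    """Correlation step: combine the chosen model(s) into one block/allow verdict."""
    req = parse_request(raw)
    sig_hits = negative_model(req) if model in ("negative", "hybrid") else []
    violations = positive_model(req) if model in ("positive", "hybrid") else []
    return {"blocked": bool(sig_hits or violations),
            "signatures": sig_hits, "violations": violations}


# Constructed sample requests (not captured traffic).
LEGIT = "GET /products?id=42&sort=price HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = ("GET /products?id=42%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\r\n"
        "Host: shop.example\r\n\r\n")
NOVEL = "GET /products?id=42&debug=../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"
NEW_FEATURE = "GET /wishlist?id=7 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
TAUTOLOGY = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=alice&pw=%27%20OR%20%271%27%3D%271")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("sqli", SQLI), ("novel", NOVEL),
                       ("new-feature", NEW_FEATURE), ("tautology", TAUTOLOGY)]:
        for model in ("negative", "positive", "hybrid"):
            print(f"{label:12} {model:8} -> {evaluate(raw, model)}")
```

Running it shows each model's blind spot. The negative model catches the two SQL injection payloads but lets the unprofiled `debug=../../etc/passwd` parameter through because no signature describes it. The positive model blocks that novel request, yet it also blocks the legitimate `/wishlist` page added after the profile was built (a false positive) and waves the tautology through because a password field has to accept arbitrary characters. Only the combined verdict blocks every attack, and it still needs the profile updated to stop the false positive, which is the maintenance cost of the positive model in practice. Note also that decoding happens in `parse_request` before any rule runs, so the URL-encoded payloads are matched in their decoded form.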
WAF with Imperva
Imperva provides an industry-leading Web Application Firewall, which prevents attacks with world-class analysis of web traffic to your applications.
Beyond WAF, Imperva provides comprehensive protection for applications, APIs, and microservices:
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.