A Web Application Firewall (WAF) is a specialized security solution that shields a web application from the internet, safeguarding the server by detecting and blocking malicious HTTP and HTTPS traffic to and from a web service.
When properly configured and enabled, a WAF prevents application-layer (Layer 7) attacks that exploit web application vulnerabilities, including those listed by OWASP, such as SQL injection, cross-site scripting (XSS), and HTTP protocol violations.
WAFs often function as reverse proxies between the internet and protected web applications. However, you can also deploy WAFs in various configurations, including inline, cloud-based, or on-premises, to suit specific security requirements. Regardless of the deployment method, a WAF inspects all incoming traffic before it reaches application servers, creating a protective shield against potential threats.
WAFs come in different forms to suit your needs:
Software: Installed directly on your web server or integrated into your application code, giving you flexibility and cost savings.
Appliances: These are purpose-built hardware devices easily deployed and managed. Appliances provide dedicated processing power for handling high traffic spikes.
As-a-Service: Provided by third-party vendors, these protect your web apps without needing hardware on your premises. They handle all the maintenance for you and scale as your traffic grows.
A WAF's primary function is to analyze HTTP conversations between clients and servers. This analysis examines vital components such as headers, bodies, and query parameters across all request types. The WAF identifies HTTP traffic that matches known attack patterns or violates established security rules. It then proactively blocks dangerous requests before they reach the application, thus safeguarding web apps.
WAFs don’t protect against all types of threats and attacks; instead, they are one crucial element of a wider suite of tools used to protect websites and apps. The rules determining what traffic is deemed safe and what is malicious — in other words, what kind of traffic a WAF will allow or block — are called “policies.”
Each company or person using a WAF can customize policies to their unique requirements. Policies can be updated quickly and even automatically. This is one of the advantages of a WAF: because policies can be modified easily, there can be a faster response to various types of attacks.
WAFs typically employ various detection approaches to enforce these policies:
Regular Expressions (Regex): Identify specific patterns within the traffic, enabling effective detection and blocking of malicious inputs.
Scoring Models: These models assign risk scores to incoming traffic based on predefined criteria. The WAF evaluates these scores to determine whether to allow, block, or further inspect the traffic, enabling a more nuanced response to potential threats.
SmartParse: This sophisticated method analyzes complex data structures within requests, helping to identify advanced attack patterns that might evade simpler detection techniques. It enhances the WAF's capability to detect and prevent sophisticated threats.
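The regex-plus-scoring policy described above, as an added example (not Fastly's code or any vendor's rule format): each rule is a regular expression with a risk score, the request's headers, query parameters and form body are inspected, and the summed score decides allow, further inspection, or block. Rule names, patterns, and thresholds are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    score: int

# Hypothetical policy: each regex rule carries a risk score. Scores add up per
# request; the thresholds below are constructed values, not a vendor default.
POLICY = [
    Rule("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), 5),
    Rule("sqli-comment", re.compile(r"(--|/\*)\s*$"), 3),
    Rule("xss-script-tag", re.compile(r"<\s*script\b", re.I), 5),
    Rule("path-traversal", re.compile(r"(\.\./){2,}"), 3),
]
BLOCK_THRESHOLD = 5      # score at or above this -> block
INSPECT_THRESHOLD = 1    # score at or above this -> log for further inspection

def extract_fields(target, headers, body):
    """Flatten request headers, query parameters and a form body into
    (location, value) pairs, decoding percent-encoding as the app would."""
    fields = [("header:" + k.lower(), v) for k, v in headers.items()]
    query = urlsplit(target).query
    for k, vals in parse_qs(query, keep_blank_values=True).items():
        fields += [("query:" + k, v) for v in vals]
    for k, vals in parse_qs(body, keep_blank_values=True).items():
        fields += [("body:" + k, v) for v in vals]
    return fields

def inspect(target, headers, body=""):
    """Score one request against POLICY and return (decision, score, matches)."""
    matches, total = [], 0
    for location, value in extract_fields(target, headers, body):
        for rule in POLICY:
            if rule.pattern.search(value):
                matches.append((rule.name, location))
                total += rule.score
    if total >= BLOCK_THRESHOLD:
        return "block", total, matches
    if total >= INSPECT_THRESHOLD:
        return "inspect", total, matches
    return "allow", total, matches
```

Two low-score matches in one request add up to a block, which is the nuance a scoring model gives over a single regex hit.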
By now, you're familiar with what WAF technology is and how it operates. Occasionally, you'll probably come across other terms like NGFW. Understanding the differences between these tools helps you select the best solution for your security needs. Let's take a look at each term to clear up any confusion:
WAF (Web Application Firewall): Inspects each request in real time, operating between your web servers and incoming traffic. This real-time inspection blocks common exploits and suspicious activity before they reach your apps. While WAFs are often deployed as reverse proxies, you can configure them in a number of ways to suit different security needs.
NGFW (Next-Generation Firewall): A next-gen firewall combines the functions of traditional stateful firewalling and more advanced features into one device. In addition to port/address filtering, it can identify traffic based on usage patterns rather than just ports. It also uses threat intelligence from the vendor's global network and can inspect encrypted traffic.
To sum up, while WAFs focus on protecting your web applications, NGFW solutions provide a comprehensive approach to network security with advanced features. Since each takes a different approach, they can be combined to provide extensive coverage across your entire infrastructure and prevent threats coming from multiple directions.
WAFs can be implemented in three primary ways: on-premises, cloud, and hybrid. Let’s examine each approach in more detail.
On-premises WAFs, also known as appliance WAFs, remain common. Originally, all WAFs were on-premises, and many companies still rely on them to protect workloads, particularly older or legacy apps.
Cloud-based WAFs, hosted by vendors, offer a convenient and quick way to provide WAF protection. These solutions have gained popularity due to their ease of deployment and ability to block threats without on-premises software management. Organizations with limited in-house IT resources or those lacking full infrastructure oversight find cloud-based WAFs ideal. By adopting a cloud WAF, companies can reduce costs related to software management while ensuring robust protection for their applications and APIs.
Edge deployment positions the WAF at the edge of a content delivery network (CDN) or closer to the traffic origin. This strategic placement blocks threats before they reach the network, providing an additional security layer. WAF deployment at the edge is particularly beneficial for reducing latency, as it inspects and filters traffic closer to users, improving overall performance while safeguarding web applications from potential threats.
Hybrid WAFs combine on-premises and cloud-based deployments, providing visibility into web requests directed at apps and APIs in any environment.
Hybrid deployments enable companies to protect both legacy applications that have not been adapted to the cloud and modern distributed applications. This deployment model leverages the mixture of on-premises and cloud to feed production security telemetry to a central management console. This provides a view across all WAF production deployments in easy-to-consume dashboards and reports.
Ideally, regardless of deployment method, the WAF vendor also provides an API that customers can use to feed security data and indicators to third-party security information and event management (SIEM) or security orchestration, automation and response (SOAR) tooling.
Web Application and API Protection (WAAP) is a term used to describe cloud-based services designed to protect web applications and APIs. They defend your web apps and APIs from a wide variety of attacks. A WAAP should inspect web requests effectively before they reach the app or API endpoint.
A WAAP focuses only on the application layer (Layer 7) of the OSI model, and resides at the outer edge of a network. Cloud WAAP services typically include bot mitigation, WAF, API protection, and DDoS protection.
A WAF is a crucial part of a comprehensive security strategy. While not a silver bullet, it can be beneficial in various contexts. Here are some top situations where deploying a WAF makes a lot of sense:
The OWASP Top 10 highlights web applications' most critical security risks, including injection flaws that could overwrite data or expose sensitive information. A WAF actively monitors traffic for signs of attacks exploiting vulnerabilities like XSS and SQL injection, evaluating each request in real time against extensive rulesets of known exploits.
Launching a new public-facing application brings risk: vulnerabilities may surface in production while your team is still fixing bugs. A WAF lets you monitor all web traffic closely and spot anomalies or attacks quickly in real time. Its filters block malicious actors before they can compromise your new application's data.
Stolen credentials are a huge risk for any organization. Once compromised, they can be used repeatedly to access accounts on many platforms. A WAF inspects each request for suspicious patterns that may signal someone is trying to guess account credentials. Through customized rate-limiting filters, it identifies and blocks IP addresses engaging in brute force attempts after multiple failed logins.
Businesses handling sensitive customer information must comply with standards like PCI DSS to protect data. PCI DSS 4.0 mandates implementing a WAF for securing web-facing applications. Auditors conduct regular security assessments to evaluate attack detection and prevention measures. A WAF generates auditable evidence of real-time traffic monitoring and known exploit blocking. This approach demonstrates compliance to auditors and protects your organization from data breach liability.
Fine-tuned rate limiting prevents brute-force login attempts and blocks malicious file uploads. A WAF allows granular traffic rules that curb unauthorized access attempts, such as failed logins from an IP after successive tries. Its filters ensure your applications remain responsive under heavy loads by slowing down or blocking anomalous traffic spikes from specific sources.
While not a true DDoS mitigation solution, a WAF can still catch early signs of distributed attacks. By analyzing traffic patterns, it identifies abnormal behaviors, such as unusually high volumes of requests targeting specific URLs. Its filters then block traffic from identified sources to immediately mitigate attack vectors. With the WAF diverting malicious traffic, your web servers are protected from being overwhelmed, buying time for specialized DDoS protection to be enabled by your team.
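The failed-login rate limiting described in the credential and rate-limiting passages above, as an added example that is not Fastly's code: a per-IP sliding window that blocks a source after a set number of failures inside a time window, with the same counting mechanism that the traffic-spike passage applies to per-URL request volumes. Thresholds, IP addresses, and log records are constructed for illustration.

```python
from collections import defaultdict, deque

class LoginRateLimiter:
    """Block a source IP after max_failures failed logins inside window_s seconds."""
    def __init__(self, max_failures=5, window_s=300, block_s=900):
        # Constructed policy values, not a vendor default.
        self.max_failures, self.window_s, self.block_s = max_failures, window_s, block_s
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def check(self, ip, now):
        """Decision for an incoming request before the app sees it."""
        if ip in self._blocked_until:
            if now < self._blocked_until[ip]:
                return "block"
            del self._blocked_until[ip]       # block expired: start fresh
            self._failures.pop(ip, None)
        return "allow"

    def record(self, ip, success, now):
        """Feed the login outcome back in; a success clears the window."""
        if success:
            self._failures.pop(ip, None)
            return "allow"
        window = self._failures[ip]
        window.append(now)
        while now - window[0] > self.window_s:  # drop failures outside the window
            window.popleft()
        if len(window) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_s
            return "block"
        return "allow"

def replay(limiter, events):
    """Run (timestamp, ip, http_status) login records through the limiter."""
    decisions = []
    for ts, ip, status in events:
        if limiter.check(ip, ts) == "block":
            decisions.append("block")
        else:
            decisions.append(limiter.record(ip, status == 200, ts))
    return decisions

# Constructed sample log: one client failing repeatedly, one normal user.
SAMPLE_EVENTS = [
    (0, "203.0.113.9", 401), (10, "203.0.113.9", 401), (20, "198.51.100.4", 200),
    (30, "203.0.113.9", 401), (40, "203.0.113.9", 401), (50, "203.0.113.9", 401),
    (60, "203.0.113.9", 200), (1000, "203.0.113.9", 401),
]
```

Keying only on source IP means a busy NAT or proxy can trip the threshold for every user behind it, so production policies usually add the username or a client fingerprint as a second key.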
When choosing a WAF provider, it is essential to select one with global coverage, powerful detection, and integration capabilities tailored to modern infrastructure. Fastly's Next-Gen WAF is designed from the ground up with these features in mind. As the world's largest global edge cloud platform, it sits within milliseconds of users worldwide.
This strategic positioning allows Fastly to protect websites and applications faster than traditional WAFs. Inspecting traffic close to end users limits how far threats can penetrate, helping to block attacks before they ever reach the origin servers.
Among its key benefits, Fastly's Next-Gen WAF provides:
Comprehensive protection: Fastly detects and blocks the OWASP Top 10 web application vulnerabilities and custom threats you define through simple rules.
Rapid response times: With its global network of POPs, Fastly's Next-Gen WAF ensures ultra-low latency inspection for exceptional user experience, even during attacks.
Flexible configuration: You can customize rules, response pages, and more via Fastly's user-friendly interface without relying on lengthy change windows.
Real-time analytics: Thanks to Fastly's dashboard and API for proactive issue identification, you benefit from valuable insights into traffic and security events.
Seamless integration: Fastly's Next-Gen WAF works transparently with its CDN and edge computing services for unified security, performance, and delivery capabilities.
Learn more about how the Fastly Next-Gen WAF can provide advanced protection for your applications, APIs, and microservices with flexible deployment options and cutting-edge detection capabilities.