
What is WAF?

A Web Application Firewall is a security component that lives in front of a web application, and inspects inbound traffic to web applications to prevent malicious requests from exploiting vulnerabilities.

Simon Wijckmans
Founder & CEO

In the network stack, a WAF operates at Layer 7 of the OSI model, the application layer, which gives it visibility into the full HTTP request (method, path, headers and body) rather than only packet headers. To inspect encrypted traffic it has to terminate TLS (or sit behind a proxy that does), so the WAF sees plaintext requests and, in the terminating case, holds the server's certificate and private key. Each request is then matched against a list of rules describing attack patterns. Such rules target common attack methods, including SQL injection, cross-site scripting (XSS) payloads, file inclusion and path traversal and, in some rulesets, cross-site request forgery (CSRF).

Maintaining strong rules is the most valuable part of a WAF. Rule quality varies significantly between vendors and is ultimately the key intellectual property difference between them. Most WAFs use a negative security model (a blocklist): every request is considered legitimate unless a specific rule is triggered, which also means an attack no rule describes passes through. Some vendors add machine learning to generalise beyond exact signatures, flagging requests that resemble known attack patterns without matching a hand-written rule.

Despite their benefits, web application firewalls involve trade-offs. Inline inspection adds latency to every request. Many WAFs also inspect only the first part of a request body (typically a fixed number of kilobytes); anything beyond that window passes uninspected unless the WAF is configured to reject oversized requests. This can create a false sense of security: an attacker who knows the limit can pad a request so that the malicious payload lands past the inspected window and slips through unnoticed.
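To make the rule matching, the negative security model and the body-size caveat concrete, here is an added, deliberately small WAF-style inspector. It is example code written for this page, not code from c/side or from any WAF vendor. The rules, the `Request` shape, the 8 KB inspection window and the sample requests are all constructed assumptions; real rulesets are far larger and normalise input much more carefully (multiple decoding passes, charset handling, JSON and multipart parsing).

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed rules in the style of a negative security model: every request is
# allowed unless one of these patterns matches. Real rulesets are much broader.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("lfi-traversal", re.compile(r"(\.\./|\.\.\\)")),
]


@dataclass
class Request:
    method: str
    path: str
    query: str
    body: bytes


@dataclass
class Verdict:
    blocked: bool
    matched: list  # ids of the rules that fired


def inspect(req, body_limit=None, oversize="pass"):
    """Match a request against RULES.

    body_limit mimics WAFs that only examine the first N bytes of a body.
    oversize="pass" lets the uninspected remainder through (the risky default
    this example illustrates); oversize="block" fails closed instead.
    """
    if body_limit is not None and len(req.body) > body_limit:
        if oversize == "block":
            return Verdict(blocked=True, matched=["oversize-body"])
        body = req.body[:body_limit]
    else:
        body = req.body
    # Single percent-decoding pass so %27%20OR... is seen as ' OR...
    surface = unquote("\n".join([req.path, req.query, body.decode("utf-8", "replace")]))
    matched = [rule_id for rule_id, rx in RULES if rx.search(surface)]
    return Verdict(blocked=bool(matched), matched=matched)


def demo():
    """Run constructed requests through the inspector and report verdicts."""
    benign = Request("GET", "/search", "q=chargeback+fraud", b"")
    sqli = Request("GET", "/items", "id=1%27%20OR%20%271%27=%271", b"")
    xss = Request("POST", "/comment", "", b"text=<script>alert(1)</script>")
    # Filler pushes the payload past an 8 KB inspection window.
    padded = Request("POST", "/comment", "",
                     b"pad=" + b"A" * 10_000 + b"&text=<script>alert(1)</script>")
    return {
        "benign": inspect(benign).blocked,                                   # False
        "sqli": inspect(sqli).blocked,                                       # True
        "xss": inspect(xss).blocked,                                         # True
        "padded_full_inspection": inspect(padded).blocked,                   # True
        "padded_8k_window_pass": inspect(padded, 8192).blocked,              # False: bypassed
        "padded_8k_window_block": inspect(padded, 8192, "block").blocked,    # True: fail closed
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:28s} blocked={blocked}")
```

The last two results are the point of the caveat above: with an inspection window and a "pass" policy, the identical XSS payload that was blocked when fully inspected is allowed once it is padded past the window. Configuring the WAF to reject (or route for full inspection) any request larger than what it can examine closes that gap, at the cost of refusing legitimately large uploads on that path.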

Many WAFs, especially request-only edge services, do not inspect server responses (egress) at all, and those that can often have it disabled for performance reasons. If this is not planned for, a malicious request that succeeds can leak sensitive data in the response without the WAF ever seeing it. A WAF also has no visibility into what happens client-side: it sees the HTTP exchange, not the JavaScript that executes in the user's browser.

Web application firewalls can be deployed in many ways: as physical or virtual appliances, as managed services hosted on public cloud platforms, as services running on edge runtimes, or, more recently, embedded directly into an application through an SDK or middleware.

Security is all about layering. A WAF does not magically solve security risks; it can, however, be a good layer in the security defence of a web application, provided its limitations (latency, inspection limits, no response or client-side visibility) are understood and covered elsewhere.

In fact, industry compliance frameworks recommend or require one. PCI DSS, for example, addresses this in requirement 6.6 (v3.2.1) and 6.4.2 (v4.0), which call for an automated technical solution such as a WAF in front of public-facing web applications.
