WAF. A Knight in Shining Armor

Today we continue the blog series dedicated to various types of firewalls. In the first post we described basic categories of firewalls, gave a firewall mode overview and stated advantages and potential drawbacks of the types mentioned. In this post we will talk in detail about Web Application Firewall – WAF.


Each year more and more organizations move their operations to websites and web applications and maintain their information in the cloud, inevitably exposing sensitive data to sophisticated cyber attacks. To protect applications and stay compliant with regulatory requirements many companies implement Web application firewalls.

WAFs address threats attacking enterprise’s custom web applications and data. They include protection techniques designed specifically for web security. Traditionally WAF is the most effective tool for protecting organization’s internal and public-facing applications. Web applications can be deployed locally (on-premises) or remotely (hosted, cloud, or as a service). WAFs are aimed at blocking hacking attempts, monitoring access to web applications and collecting logs for compliance, auditing and analytics.


What is WAF?

WAF is different from traditional network firewall, NGFW (Next Generation Firewall) and IPS (Intrusion Prevention System). It provides protection at more granular level. It protects web servers and enterprise’s specific web applications against attacks at the application layer and nonvolumetric attacks at the network layer. It also identifies and patches “self-inflicted” vulnerabilities in custom-developed applications. Customization of rules to a given application allows to identify and block many attacks. WAFs are able to prevent XSS (Cross-site Scripting), SQL injection, session hijacking, buffer overflow, RFI (Remote File Inclusion), and cookie poisoning. They may also include protection techniques against DDoS (Distributed Denial of Service) attacks. Additionally some WAFs protect against directory traversal, forced URL browsing, etc.

Threat Vectors

Web applications are vulnerable to many threats, that are not always recognized by regular network firewalls, NGFWs and IPSs. The most common attacks are as follows:


SQL Injection attacks are used by malicious users as a way to obtain access to restricted data or to embed malicious code onto a web server. This technique triggers the back-end database to execute the injected commands and allow unauthorized users to gain access to sensitive information contained in the database. In case of embed malicious code the infected web server will spread malware to unsuspecting clients.

Cross-site Scripting (XSS)

Cross-site Scripting attacks enable a wrong-doer to obtain sensitive information, or compromise a web server. The attacker inserts Javascripts in the pages of a trusted site and alters its content. Then the vulnerable website is used as a vehicle to deliver malicious script to the victim’s browser. The attacker exploits the trust a user has for a website.

Cross-site request forgery (CSRF)

Cross-site request forgery attacks force end users to make information alterations they did not intend. It can be updating personal data, posting content, or initiating false transactions. An attacker provokes a user to transmit a malicious HTTP request, including the victim’s session cookie, to a target application or website. The vulnerable website trusts it without the user’s consent. In this case the attacker exploits the trust a website has against a user’s browser.

Sensitive Data Exposure

In case a web application does not properly protect sensitive data in transport and at rest, attackers can steal or manipulate the data to conduct identity theft, credit card fraud, or other crimes. This type of vulnerability deals with lack of encryption of sensitive data, such as credit card numbers, authentication credentials, Social Security Numbers (SSN), tax Ids, etc.

Directory Traversal

Directory Traversal attacks allow to access restricted files and directories and execute commands outside of the web server’s root directory. An attacker manipulates a URL in such a way that the website reveals the confined files on the web server.

WAF Deployment

WAF can be run as physical, virtual or software appliance, server plug-in or cloud-based service. In the current moment cloud services are mainly suitable for small and midsize businesses (SMBs), while large enterprises are more likely to invest in purpose-built physical or virtual appliances.

WAF can be deployed in front of a web server or integrated directly on a web server. Most often a WAF is deployed in-line, as a reverse proxy, but also can be deployed in bridge mode, mirror mode (being positioned out of band) or act as a transparent proxy. In case of mirror mode deployment a WAF is working on a copy of the network traffic.

Each WAF deployment is different based on a use-case. It depends on primary goal of the technology implementation – whether it is used for virtual patching, HTTP audit logging, tracking sensitive data or application vulnerability identification. For some WAFs hybrid deployment mode is available offering in-line deployment combined with deploying sensors out-of-line to collect audit data and then communicate with agent application installed on a specific web server. Many WAF products support not only single but also multiple web server deployments.

How does WAF work?

Operating on application level, WAF functions as a flexible barrier between end users and applications. It monitors and filters both in-bound and out-bound HTTP traffic and blocks activity that contradicts with configured set of security rules. A WAF intercepts and analyzes every HTML, HTTPS, SOAP and XML-RPC data packet. Inspecting data traffic for unfamiliar patterns allows to detect and block new unknown attacks. This way WAF provides capabilities beyond those offered by NGFW and IPS, which cover only known vulnerabilities.

Integration with Other Security Technology

WAF integrates with other information security technology, such as application vulnerability scanners, DDos protection appliances, database security solutions, web fraud detection, SIEM (Information and Event Management). Consolidation of WAFs with other security technology allows to maximize the detection and threat blocking rate for known and new evolving threats. Fine-tuned customization minimizes false positives and ensures accurate anomaly detection. This ultimately helps to mitigate risks and significantly minimize enterprise’s attack surface.

WAF Limitations

With all the benefits that WAF can offer come difficulties in deployment and ongoing software management. To provide expected level of application and data security WAF should be effectively deployed and managed. This involves appropriate maintaining of firewall policies and customization of security rules, which in turn demands advanced level of WAF administrators’ skills.

There are issues that draw attention in the process of WAF deployment and implementation:

Ineffective Policies. Firewall policies and capabilities obviously should keep pace with new emerging threats, which is not always the case. Another problem is the lack of information and documentation on which policies are effective, so users have to put extra effort and time in figuring out what’s working and how to improve.

Customization of Security Rules. It takes time to determine all the necessary rules to block or allow traffic passing through the applications. Rules are also have to be kept constantly updated as code changes and new functionality emerges. Blocking legitimate requests creates false positives leading to a malicious attack going ignored in this pool of irrelevant alerts.

Skills Gap. Customers often struggle to keep existing devices up and running since not all organizations have in-house skills to use a WAF correctly and effectively. Outsourcing WAF management is not always the best decision either. When choosing a WAF deployment, especially for compliance needs, administrators have to prioritize critical features which are best suited for the organization’s current needs. After deployment and configuration process the WAF requires team’s high technical proficiency to function efficiently and add sustainable value to the enterprise’s security system.

Moving Operations to the Cloud. As more and more companies are moving their applications and data into public cloud infrastructure, they inevitably have to migrate Web Application Firewall and associated policies to this new and fundamentally different architecture. The problem is that not all vendors provide sustainable substitution for the on-premises appliance, or they can be unable to offer the APIs an organization needs to realize deployment scenario in the dynamic cloud environment.


Web application firewalls are a common security tool used by enterprises to protect web applications against malicious exploits, impersonation, known vulnerabilities and new evolving threats as well as to identify self-inflicted vulnerabilities of custom-developed applications. It also helps to meet compliance requirements. And while this technology is definitely a must for companies aiming at securing their web resources, it is not sufficient when it comes to database security.


In our upcoming posts we will discuss Database Access Firewall and why Web Application Firewall alone is not able to completely secure databases.


    Read the entire firewall series:

  1. Fifty Shades of Firewall
  2. WAF. A Knight in Shining Armor
  3. Save the Database from the Dragon
  4. WAF + DAF = Happily Ever After