You might come across the concept of a web application firewall (WAF) and not think much of it. After all, it’s easy to assume it’s something you don’t need or that is already part of your hosting package. However, there’s a bit more to it than that. 

In fact, it’s important to understand precisely what a WAF is so you can decide if it’s a good idea for you. 

Today, we’ll explain all the finer details of web application firewalls. We will provide a definition, explain their benefits, the different types available, as well as how to select one should you decide to get one.

What is a Web Application Firewall (WAF) and What Does It Do?

Image source: Ricardo Gomez Angel/Unsplash

A web application firewall (WAF) is a security system that filters and monitors HTTP traffic to a website or web application. Its purpose is to block malicious requests, such as attack attempts and unwanted bots, while allowing legitimate requests through. 

In other words, a WAF is like a security guard for your website. It does not check who each visitor is (that is the job of authentication); it inspects what each visitor is carrying, that is, the URL, headers, query string and body of every request, and turns away requests that look like an attack. 

WAFs can be either hardware- or software-based. They are usually deployed as a reverse proxy, an additional layer between your website and the Internet, so they can intercept and inspect traffic before it reaches your site. 

Schematic: firewall as protection against DDoS attacks. Source: Cloudflare

Most WAFs use a set of directives, also known as a rule set, to determine which traffic they allow through or block. Each rule matches on some part of the HTTP request (the path, a header, a query or form parameter) and carries an action such as block, allow or log. These rules are generally created by the WAF vendor based on common attack patterns. Most WAFs also allow you to create custom rules for your own application. 

What’s the Difference Between a Web Application Firewall and a Network Firewall? 

A WAF is different from a network firewall in that it is meant specifically to protect web applications. A network firewall works at the network and transport layers, filtering on IP addresses, ports and protocols, and aims to protect an entire network. It can be either hardware- or software-based. 

While both types of firewalls filter traffic, a WAF works at the application layer: it understands HTTP and can inspect the content of web requests for malicious activity rather than just where they come from and which port they target. That lets it block specific types of application attacks, such as SQL injection and cross-site scripting (XSS), which look like ordinary port-443 traffic to a network firewall. 

Benefits of Using a WAF

With key definitions and distinctions in mind, you’re probably wondering what’s so beneficial about using a web application firewall. There are actually five key benefits worth noting: 

  • Improved security: By keeping out malicious traffic, a WAF adds a layer of defense in front of your website or web application.
  • Reduced risk of attacks: By blocking known attack patterns, a WAF reduces the chance that an attack on a vulnerable page succeeds, and buys time to fix the underlying vulnerability.
  • Improved compliance: Depending on your industry, you may be required to comply with certain security standards, such as PCI DSS. A WAF can help you to meet these standards.
  • Manageable false positives: Many WAFs include features that help you tune out false positives, such as a detection-only (logging) mode, per-rule exceptions for specific URLs or parameters, and anomaly scoring with an adjustable threshold. This means that you are less likely to block legitimate traffic once the WAF is tuned.
  • Peace of mind: Knowing that your website or web application has another layer of protection can give you peace of mind. It’s basically one less thing to worry about. 

Of course, there’s more to the world of web application firewalls than just a few key features and benefits. There are several types to be aware of as well. 

Types of Web Application Firewalls

There are three main types of web application firewalls that you’ll need to be familiar with before making any purchasing decisions. 

1. Network-based WAFs

A network-based WAF is deployed as an additional layer between your website and the Internet. It inspects traffic as it passes through this layer.

Network-based WAFs are usually hardware-based, which means they require a physical device. However, there are some software-based solutions available. 

2. Cloud-based WAFs

A cloud-based WAF is a type of web application firewall that resides in the cloud. It inspects traffic as it passes through the cloud provider’s network. 

Cloud-based WAFs are usually managed by the provider. This means that they are usually easier to set up and manage than other types. 

3. Host-based WAFs

A host-based WAF is located on the same server as your website or web application. It inspects traffic that moves through the server. 

Host-based WAFs are usually software-based, which means you can add them to any type of server. However, they may require more configuration and management than the two other types mentioned here.

So that’s the three primary types of WAFs, but what about how they operate? That’s what we’ll be discussing next. 

WAF Models of Operation

Image source: Michał Jakubowski/Unsplash

Just as there were three main types of WAFs, they actually work in three distinct ways as well. These are typically referred to as their model of operation:

  1. The positive security model, also known as the allowlist model, only permits traffic that has specifically been described as legitimate by the rule set (for example, which endpoints exist and what format each parameter may take). This type of WAF is more restrictive: it can stop attacks nobody has written a signature for, but it needs an accurate profile of the application and must be updated whenever the application changes, or it will block legitimate traffic. 
  2. The negative security model, also known as the blocklist model, allows all traffic except what is specifically blocked by the rule set. This type of WAF is less restrictive and easier to deploy, and is less likely to block legitimate traffic, but it only catches attacks that match a known pattern and can be bypassed by payloads the signatures do not cover. 
  3. The hybrid security model is a combination of the positive and negative security models. It allows traffic that has been specifically allowed and blocks traffic that has been specifically blocked, with the balance between the two set by whoever configures the system.
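To make the rule sets described above and the three models concrete, here is an added example in Python. It is not code from the original article or from any WAF vendor: the request shape, the rule IDs, the signature patterns and the endpoint profile are all constructed for illustration and are far simpler than a production rule set. It shows how the same request fares under a blocklist of SQL injection, XSS and path-traversal signatures, under an allowlist profile of the application, and under a hybrid that uses the allowlist where a profile exists and falls back to signatures elsewhere.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    """Minimal parsed request (constructed shape; a real WAF sees the raw HTTP message)."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


# Negative model: a blocklist of attack signatures, the kind of rule a vendor ships.
# Rule IDs and patterns are illustrative only and are not taken from any real rule set.
NEGATIVE_RULES: List[Tuple[str, re.Pattern, str]] = [
    ("SQLI-1", re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"), "SQL injection"),
    ("XSS-1", re.compile(r"(?i)<\s*script\b|javascript\s*:|\bon[a-z]+\s*=\s*[\"']?\s*alert\s*\("), "cross-site scripting"),
    ("LFI-1", re.compile(r"\.\./|\.\.\\"), "path traversal"),
]

# Positive model: an allowlist describing what each endpoint may legitimately receive.
# Anything not described here (unknown endpoint, unknown parameter, wrong format) is refused.
POSITIVE_PROFILE: Dict[Tuple[str, str], Dict[str, re.Pattern]] = {
    ("GET", "/products"): {"id": re.compile(r"\d{1,9}"), "sort": re.compile(r"price|name")},
    ("POST", "/login"): {"username": re.compile(r"[a-z0-9_.]{3,32}"), "password": re.compile(r".{8,128}")},
}


def normalize(value: str) -> str:
    """Decode URL encoding twice so %252e%252e%252f ends up as ../ before matching."""
    return unquote_plus(unquote_plus(value))


def inspect_targets(req: Request):
    """Yield every (location, value) pair the signature rules should look at."""
    yield "path", normalize(req.path)
    for name, value in req.query.items():
        yield f"query:{name}", normalize(value)
    for name, value in req.body.items():
        yield f"body:{name}", normalize(value)


def negative_model(req: Request) -> Decision:
    """Blocklist: allow unless any signature matches anywhere in the request."""
    for location, value in inspect_targets(req):
        for rule_id, pattern, label in NEGATIVE_RULES:
            if pattern.search(value):
                return Decision(False, f"{rule_id} ({label}) matched in {location}")
    return Decision(True, "no signature matched")


def positive_model(req: Request) -> Decision:
    """Allowlist: refuse unless the endpoint and every parameter match the profile."""
    profile = POSITIVE_PROFILE.get((req.method, req.path))
    if profile is None:
        return Decision(False, f"{req.method} {req.path} is not an allowlisted endpoint")
    params = [("query", k, v) for k, v in req.query.items()] + [("body", k, v) for k, v in req.body.items()]
    for location, name, value in params:
        validator = profile.get(name)
        if validator is None:
            return Decision(False, f"unexpected parameter {location}:{name}")
        if not validator.fullmatch(normalize(value)):
            return Decision(False, f"{location}:{name} does not match its allowed format")
    return Decision(True, "request matches the endpoint profile")


def hybrid_model(req: Request) -> Decision:
    """One common hybrid: strict allowlist where a profile exists, signatures everywhere else."""
    if (req.method, req.path) in POSITIVE_PROFILE:
        return positive_model(req)
    return negative_model(req)


if __name__ == "__main__":
    samples = [
        Request("GET", "/products", {"id": "42"}),
        Request("GET", "/products", {"id": "42' OR '1'='1"}),
        Request("GET", "/products", {"id": "42", "debug": "1"}),
        Request("GET", "/search", {"q": "<script>alert(1)</script>"}),
        Request("GET", "/files", {"name": "%252e%252e%252fetc/passwd"}),
    ]
    for r in samples:
        for name, model in (("negative", negative_model), ("positive", positive_model), ("hybrid", hybrid_model)):
            d = model(r)
            print(f"{name:8} {r.method} {r.path} {r.query}: {'ALLOW' if d.allowed else 'BLOCK'} ({d.reason})")
```

Running the block shows the trade-off in the list above: the request with an unexpected `debug` parameter sails through the blocklist and is refused by the allowlist, while a harmless search on an endpoint nobody profiled is refused by the allowlist and allowed by the hybrid, which still catches the XSS payload on that same endpoint. The double decoding in `normalize` is what stops `%252e%252e%252f` from slipping past a literal `../` signature.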

So you hopefully now have a pretty good understanding of what a WAF is and how it works. But before you decide if you’d like to invest in one, we need to talk budget.

Typical Costs of Web Application Firewalls

Web application firewalls usually involve two kinds of cost. 

Deployment Costs

Deployment costs include the cost of hardware (if you’re using a hardware-based WAF) and the cost of installation and configuration. These costs can vary depending on the type of WAF you choose. 

Subscription Fees

Most WAF vendors charge annual or monthly subscription fees. These fees generally cover the cost of maintenance, support, and updates. Some WAFs also offer more features for an additional fee. 

How Do You Know If You Need a WAF?

If you’re still not sure if you need a web application firewall, ask yourself the following questions:

  • Do you store sensitive data on your website or web application? If so, you may need a WAF to help protect this data.
  • Do you process payments? If yes, PCI DSS requires you to protect public-facing web applications, and a WAF is one of the accepted ways to do that (the alternative is regular application vulnerability review).
  • Are you required to comply with any security standards? A WAF may be necessary to meet them. 
  • Lastly, are you concerned about the security of your website or web application? If you’re concerned your current security efforts aren’t enough, a WAF can help.

If you answered “yes” to any of these questions, a WAF is likely a good choice for your business. 

How to Choose the Right WAF

When choosing a web application firewall, there are a few things you should consider:

  • Deployment model: First, you need to decide which type of WAF is right for you. Do you want a network-based WAF, a cloud-based WAF, or a host-based WAF? 
  • Security model: Next, you need to decide which security model you prefer. Do you want a positive security model, a negative security model, or a hybrid security model? 
  • Pricing: Finally, you need to consider the cost. WAFs can vary significantly in price, so it’s important to choose one that fits your budget. 

No single WAF is right for everyone. The best way to choose a WAF is to evaluate your needs and then compare the features and costs of different web application firewalls against those needs. 

Most Popular WAF Providers for 2022

With the above in mind, we can now discuss a few of the most popular WAF providers on the market. Be sure to weigh the features and pricing of each before you land on a decision.

1. AWS WAF

AWS WAF is a cloud-based web application firewall. Its rules can allow, block or simply count matching requests, so it can be configured as a positive, negative or hybrid model. It’s available as a standalone service, and customers of AWS Shield Advanced can use it at no additional charge. Notable features include:

  • Integrates with Amazon CloudFront, Application Load Balancer, API Gateway and AppSync, making it easy to deploy in front of existing AWS resources.
  • Offers AWS Managed Rules, vendor-maintained rule groups that cover common web attacks such as SQL injection and known bad inputs.
  • Lets you group rules into web ACLs, add custom rules and rate-based rules, and log every inspected request.

AWS WAF is priced on usage rather than in editions: a monthly charge per web ACL, a monthly charge per rule, and a charge per million requests inspected. 

2. Azure Web Application Firewall 

Azure WAF is a cloud-based web application firewall that deploys with Azure Application Gateway or Azure Front Door. It runs a managed rule set derived from the OWASP Core Rule Set (a negative model) plus your own custom rules, and can run in detection mode before you switch it to prevention. Pricing for Azure WAF on Application Gateway starts at $0.44 per gateway hour. 

3. Imperva WAF

Imperva WAF is a cloud-based web application firewall that combines vendor signatures with application profiling, so it can be run as a negative, positive or hybrid model. It was formerly sold under the Incapsula brand and is available as a standalone service or as part of Imperva’s broader application security bundle. Pricing for Imperva WAF starts at $59 per site per month for the Imperva App Protect Pro plan. 

4. Cloudflare WAF

Cloudflare WAF is a cloud-based web application firewall that offers a hybrid security model: Cloudflare-maintained managed rule sets plus custom rules you write yourself. It’s available on Cloudflare’s paid plans; the Business plan, for example, starts at $200 per month. 

These are just a few of the most popular web application firewalls on the market at the moment. Be sure to research prospective service providers well before committing to a service plan. 

Implementation and Best Practices 

Once you’ve chosen a web application firewall, you need to implement it. The process of implementing a WAF can vary depending on the type you’re using, of course. 


If you’re using a network-based WAF, you need to deploy it on your network, in line with the traffic. If you’re using a cloud-based WAF, you need to sign up for an account with the vendor and then configure your website or web application to use the WAF. This usually happens by pointing your domain’s DNS to the provider’s servers, which then forward clean traffic to your origin server. The process will vary depending on the vendor, but it’s usually pretty straightforward. One caveat a practitioner will want to handle: the DNS change alone does not hide your origin. If the origin server still accepts connections from anywhere, an attacker who learns its IP address can send requests straight to it and bypass the WAF entirely, so restrict the origin to the provider’s published IP ranges (or an authenticated connection from the provider) and only trust the client address the provider forwards in headers such as X-Forwarded-For when the connection actually came from the provider.
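The origin-side check this caveat calls for, as an added example in Python that is not from the original article or any WAF provider. The edge ranges are constructed placeholders from the RFC 5737 documentation blocks; in practice you would load the ranges your provider publishes. The function refuses connections that did not arrive through the WAF, and resolves the real client address by walking X-Forwarded-For from the right, stopping at the first hop that is not a trusted edge node, so a client cannot spoof its address by prepending entries to the header.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed placeholder ranges standing in for the WAF provider's edge network.
WAF_EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def is_edge(ip: str) -> bool:
    """True if ip belongs to the WAF provider's edge. Raises ValueError on malformed input."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_EDGE_RANGES)


def resolve_client(peer_ip: str, x_forwarded_for: Optional[str]) -> Tuple[bool, str, str]:
    """Decide whether to serve a request and which address to treat as the client.

    Returns (serve, client_ip, reason):
      * a TCP peer that is not a WAF edge node bypassed the WAF, so refuse it;
      * otherwise the client is the right-most X-Forwarded-For entry that is not
        an edge node. Entries further left were supplied by whoever connected to
        the edge, so they may be forged and must not be trusted.
    """
    try:
        if not is_edge(peer_ip):
            return False, peer_ip, "direct connection to origin bypassed the WAF"
    except ValueError:
        return False, peer_ip, f"malformed peer address {peer_ip!r}"

    hops: List[str] = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):  # nearest trusted hop first
        try:
            if not is_edge(hop):
                return True, hop, "client address taken from X-Forwarded-For"
        except ValueError:
            return False, peer_ip, f"malformed X-Forwarded-For entry {hop!r}"
    # Every hop was an edge node (or the header was absent): nothing untrusted to report.
    return True, peer_ip, "no untrusted hop in X-Forwarded-For; using peer address"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "10.0.0.1"),                 # attacker hitting the origin directly
        ("198.51.100.7", "192.0.2.55"),             # normal request through the edge
        ("198.51.100.7", "1.2.3.4, 192.0.2.55"),    # client tried to prepend a fake address
        ("198.51.100.7", "192.0.2.55, 203.0.113.9"),  # edge-to-edge hop before the origin
        ("198.51.100.7", "not-an-ip"),              # garbage in the header
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", resolve_client(peer, xff))
```

The same logic applies to rate limiting and IP allowlists on the origin: if they key on a header value that anyone can set, the WAF in front of them is not protecting much.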

If you’re using a host-based WAF, you need to install and configure it on your server, typically as a module or plugin of the web server itself. To do this, you will need administrative access to the server and its web server configuration. On managed hosting this is typically available through cPanel or a similar management suite. If you don’t have that access, you will need to work with your development team or hosting provider to get it installed and configured properly.

There are a few things you need to keep in mind: 

  • Take the time to properly configure your WAF: Don’t just turn it on and hope for the best. Start in detection-only (logging) mode, review what the WAF would have blocked, add exceptions for the legitimate traffic it flags, and only then switch it to blocking. 
  • Test, test, test: After you configure your WAF, test it to make sure it’s working as expected. Send it the kinds of requests it is supposed to stop (for example, a known SQL injection or XSS probe) and confirm they are blocked, and send normal requests to confirm they are not. You can do this by manually testing your website or web application or by using a tool like WebInspect.
  • Keep an eye on your logs: Your WAF will generate logs that can give you insights into what’s happening on your website or web application, including which rules fire most and from where.
  • Monitor your website or web application for changes: If you see something that doesn’t look right, investigate it.

Note: If you’ve purchased a more all-in-one plan, some of these implementation steps may be completed for you.

Web Application Firewall Best Practices

Once you’ve chosen a web application firewall and set it up, there are a few best practices to keep in mind over the long-term, including:

  • Make regular updates: Make sure you keep your WAF software and its rule set up to date with the latest security patches and updates. Otherwise, it may not be able to protect your website or web application against newer attack patterns.
  • Monitor your WAF logs: Monitor your WAF logs regularly. This way, you can spot attacks in progress, scanners probing your site, and rules that are blocking legitimate users.
  • Keep testing: Audit the WAF on a regular basis to make sure it’s working properly, and re-test after every significant change to the application, since new pages and parameters can both open gaps and trigger false positives. You can use a tool like WebInspect or Burp Suite to perform periodic tests.
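The log review in the two lists above rarely means reading entries one by one. Here is an added example in Python, not code from the original article or from any WAF product, that runs over a handful of constructed log lines in a generic JSON shape (not any vendor’s actual log format) and pulls out the three things a practitioner looks for first: which rules are firing, which source addresses are hammering the site, and which rule-and-URL combinations are blocking so many different clients that they are more likely false positives than an attack.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines. The field names are an assumed generic shape; map your
# WAF's own field names onto them. One line is deliberately garbled to show it is skipped.
SAMPLE_LOG = """
{"ts": "2022-06-01T10:00:01Z", "action": "BLOCK", "rule": "SQLI-1", "client_ip": "192.0.2.10", "method": "GET", "uri": "/products"}
{"ts": "2022-06-01T10:00:02Z", "action": "BLOCK", "rule": "XSS-1", "client_ip": "192.0.2.10", "method": "GET", "uri": "/search"}
{"ts": "2022-06-01T10:00:03Z", "action": "BLOCK", "rule": "LFI-1", "client_ip": "192.0.2.10", "method": "GET", "uri": "/files"}
{"ts": "2022-06-01T10:00:04Z", "action": "BLOCK", "rule": "SQLI-1", "client_ip": "192.0.2.10", "method": "GET", "uri": "/login"}
{"ts": "2022-06-01T10:00:05Z", "action": "BLOCK", "rule": "SQLI-1", "client_ip": "192.0.2.10", "method": "GET", "uri": "/admin"}
{"ts": "2022-06-01T10:00:06Z", "action": "BLOCK", "rule": "XSS-1", "client_ip": "192.0.2.10", "method": "GET", "uri": "/products"}
{"ts": "2022-06-01T10:01:10Z", "action": "ALLOW", "rule": null, "client_ip": "198.51.100.20", "method": "GET", "uri": "/products"}
garbled line left over from a rotated file
{"ts": "2022-06-01T10:02:00Z", "action": "BLOCK", "rule": "XSS-1", "client_ip": "203.0.113.5", "method": "POST", "uri": "/search"}
{"ts": "2022-06-01T10:02:30Z", "action": "BLOCK", "rule": "XSS-1", "client_ip": "203.0.113.6", "method": "POST", "uri": "/search"}
{"ts": "2022-06-01T10:03:00Z", "action": "BLOCK", "rule": "XSS-1", "client_ip": "203.0.113.7", "method": "POST", "uri": "/search"}
{"ts": "2022-06-01T10:03:30Z", "action": "BLOCK", "rule": "XSS-1", "client_ip": "203.0.113.8", "method": "POST", "uri": "/search"}
{"ts": "2022-06-01T10:04:00Z", "action": "ALLOW", "rule": null, "client_ip": "203.0.113.9", "method": "GET", "uri": "/"}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse one JSON object per line, skipping lines that are not valid records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (json.JSONDecodeError, KeyError, TypeError, ValueError):
            continue  # a corrupt line should not abort the whole review
        events.append(event)
    return events


def blocks_by_rule(events: List[Dict]) -> Counter:
    """How often each rule blocked a request: the first thing to look at after a rule update."""
    return Counter(e["rule"] for e in events if e["action"] == "BLOCK")


def noisy_sources(events: List[Dict], threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Source addresses with at least `threshold` blocks inside any `window`: scanners and brute-forcers."""
    times = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK":
            times[e["client_ip"]].append(e["ts"])
    flagged = []
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def false_positive_candidates(events: List[Dict], min_distinct_ips: int = 4) -> List[Tuple[str, str]]:
    """Rule/URI pairs blocking many *different* clients. Many unrelated users tripping the same
    rule on the same page usually means legitimate input matches the rule; review before trusting it."""
    clients = defaultdict(set)
    for e in events:
        if e["action"] == "BLOCK":
            clients[(e["rule"], e["uri"])].add(e["client_ip"])
    return sorted(key for key, ips in clients.items() if len(ips) >= min_distinct_ips)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("parsed records:", len(events))
    print("blocks by rule:", dict(blocks_by_rule(events)))
    print("noisy sources:", noisy_sources(events))
    print("false-positive candidates:", false_positive_candidates(events))
```

On the sample data the scanner at 192.0.2.10 stands out by rate, while the XSS rule on /search is flagged for review because five unrelated addresses hit it within a few minutes; a real review would then pull those requests and decide between an exception for that parameter and keeping the block.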

Final Thoughts: Discovering Web Application Firewalls and Their Role in Your Business 

Today, we’ve covered a lot of ground when it comes to web application firewalls (WAFs). We’ve established that a WAF is a security control, delivered as hardware or software, that inspects HTTP traffic to protect websites and web applications from application-layer attacks. They can be deployed in a variety of ways, including on-premises, in the cloud, or as a host-based solution. 

It’s also apparent that when choosing a WAF, it’s important to consider your needs and budget. And after selecting from the most popular options, implementing it properly and following best practices is paramount: a WAF that is never tuned, tested or monitored gives little more than a false sense of security.

But what do you think? Do you use a web application firewall? Are you currently weighing your options? Work it out in the comments below.