A WAF in networking environments is a web application firewall that identifies malicious activity in web traffic and blocks threats to websites, web services, web servers, and web applications. A WAF in networking offers a different kind of protection than a standard firewall, which serves as a filter for internal and external network traffic.
What is a web application firewall?
A web application firewall is a security solution that provides an essential layer of defense for websites, web applications, mobile applications, and APIs. A WAF in networking environments monitors and filters both incoming and outgoing HTTP traffic to identify threats such as malware, malicious bots, zero-day exploits, and other web-related attacks that seek to access resources, compromise security, or degrade availability.
What are the benefits of a WAF in networking?
Digital transformation has made a WAF an essential component of a comprehensive cybersecurity program. For every enterprise engaged in ecommerce or doing business over the internet, a WAF helps to prevent attacks designed to gain unauthorized access to IT environments or to steal confidential customer records and sensitive data such as credit card numbers. Banks, retailers, and other organizations that accept payment cards can use a WAF to help with compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of regulations designed to protect the security of customers and their payment cards. Companies may also use a WAF to secure mobile applications, protect Internet of Things (IoT) networks, and enhance overall cybersecurity.
How does a WAF work in networking?
As a reverse-proxy technology, a WAF sits between the internet and an organization’s websites and web apps, filtering web traffic and applying predefined security rules and policies to internet-facing zones of the network to identify potentially malicious communication. A WAF analyzes the headers, query strings, and body of HTTP requests (e.g., GET requests, POST requests, PUT requests, and DELETE requests) searching for malicious requests, suspicious patterns, and known threats. When a match is found, the firewall can block the request and alert security teams. WAFs deploy a set of rules or policies that help to identify malicious traffic. Security policies can be quickly implemented and modified to respond to evolving attack vectors. During a DDoS attack, for example, a WAF in networking environments can quickly implement rate limiting to mitigate excessive requests.
What are the different types of WAF deployment models?
Security teams may deploy several types of WAFs in networking environments.
- Network-based WAFs are usually appliances installed locally to minimize latency. These WAFs are typically among the costliest WAF options and require IT teams to manage storage and maintenance of physical equipment.
- Cloud-based WAFs offer a turnkey option that allows for fast deployment, minimal up-front costs, and a predictable monthly subscription fee. Cloud-based WAFs offer access to real-time threat intelligence and may be deployed either as an in-line solution or as an API-based, out-of-path service.
Software-based, or host-based, WAFs are deployed as a virtual appliance or agent in a public cloud, in a private cloud, or on-premises. Host-based WAFs are typically less expensive to operate than network-based WAFs but allow more customization than cloud-based WAF solutions.
What is a WAF in networking vs. a network firewall?
A WAF in networking is different from the network firewall. WAFs use a rule-based system to evaluate Layer 7 traffic — the application layer — to defend against web-related threats. Traditional firewalls for network security operate at Layers 3 and 4 to inspect and filter network traffic, and prevent unauthorized access to IT environments.
What threats can be stopped by a WAF in networking scenarios?
A WAF can traditionally identify and block a broad array of web-related threats and common attacks, including many of the threats outlined by the Open Worldwide Application Security Project. The OWASP Top 10 Web Application Security risks are:
What are common features for a WAF in networking?
- Threat mitigation. A WAF in networking can protect web applications against a broad range of threats, including security misconfiguration, SQL injection, and cross-site scripting.
- DDoS mitigation. When a distributed denial-of-service (DDoS) attack sends an overwhelming number of requests designed to cause a website or application to slow down or crash, a WAF can help to quickly implement rate limiting to maintain availability and allow legitimate traffic to access services.
- API protection. Hackers frequently target application programming interfaces (APIs) in an effort to gain unauthorized access or to disrupt applications performance. By monitoring and analyzing incoming API traffic, WAFs can help to block potentially abusive requests.
- AI/ML pattern analysis. When analyzing web traffic patterns with artificial intelligence and machine learning technologies, WAFs can uncover and block attacks that do not conform to the patterns of known attacks.
- Monitoring and logging. By using a WAF to monitor traffic and analyze logs, security teams can better understand the nature of threats against web assets.
- Application profiling. WAFs can better identify and block potentially malicious requests by profiling applications to understand the structure of the software, the most common queries and URLs, and the types of data allowed.
Frequently Asked Questions (FAQ)
A blocklist is a negative security model that blocks traffic and specific IP addresses based on threat intelligence and signatures to protect against known attacks. An allowlist WAF operates on a positive security model, only admitting traffic that has been preapproved. Allowlists are more efficient to operate but may block legitimate traffic, while blocklists require more effort to manage but are more precise. Many WAFs in networking scenarios adopt a hybrid security model, which uses both blocklists and allowlists.
A WAF protects web applications by analyzing each HTTP/S request at the application layer. A next-generation firewall (NGFW) is designed to monitor traffic going out to the internet from websites, email accounts, and SaaS applications.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.