A Web Application Firewall, or WAF, is a special type of firewall used for web applications. A WAF acts as a shield between a web application and the internet, protecting the server by detecting and blocking malicious request traffic.
A WAF does this by filtering, monitoring, and blocking HTTP and HTTPS traffic to and from a web service. Once properly configured and enabled for a service, a WAF helps prevent application-layer (Layer 7) attacks that exploit a web application's vulnerabilities, including SQL injection, cross-site scripting (XSS), and HTTP protocol violations.
WAFs don’t protect against all types of threats and attacks; rather, WAFs are one important element of a wider suite of tools used to protect websites and apps. The rules determining what traffic is deemed safe and what is malicious — in other words, what kind of traffic a WAF will allow or block — are called “policies.”
Each company or person using a WAF can customize policies to their own unique requirements. Policies can be updated quickly and even automatically. This is one of the advantages of a WAF: because policies can be modified easily, there can be a faster response to various types of attack.
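As an added illustration that is not part of the original article, the sketch below shows the policy-driven inspection described above: each rule matches a decoded request field, a protocol check rejects unexpected methods, and a per-site exemption list models how an operator customizes the policy. The rule IDs, patterns, and request structure are constructed for this example and do not reflect any vendor's ruleset.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl, unquote_plus

@dataclass
class Rule:
    rule_id: str          # constructed identifier, e.g. "SQLI-001"
    description: str
    pattern: re.Pattern
    targets: tuple = ("path", "query", "headers", "body")

@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str = ""

# Constructed policy: tiny stand-ins for the SQL injection and XSS
# categories the text names. Real rulesets are far larger and tuned per site.
POLICY = [
    Rule("SQLI-001", "SQL tautology, comment, or UNION SELECT",
         re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|--\s|/\*|\bunion\b\s+\bselect\b)")),
    Rule("XSS-001", "script tag or inline event handler",
         re.compile(r"(?i)(<\s*script|\bon\w+\s*=)")),
]
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}

def _decoded_fields(req):
    """Yield (target, text) pairs after URL-decoding, so encoded payloads are not missed."""
    parts = urlsplit(req.url)
    yield "path", unquote_plus(parts.path)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query", f"{key}={value}"
    for key, value in req.headers.items():
        yield "headers", f"{key}: {value}"
    yield "body", unquote_plus(req.body)

def inspect(req, policy=POLICY, exempt_paths=()):
    """Return ('allow', None) or ('block', rule_id) for one request.
    exempt_paths is the operator's local policy tweak: paths skipped by content rules."""
    if req.method.upper() not in ALLOWED_METHODS:
        return "block", "PROTO-001"          # HTTP protocol violation category
    if urlsplit(req.url).path in exempt_paths:
        return "allow", None
    for target, text in _decoded_fields(req):
        for rule in policy:
            if target in rule.targets and rule.pattern.search(text):
                return "block", rule.rule_id
    return "allow", None
```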
WAFs can be implemented in three primary ways: on-premise, cloud, and hybrid.
On-premise WAFs, also known as appliance WAFs, are commonly used. Originally, all WAFs were on-premise and many companies still use on-premise WAFs to protect workloads, particularly older or legacy apps.
Cloud-based WAFs are located either in a vendor-hosted cloud or at the edge of a content delivery network (CDN). Cloud-based WAF solutions are becoming more popular because this deployment model blocks threats closer to their source, before malicious traffic ever reaches the organization's own network.
Cloud-based WAFs are the fastest way to get a WAF up and running. They are a good option in many cases, including where teams may not have full autonomy over their infrastructure and where organizations have limited in-house IT resources.
Organizations might also choose a cloud WAF because they do not have to deploy software to gain protection. This translates into cost savings: staff do not have to manage software and instead can just focus on preventing threats from compromising their apps and application programming interfaces (APIs).
Hybrid WAFs combine on-premise and cloud-based deployments, providing visibility into web requests directed at apps and APIs in any environment.
Hybrid deployments enable companies to protect both legacy applications that have not been adapted to the cloud and modern distributed applications. This deployment model uses both the on-premise and the cloud components to feed production security telemetry to a central management console, which provides a view across all WAF production deployments in easy-to-consume dashboards and reports.
Ideally, regardless of deployment method, the WAF vendor also provides an API that customers can use to feed security data and indicators to third-party security information and event management (SIEM) or security orchestration, automation and response (SOAR) tooling.
Web Application and API Protection (WAAP) is a term used to describe cloud-based services designed to protect web applications and APIs from a wide variety of attacks. A WAAP service should provide protective capabilities based on effective inspection of web requests before they reach the app or API endpoint.
A WAAP focuses only on the application layer (Layer 7) of the OSI model, and resides at the outer edge of a network. Cloud WAAP services typically include bot mitigation, WAF, API protection, and DDoS protection.