Web applications are very common these days; it is hard to run a successful service without one. So-called black-hat hackers love taking over these applications, and just as we protect ourselves from viruses and bacteria, we have to protect our web applications.
Hackers are much more interested in attacking servers than workstations, for a few reasons: servers are much more powerful, they run 24/7, and they have much better internet bandwidth. So let's take a look at what a WAF is.
What is WAF?
WAF (short for Web Application Firewall) protects web applications by monitoring, filtering and blocking potentially harmful traffic and attacks that could take over or exploit them. At the enterprise level, a WAF is deployed in front of an application or a group of applications to provide a layer of protection between the application and its end users.
At a very basic level, a WAF applies a set of rules to an HTTP conversation. These rules are generally good against cross-site scripting and SQL injection, but also cover file inclusion and cross-site request forgery. If you are familiar with a forward proxy, which hides the end-user machine's identity, you can think of a WAF as a reverse proxy: it shields the server from direct exposure by inspecting each client request before passing it through.
These sets of rules are referred to as policies. They filter out malicious traffic, and the matching algorithms behind them are usually quick, taking just a few milliseconds per request.
WAFs are split into two categories: those that operate on a blacklist and those that operate on a whitelist. These are complete opposites. A blacklist WAF protects the application against known attacks by blocking requests that match known-bad patterns. A whitelist WAF does not rely on known attacks at all; it allows only traffic that matches the patterns the application is expected to receive and blocks everything else.
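To make the two models concrete, here is an added example (not code from the original article or from any real WAF product) that runs a tiny blacklist rule set and a tiny whitelist policy over a few constructed requests to a hypothetical `/search` endpoint. The request samples, rule names and the endpoint schema are all assumptions made up for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample request targets for a hypothetical /search?q=<term>&page=<n> endpoint.
SAMPLE_REQUESTS = [
    "/search?q=shoes&page=2",                              # benign
    "/search?q=%27%20UNION%20SELECT%201--",                # matches a known SQLi signature
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",         # matches a known XSS signature
    "/search?q=shoes&debug=1",                             # no known signature, but an unexpected parameter
]

# Negative model (blacklist): deny only what matches a known-bad signature.
BLACKLIST_RULES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "xss-script-tag": re.compile(r"<\s*script", re.I),
}

# Positive model (whitelist): allow only the paths, parameters and value shapes the app expects.
WHITELIST_POLICY = {
    "/search": {"q": re.compile(r"[\w\s-]{1,64}"), "page": re.compile(r"\d{1,3}")},
}

def blacklist_check(target):
    """Return the name of the first matching signature, or None when no rule matches."""
    decoded = unquote(target)  # signatures are matched against the URL-decoded request
    for name, pattern in BLACKLIST_RULES.items():
        if pattern.search(decoded):
            return name
    return None

def whitelist_check(target):
    """Return None when the request fits the expected schema, else the reason it was rejected."""
    parts = urlsplit(target)
    policy = WHITELIST_POLICY.get(parts.path)
    if policy is None:
        return "unknown path"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = policy.get(name)
        if pattern is None:
            return f"unexpected parameter {name}"
        if not all(pattern.fullmatch(v) for v in values):
            return f"bad value for {name}"
    return None

def evaluate(requests=SAMPLE_REQUESTS):
    """Run both models over the requests; returns [(target, blacklist_verdict, whitelist_verdict)]."""
    return [(t, blacklist_check(t), whitelist_check(t)) for t in requests]

if __name__ == "__main__":
    for target, bl, wl in evaluate():
        print(f"{target}\n  blacklist: {'block (' + bl + ')' if bl else 'pass'}"
              f"\n  whitelist: {'block (' + wl + ')' if wl else 'pass'}")
```

The last request shows the difference between the models: the blacklist passes it because no signature matches, while the whitelist blocks it because `debug` is not a parameter the endpoint is expected to receive.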
WAFs do not have to be implemented in blacklist or whitelist mode only; many combine both. There are other parameters that matter when deploying a WAF. One of them is the platform it runs on: network-based, host-based or cloud-based. There is no perfect solution; each brings its own advantages and trade-offs.
A network-based WAF is the rarest of the three. It is generally hardware-based and runs locally, which minimizes overall latency. A network-based WAF requires physical space, storage and regular maintenance, and it is the most expensive WAF implementation.
A host-based WAF can be fully integrated into the application's software. It is not as expensive as the network-based option and allows for more customization. There are trade-offs to consider, though: it consumes the resources of the local servers and is costly to maintain. Last but not least is the cloud-based solution. It is affordable and easy to implement; sometimes it is as simple as changing a DNS record to redirect traffic through the provider. Cloud WAFs are updated continuously, which makes it easy to pick up the latest rules when new threats are discovered.
A WAF consists of two key modules: detection and protection.
Detection is the starting point and probably the most important aspect of a WAF service. It is all about continuous scanning, which discovers the application's weaknesses. There are also stages in which the WAF checks whether some parameters have been changed from their default values.
Protection consists of DDoS mitigation, SSL certificate verification and platform-specific rules. There is not much to explain here, as everything happens in the background. Once both processes are in place, the web application should be protected against the attacks described above.
A WAF may not be the most complex set of tools, but it does what it promises. With some tweaking and proper planning, it lets you concentrate on improving the user experience while it protects your servers from malicious traffic.
Featured image via Hacker Noon