A Web application firewall (WAF) is an online security solution that monitors, filters or blocks data packets as they travel to and from a Web application. For Example: Each and every request that comes to server is first authenticated by WAF then forwarded to Web Server to process the request. If Authentication is failed by WAF, an action is taken on that request defined by WAF and request is not forwarded to Web Server.
A web application firewall is usually deployed between the web servers and the Internet. It filters each incoming and outgoing message. The web application firewall scans and stops such messages and requests. For example, it can protect an application/server from Internet-based threats such as:
- SQL injection attacks
- XML injection
- Cross-site scripting (XSS)
The WAF’s operation is usually based on one the three security models:
- Blacklist or negative security model – This is continuously checking web traffic for anomalies, unusual behavior, and common web application attacks. At first, most traffic is allowed to pass while keeping anomaly scores for each request and logging as much information as possible (IP addresses, application sessions, and user accounts). If the firewall detects requests with high anomaly scores (according the rules set by the Web admin), they are either logged or rejected altogether. This model is best used when all kinds of traffic is expected and it’s very difficult to create rules for each kind. This model is particularly useful to deter DoS (Denial of Service) attacks.
- Whitelist or positive security model – In this only Web traffic WAFs let through is that which is known to be valid while rejecting/blocking everything else. While this seems easier to implement, this type of firewall requires knowledge of the web applications you are protecting. Most importantly, the kind of traffic that’s expected from these applications. Therefore, positive security models work best with applications that are rarely updated. This keeps maintenance efforts of the model to a minimum.
- Hybrid security model – This applies both the negative and positive models.
Mostly all WAFs have similar features, but major differences in them are user interfaces, deployment options, or requirements within specific environments.
Open-source solutions are available to the public for general usage.