What Is a Web Application Firewall (WAF)?

by Cody Johnson, Senior Strategic Programs Manager, Rackspace Technology

Web Application Firewall

It’s hard to feel like you have a full grasp of cybersecurity, especially as threats are always evolving. However, becoming more familiar with cybersecurity solutions allows you to build a strong understanding of how cyberattacks work.

I spoke to Adam Brown, Information Security Architect at Rackspace Technology®, to have him explain exactly how a web application firewall (WAF) works in straightforward, no-frills language and what part it plays in the ever-changing cybersecurity world.

What is a firewall?

Let’s begin with defining the firewall. Firewalls utilize what are known as access control lists (ACLs) to gate entry and control access to your web application server. And in this scenario, your web application server represents your online business.

If you imagine a facility, firewalls should act as a gate security check and ensure no uninvited guests or goods get in. Legacy firewalls are like having a security guard sitting in a booth doing visual checks of people trying to access your premises. The check is only as sophisticated as a guard looking at cars and passengers from the booth.

This first layer of security is packet filtering, with the car representing the data packets, or information, that is traveling through to reach the application.

A WAF explained

A WAF provides real-time protection by blocking bots, scrapers and crawlers from reaching your application. With a WAF, you’ll have less unwanted traffic, which translates to smoother online operation.

Thinking of the metaphor mentioned above, the WAF operates in much the same way as a security inspector, but this time the inspector comes up close to the vehicle to perform a close inspection. And this is no cursory exterior once-over — the inside of the car (or data packet in actuality) is examined like a crime scene. These checks are akin to application layer protocol validation.

A WAF provides better web protection than an intrusion prevention system (IPS) alone as it has a broader scope of inspection options. Using the analogy from earlier, you can think of an IPS like a sniffer dog. If there’s a substance in the car that the dog has been trained to find, the dog will become suspicious if they pick up a scent of that substance. The WAF is more sophisticated than that. It looks for everything and can detect the presence of everything regardless if it is hidden from sight or scentless. A WAF is most effective as one component of a defense-in-depth approach, which means using multiple layers of technology as part of your cloud security management program.

Real-world use cases for a WAF

A WAF can protect applications against known security threats like SQL injections, where attackers insert malicious code to manipulate existing data on your system. A successful attack of this nature can result in voided transactions, deleted data or sensitive data exposure. But if you have deployed a WAF, it uses input validation and database-level protections to prevent SQL injections.

A WAF can also block credential stuffing. This is when stolen credentials are used to log in and launch an attack. The application may not be coded to recognize and prevent this type of attack, but with a WAF in place, it is safe and secure.

A WAF can also spare you from distributed denial of service (DDoS) attacks. In a DDoS attack, hackers overwhelm the application with requests. This results in the slowdown or complete shutdown of your application. And an application that’s not available, or is performing poorly, usually translates into lost revenue.

As threats are constantly evolving, the advantage of a WAF is that it can protect against unknown threats. It recognizes threats that use authorized protocols such as HTTP, while legacy firewalls cannot do this. Over time applications change, so a WAF needs to be maintained with rules and configuration options to ensure it provides the best level of defense.

Take the next step

Take the next step toward protecting your applications with our 15-question security self-assessment. You’ll receive a professional consultation where a cloud expert reviews your results and provides recommendations on addressing security gaps.

Take our 15-question security self-assessment