What is a Web Application Firewall?

Web application firewalls (WAF) are a type of application firewall that specifically focuses on HTTP applications.

As defined by the Open Web Application Security Project (OWASP), a non-profit focused on improving software security, WAFs are designed to protect websites from attacks that network firewalls and intrusion detection systems can’t, and they don’t require modifications to application source code.

A WAF applies a set of rules to an HTTP conversation, OWASP notes, and these rules generally cover common attacks such as cross-site scripting and SQL injection. While proxies generally protect clients, WAFs protect servers. 

WAFs are typically deployed as a reverse proxy to protect a specific web application or a set of web applications.They can come in the form of an appliance, server plug-in or filter, and be customized to a specific application.

WAFs and Bot Mitigation:

Good bots get along with WAF technology because they generally follow the rules of bot etiquette because their owners do not want to be blocked or banned from sites, while bad bots do not obey such rules. For the cases of bad bots, third-party evaluations place WAFs at 80% to 90% efficacy in detecting and/or stopping bots that attempt to exploit programming flaws such as the OWASP Top 10. However, they are also far less effective against bad bots attacking the OWASP automated threats list because they are not exploiting flaws in programming but business logic, which most WAFs do not sufficiently understand or protect against. 

The biggest issue WAFs have is that although they can help stop some portion of bots, the reality is that bot detection was not what they were designed for. They are designed for application protection. Their rule and policy-based approaches cannot adapt or scale to defend against large scale bot attacks. 

IT Analyst Perspectives on WAFs:

Gartner Magic Quadrant on Web Application Firewalls

According to Gartner, the WAF market is driven by a customer’s need to protect internal and public web applications when they are deployed locally (on-premises) or remotely (hosted, cloud or as a service). WAFs protect web applications against a variety of attacks, including notably injection attacks and application layer denial of service (DoS). 

They should not only provide signature-based protection, but should also support positive security models. WAFs are deployed in front of web servers to protect web applications against external and internal attacks, to monitor and control access to web applications, and to collect access logs for compliance/auditing and analytics. WAFs are most often deployed in-line, as a reverse proxy, because historically it was the only way to perform some in-depth inspections.

Gartner publishes an annual Magic Quadrant for Web Application Firewalls and encourages reviews of WAF technology on its Peer Insights Reviews on WAFs website.

David Monahan of Enterprise Management Associates (EMA)

According to David Monahan of EMA, Web Application Firewalls (WAF) are appliances or software designed to inspect network communications from a client to an application to protect the application and backend database from exploitation. WAFs were created to have a higher degree of interrogation on the application communication flow than traditional application proxies and other firewalls in order to identify interactions with the application that could be fraudulent or malicious. 

WAFs evaluate inputs from the clients looking for exploitation of application code, such as the OWASP Top 10 vulnerabilities, application coding flaws, system misconfigurations, and data leakage. WAFs generally identify these issues through the evaluation of “dangerous” strings submitted to the server or engineered packets and other communication-related abnormalities that match or violate signature based rules or policies.