Web Application Firewall

April 15, 2021

What is a Web Application Firewall (WAF)?

A Web Application Firewall (WAF) is a security device designed to protect organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web application and the internet.

A WAF acts as a reverse proxy, shielding the application from malicious requests before they reach the user or web application. Part of a comprehensive cybersecurity strategy, a WAF helps protect the organization from a variety of application layer attacks, including Cross Site Scripting (XSS), SQL injection, Zero Day attacks, and Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks.


Web Application Firewall vs Network Firewall

A WAF differs from a network firewall in terms of the type of protection it provides and how that security is applied. Put simply, a WAF protects the organization at the application level by analyzing all HTTP/HTTPS communication, whereas the network firewall acts as a barrier that prevents unauthorized access to the network on a whole.

On a technical level, the key difference between a WAF and a traditional firewall pertains to where the operational layer of security is applied as defined by the Open Systems Interconnection (OSI) model. WAFs protect from attacks at OSI model Layer 7, or the application level. Network firewalls operate at OSI model Layers 3 and 4, which focus on data transfer and network traffic.

How Does a Web Application Firewall Work?

A WAF operates according to a set of rules or policies defined by the network administrator. Each WAF policy or rule is designed to address an application-level threat or known vulnerability. Taken together, the policies work to detect and isolate malicious traffic before it reaches a user or application.

There are three main types of web application firewalls:

  1. Blocklist Web Application Firewall: A blocklist WAF, or negative security model, protects against known attacks by denying traffic that matches known attack patterns and allowing everything else.
  2. Allowlist Web Application Firewall: An allowlist WAF, or positive security model, admits only traffic that is on a pre-approved list.
  3. Hybrid Web Application Firewall: A hybrid WAF applies elements from both the blocklist and allowlist models.
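As an added illustration that is not part of the original article, the Python sketch below evaluates a few constructed HTTP requests under each of the three models just listed, showing where the negative model lets an undeclared request through and how the positive and hybrid models refuse it. The endpoints, parameter shapes and signatures are assumptions chosen for the demonstration, not any vendor's rule set.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class Request:
    """One HTTP request as the WAF sees it (constructed model, not a real library type)."""
    method: str
    path: str       # request path including any query string
    body: str = ""  # form-encoded body for POST


# Negative security model (blocklist): deny what matches a known-bad signature, allow the rest.
BLOCKLIST = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
]

# Positive security model (allowlist): declare each endpoint and the shape of every parameter.
ALLOWLIST = {
    ("GET", "/search"): {"q": re.compile(r"[\w\s-]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_.]{3,32}"), "pw": re.compile(r".{8,128}")},
}


def blocklist_decision(req: Request) -> str:
    """Block only if a signature fires; anything the rules have never seen is allowed."""
    target = f"{req.path}\n{req.body}"
    for name, pattern in BLOCKLIST:
        if pattern.search(target):
            return f"block:{name}"
    return "allow"


def allowlist_decision(req: Request) -> str:
    """Block anything not explicitly declared: unknown endpoints, extra parameters, odd values."""
    url = urlparse(req.path)
    spec = ALLOWLIST.get((req.method, url.path))
    if spec is None:
        return "block:unknown-endpoint"
    params = parse_qs(url.query if req.method == "GET" else req.body, keep_blank_values=True)
    for key, values in params.items():
        rule = spec.get(key)
        if rule is None or not all(rule.fullmatch(v) for v in values):
            return f"block:param:{key}"
    return "allow"


def hybrid_decision(req: Request) -> str:
    """Hybrid: the request must fit the allowlist AND must not trip a known-bad signature."""
    decision = allowlist_decision(req)
    return decision if decision != "allow" else blocklist_decision(req)
```

A request to an endpoint or parameter the blocklist has no signature for passes the negative model but is refused by the positive one, while a free-form field such as a password passes the allowlist and still needs the signature check; the hybrid policy applies both.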

Why do organizations need a Web Application Firewall?

Many organizations face increased security risks at the application level due to the shift to the cloud and increased use of web-based software or SaaS applications. In addition, remote work trends, which have accelerated due to COVID-19, an explosion of connected devices and the implementation of new “bring your own device” policies have introduced new digital threats occurring in the application layer. Incorporating a WAF within the cybersecurity strategy is one way that organizations can address attacks aimed at web applications and application programming interfaces (APIs).

While WAFs do not protect organizations from all digital threats, they do address those aimed at the application level. These include:

  • Cross site scripting (XSS): A code injection attack in which an adversary inserts malicious code within a legitimate website. The code then launches as an infected script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user.
  • DoS and DDoS: A DoS or DDoS attack is a malicious, targeted attempt to flood a network with false requests in order to disrupt business operations.
  • SQL injection: An SQL injection attack is similar to XSS in that adversaries leverage a known vulnerability to inject malicious SQL statements into an application. This, in turn, allows the hacker to extract, alter or delete information.
  • Zero-Day attacks: A Zero-Day attack occurs when a hacker exploits an unknown security vulnerability or software flaw before the software developer has released a patch.

Web Application Firewall Deployment Options

A WAF can be implemented one of three different ways:

  1. Network-based WAF: A low-latency hardware solution installed locally on the network. While effective, this option requires significant storage and typically carries high maintenance costs, making it one of the more costly deployment options.
  2. Host-based WAF: A customizable solution that is integrated into the application software. While less expensive than a Network-based WAF, this option is often more complex to deploy and still consumes considerable resources.
  3. Cloud-based WAFs: The most affordable deployment option, Cloud-based WAFs are turnkey solutions offered by the cloud provider, such as Amazon Web Services (AWS). In this model, implementation and updating is the responsibility of the cloud provider. While this lowers complexity for the organization and reduces the burden on the IT team, the business relinquishes some control to the third-party organization. As a result, the organization may not be fully aware of the threats the WAF is uncovering. There may also be limitations on how the solution is integrated within the organization’s broader cybersecurity strategy.

CrowdStrike and AWS Network Firewall Integration

In late 2020, CrowdStrike announced a new integration with AWS Network Firewall for customers that have CrowdStrike® Falcon X™ and Falcon Prevent™ subscriptions. With this integration, customers are able to leverage CrowdStrike Falcon® platform capabilities by extending threat intelligence and deployment automation to streamline incident response (IR) and simplify operations. This includes adding domain indicators of compromise (IOCs) to the AWS Network Firewall for IR and proactive threat hunting.

Web Application Firewall vs Next-Gen Firewall

A WAF provides protection only from web application attacks. While a WAF is an important part of an organization’s cybersecurity strategy, it is by no means a comprehensive solution and must be supplemented by other security measures.

A next-generation firewall (NGFW) is an advanced firewall option that combines antivirus, network firewall, WAF and other security devices into one solution. Like a traditional firewall, an NGFW can detect and block attacks at the application, port and protocol levels. However, it can also block modern threats such as advanced malware and application-layer attacks. An NGFW also incorporates more advanced features including application awareness, an intrusion prevention system (IPS) and cloud-enabled threat intelligence services.

A next-gen firewall is most comparable to a traditional firewall (not a WAF). While both offer static and dynamic packet filtering as well as VPN support, there are several main differences between the two. An NGFW:

  • Supports deep-packet inspection beyond the existing port and protocol inspection offered by a traditional firewall
  • Offers enhanced control and visibility at the application layer and can filter packets based on applications
  • Is capable of blocking malware before it enters the network
  • Provides added protection against advanced persistent threats (APTs)
  • Establishes a clear upgrade path to address future needs
  • Supports external intelligence sources

Firewall Solutions from CrowdStrike: Falcon Firewall Management

As more organizations look to adopt host firewall capabilities native to the operating system, they often find effective functionality but are faced with complex, cumbersome management and visibility blind spots that can frustrate administrators and open security gaps.

Falcon Firewall Management is an advanced solution from CrowdStrike that provides simple, centralized firewall management, making it easy to manage and enforce host firewall policies.

Delivered via the CrowdStrike Falcon® lightweight agent, single management console and cloud-delivered architecture, Falcon Firewall Management immediately enhances protection from network threats with minimal impact on the host — from initial enablement to ongoing day-to-day use.