What is a Web Application Firewall (WAF) and Why Use it?

In this article you will learn:

• What is the difference between a firewall and a web application firewall (WAF)?
• What is a web application firewall (WAF)?
• What does a WAF protect against?
• Benefits of WAF
• How does a WAF work?
• AWS WAF introduction, benefits and more
• Comprehensive security with StormIT deployment architecture

The difference between a firewall and web application firewall

The main difference between a firewall and a web application firewall (WAF) definition is that a firewall usually protects network and transport layers (layers 3 and 4). A WAF offers protection on the application layer (layer 7).

What is a web application firewall (WAF)?

Organizations and users are increasingly relying on web applications (e.g., web portals, enterprise web apps, business automation web solutions, eCommerce web apps, etc.). A WAF monitors HTTP/HTTPS requests and protects these web applications from malicious activities on layer 7 of the OSI model. Hence, a WAF is a necessary protection against a growing number of web security threats.

Types of WAF

In this article, you will mainly learn information about cloud-based WAFs.

• Network-based (NWAF): Traditionally hardware-based in an on-premises environment.
• Host-based: WAF is implemented as an additional application or plugin on a web server.
• Cloud-based: WAF protection is transferred to an external cloud supplier. WAF is provided as part of the access network (DNS, CDN, or Load Balancer).

What does WAF protect against?

A WAF should protect against the most common malicious web attacks, such as:

Common web application attacks and code injection techniques:

• SQL injection (SQLi): This can be done by entering a malicious code in SQL statements, via web page input (e.g. the user gives you an SQL statement that you will unknowingly run on your database). This malicious code can alter, steal or delete database data.
• Cross-site scripting (XSS): A malicious script is injected into the code (e.g. HTTP, JavaScript, etc.) of a trusted website, allowing potentially sensitive user data such as cookies to be accessed. The code modified by this attack is not executed on the server but on the user's side.
• Remote file inclusion (RFI): RFI is the process of embedding external files through vulnerabilities implemented in the web application. If the process allows modification of the path to a processed file (for example, if the path is included as a parameter), the attacker can use this path to input an external malicious file.
• And more web application attacks and threats from the OWASP Top 10 publication.

DDoS attacks on layer 7 (HTTP Flood):

These are composed of requests (HTTP GETs and DNS queries are popular) that are designed to consume application resources (memory, CPU, bandwidth). An example is an attacker who continuously uses a website functionality (submitting a contact form or any API requests) that they know causes database and application processing so that the underlying web service is busy with malicious requests and can’t deliver to other users anymore. Read more in our article about DDoS protection.

Bad Bots:

Bad bots are often programmed to do a variety of malicious jobs. They can try to break into user accounts, steal data, submit meaningless data through online forms, and perform other malicious activities. Bad bot activity is most often manifested by an abnormal increase or decrease in visits in unusual periods with a high rate of immediate leave (bounce).

Benefits of WAF

• Completes other protective systems such as firewalls and intrusion prevention systems.
• Lower costs for cloud security by avoiding the need for expensive dedicated hardware or IT security staff.
• Filters and monitors traffic on the application layer (layer 7) which is not possible with any other type of firewall.
• Prevents unauthorized transfer of sensitive data away from the application.
• Reduce the risk of downtime, data theft and security breaches.
• WAF can be scaled to protect against the largest DDoS attacks on layer 7.

How does a WAF work?

A WAF is usually placed logically between users and web servers and analyzes and compares network traffic with the vulnerability database. A WAF creates a set of rules designed to protect your website and detects unwanted traffic. It usually blocks this traffic but can be set up to only monitor it.

Want to find out how a WAF can help your particular use case?

AWS Web Application Firewall(AWS WAF)

The AWS WAF is a cloud-based solution that helps prevent attacks on the application layer 7 and a great web application firewall example. Due to the specific nature of these attacks, with an AWS WAF you can easily create customized rules against malicious requests which could have characteristics like being disguised as good traffic or coming from bad IPs, unexpected geographies, etc.

AWS WAF protection is tightly integrated with AWS services that AWS customers use to deliver content such as Amazon CloudFront CDN, the Application Load Balancer (ALB), and the Amazon API Gateway. But AWS WAF can be also used for the protection of services from other providers, but your content has to be served through the CloudFront distribution network.

How does an AWS WAF work?

You use an AWS WAF to control how an Amazon CloudFront distribution, an Amazon API Gateway, an Application Load Balancer or an AWS AppSync GraphQL API responds to web requests.

What can an AWS WAF do?

• Blocking of malicious traffic: SQL injection (SQLi), Cross-site scripting (XSS), Remote file inclusion (RFI), DDoS attacks on layer 7, Bad bots based on applied rules.
• Traffic filtering: Rate-based rules, Ip and geographical filtering, Actions on HTTP/HTTPS traffic (allow/block), Regex and String match support.
• Monitoring: Amazon CloudWatch metrics/alarms and sampled logs.

Types of rules

Before choosing the right type of security rules, you should understand what vulnerabilities your web application has. If you need help finding this out, contact us for a consultation.

1. AWS Managed rules

You can select from a variety of AWS managed rule groups to protect your application from multiple threats. These rules are written by security experts who have extensive and up-to-date knowledge of threats and vulnerabilities.

These managed rules include:

• Use case specific rules for protection based on your web application characteristics, such as the application OS or database type.
• Rule groups that can help you mitigate some of the common threats in the OWASP Top 10 publication.
• An IP reputation list acquired from the Amazon threat intelligence team to block known malicious IPs.

2. Custom rules

You can write custom rules specific to your web application/database to block undesired patterns in parts of the HTTP/HTTPS request, such as headers, method, query string, URI, body and IP address. These custom rules can be used together with AWS Managed Rules.

3. AWS Marketplace Rules

You can also find rules created by security vendors that have built their own rule sets on an AWS WAF on the AWS Marketplace.

4. Advanced Automated Mitigations

AWS provides the AWS WAF Security Automations Solution which automatically deploys a set of AWS WAF rules that filter common web-based attacks, but also provide advanced log analysis. This automated solution leverages AWS WAFs APIs to react to threats detected from logs, honeypot URLs, and more to automatically update rules and block malicious IP addresses. An example of this is shown below.

Benefits of AWS WAF

Easy to deploy:

If you are already using services like Amazon CloudFront or Application Load Balancer, you can be up and running with an AWS WAF within a few minutes. And you don’t have to re-architect your whole network infrastructure when starting with an AWS WAF, which is sometimes necessary for WAFs from other providers. There is also no additional software to deploy, any DNS configuration or SSL/TLS certificate to manage.

Affordable:

As for other AWS services you pay only for what you use based on how many rules you deploy and how many web requests your web application receives, but you can look at our offer at the end of this article and get an AWS WAF in one of our StormIT bundles.

Managed service and rules:

The AWS WAF is a fully managed service, so you don’t have to worry about scaling and updates/patches. With Managed Rules for your AWS WAF, you can quickly get started and protect your web application or APIs against common threats. Managed rules are automatically updated so you can spend more time building applications.

Comprehensive security with StormIT deployment architecture

StormIT team helps organizations protect their websites and applications against all commonly known attacks and exploits by leveraging the protection of AWS Services, such as AWS WAF and AWS Shield.

This reference architecture below includes several AWS Edge Services that the StormIT team recommends using because it can help you improve your web application’s resiliency against known web application attacks, but also secure your application and infrastructure in other ways. This architecture is intended for those who use only AWS services.

Here is an example of StormIT's recommended architecture for those who use servers outside of the AWS Cloud.

We offer AWS Edge Services (Amazon CloudFront, AWS WAF, Amazon Route 53 and AWS Shield) in our special bundles, so you can leverage overall security for your applications. The pricing of these bundles is mainly based on your monthly data transfer and we provide special pricing for organizations transferring as little as 1 TB of data per month.

You can read more about our offers here: