WAF stands for Web Application Firewall.
It helps to protect web applications (websites) by filtering and monitoring the HTTP traffic between a web application and the Internet.
It helps to protect applications from a range of attacks, of which the best-known ones are listed below.
- Cross-site request forgery (CSRF)
- Cross-site-scripting (XSS)
- File inclusion
- SQL injection
A WAF acts as a shield between the web application/website and the Internet. Whereas a forward proxy protects a client machine's identity by acting as an intermediary, a WAF is a kind of reverse proxy: it protects the server from direct exposure by making clients pass through the WAF before they reach the server.
A WAF operates through a set of rules, usually referred to as policies. These policies aim to protect against vulnerabilities in the web application/website by filtering out malicious traffic.
Part of a WAF's value is the speed with which its policies can be modified, which allows a faster response to different attacks; during a DDoS attack, for example, rate limiting can be implemented quickly.
A blacklist WAF is the type that protects against known attacks: it blocks traffic matching signatures of requests already known to be malicious. This approach is referred to as the negative security model.
A whitelist WAF only admits traffic that has been pre-approved. In other words, there is a list of allowed traffic, and only traffic on that list gets through. This approach is referred to as the positive security model.
Both types of WAF have their own advantages and disadvantages: a blacklist cannot stop an attack that matches no known signature, while a whitelist blocks legitimate requests it did not anticipate and must be maintained as the application changes. There is also a third model, the hybrid security model, which implements both blacklisting and whitelisting.
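To make the policies and the three models concrete, here is an added example (not code from the original article or from any WAF product): a toy request filter with a negative check built from attack signatures, a positive check built from an allowlist of endpoints and parameter formats, a hybrid check that runs both, and a per-client sliding-window rate limiter of the kind a policy change during a DDoS would switch on. The rule patterns, the endpoint schema, the client addresses and the sample requests are all constructed for illustration.

```python
# Added example (not part of the original article): a toy WAF request filter
# that contrasts the negative (blacklist) and positive (whitelist) security
# models, combines them into a hybrid check, and adds a per-client rate limit.
# All rules, endpoint names and sample requests below are constructed.
import re
from collections import defaultdict, deque
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Negative security model: signatures for known attack classes. Deliberately
# coarse; real rule sets are far larger and usually score-based.
NEGATIVE_RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s|;\s*drop\b")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")),
    ("file-inclusion", re.compile(r"\.\./|\.\.\\|/etc/passwd|php://")),
]

# Positive security model: the only (method, path) pairs and parameters the
# hypothetical application accepts, with a pattern each value must satisfy.
POSITIVE_SCHEMA = {
    ("GET", "/"): {},
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9_]{3,32}"),
        "password": re.compile(r".{8,128}"),
    },
}


def _fully_decode(value):
    """Undo URL encoding until it stops changing, so %2527 is seen as a quote."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def check_negative(method, url, body=""):
    """Blacklist check: block on the first signature hit, otherwise allow."""
    parts = urlsplit(url)
    for field in (parts.path, parts.query, body):
        text = _fully_decode(field)
        for name, pattern in NEGATIVE_RULES:
            if pattern.search(text):
                return ("block", name)
    return ("allow", None)


def check_positive(method, url, body=""):
    """Whitelist check: only a known endpoint with only its declared parameters."""
    parts = urlsplit(url)
    schema = POSITIVE_SCHEMA.get((method, parts.path))
    if schema is None:
        return ("block", "unknown-endpoint")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))
    for key, value in params.items():
        if key not in schema:
            return ("block", "unexpected-param:" + key)
        if not schema[key].fullmatch(value):
            return ("block", "bad-value:" + key)
    return ("allow", None)


def check_hybrid(method, url, body=""):
    """Hybrid model: the request must pass the whitelist and then the blacklist."""
    verdict = check_positive(method, url, body)
    if verdict[0] == "block":
        return verdict
    return check_negative(method, url, body)


class RateLimiter:
    """Sliding-window limit: at most `limit` requests per client per `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client_ip, now):
        q = self.hits[client_ip]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample requests: one benign, one double-encoded SQL injection,
    # and one template-injection probe that matches no signature.
    for url in ("/search?q=shoes",
                "/search?q=1%2527%2520OR%2520%25271%2527%253D%25271",
                "/search?q=%7B%7B7*7%7D%7D"):
        print(url, "negative:", check_negative("GET", url),
              "positive:", check_positive("GET", url),
              "hybrid:", check_hybrid("GET", url))
```

The third sample request shows the gap in each model on its own: the blacklist lets the `{{7*7}}` probe through because no signature names it, while the whitelist rejects it simply because braces are not in the allowed character set for `q`; conversely, the whitelist will also reject a perfectly legitimate new parameter until the schema is updated. Decoding repeatedly before matching matters for the negative model, since a single `%2527` would otherwise slip past a rule written for a literal quote.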
Usually, there are three ways of implementing a WAF:
- Network-based WAFs
- Host-based WAFs
- Cloud-based WAFs
Network-based WAFs are hardware-based: because the hardware is installed locally, latency is very low. On the other hand, the dedicated hardware makes them relatively expensive, and they require maintenance and physical space.
Host-based WAFs are fully integrated into the application's software. Compared to network-based WAFs they are less expensive and more customizable. On the other hand, they consume server resources, usually have high maintenance costs, and are somewhat complex to implement.
Cloud-based WAFs are very easy to implement and less costly; deployment is often little more than a DNS change that routes traffic through the provider. They are usually offered by third parties and are updated regularly to protect against the latest threats.