diagram of how a web application firewall works

Web application firewall (WAF)

What is a WAF?

A web application firewall or WAF is a security tool that protects web applications against common web-based threats by monitoring, filtering, and blocking data packets.

What is a WAF?

Web application firewalls (WAFs) are a critical security defense for websites, mobile applications, and APIs. They monitor, filter, and block data packets to and from web applications, protecting them from threats. WAFs are designed (trained) to detect and protect against dangerous security flaws that are most common within web traffic. This makes them essential for online businesses like retailers, banks, healthcare, and social media, which need to protect sensitive data from unauthorized access. WAFs can be deployed as network-based, host-based, or cloud-based solutions, providing visibility into application data at the HTTP application layer.

Since web and mobile applications and APIs are prone to security risks that can disrupt operations or exhaust resources, web application firewalls are designed to counter common web exploits like malicious bots. WAFs safeguard against threats that compromise availability, security, or resources including zero-day exploits, bots, and malware.

How does a WAF work?

A WAF works by inspecting HTTP requests and applying predefined rules to identify malicious traffic. It can be software, an appliance, or a service. The WAF analyzes the following key parts of HTTP conversations:

  • GET requests: These requests retrieve data from the server.
  • POST requests: These requests send data to the server to change its state.
  • PUT requests: These requests send data to the server to update or create.
  • DELETE requests: These are requests to delete data.

The WAF also analyzes the headers, query strings, and body of HTTP requests for malicious patterns. If the WAF finds a match, it will block the request and send an alert to the security team.

Why is WAF security important?

WAFs are crucial for the security of online businesses. They protect sensitive data, prevent leaks, prevent malicious code from being injected into the server, and meet compliance requirements like Payment Card Industry Data Security Standard (PCI DSS). As organizations increasingly use more web apps and IoT devices, attackers try to target their vulnerabilities. Integrating a WAF with other security tools like Cisco Duo 2FA and Cisco malware protection creates a robust defense strategy.

How does WAF contribute to web app security?

Many applications today are created using a combination of home-grown, third-party, and open-source code. WAFs add an extra layer of security to inadequately built or legacy applications and help to enhance secure design practices by blocking common attack vectors and preventing malicious traffic from reaching the application. Below is a list of significant advantages specific to WAFs.

  • WAFs can block malicious traffic before it reaches a web application, preventing data breaches and other attacks.
  • WAFs can help to protect sensitive data, such as credit card numbers and customer Personally Identifiable Information (PII), from unauthorized access.
  • WAFs can help to meet compliance requirements, such as PCI DSS, by blocking traffic that violates those requirements.
  • WAFs can work in conjunction with other security tools, such as an intrusion detection system (IDS), intrusion prevention system (IPS), and firewalls, to create a layered defense that is more effective at preventing attacks.

What is the difference between WAF and other tools?

While network firewalls handle lower layers, WAF focuses on higher layers where web apps are more vulnerable. WAF is vital for robust application security.

What is the difference between WAF and a network firewall?

While network firewalls handle lower layers, WAF focuses on higher layers where web apps are more vulnerable. WAF is vital for robust application security.

Do web applications need a firewall?

By positioning WAF in front of web apps, it safeguards them collectively. Its effectiveness against attacks such as cross-site scripting and injection attacks is a significant feature.

How does the HTTP protocol relate to WAF?

WAF intervenes to scrutinize legitimate requests, thwarting attacks like injection, cross-site scripting, HTTP Flood, and Slowloris, ensuring safer web interactions.

What are the differences between WAF, IPS, and NGFW?

Here are the basic differences between a WAF, an IPS, and a next-generation firewall (NGFW). While an IPS is signature-based and broad in focus, operating at Layers 3 and 4, a WAF operates at the application layer (Layer 7). A WAF protects web applications by analyzing each HTTP request, and traditional WAFs ensure allowed actions based on security policies. NGFWs are advanced firewalls with integrated IPS and application-layer capabilities.

How to protect your environment

Product

Cisco Secure Web Application Firewall (WAF)

Defend your online presence and ensure that website, mobile applications, and APIs are secure, protected, and "always on."

Product

Cisco Secure Firewall

Block modern threats and achieve real-time network security, with unified access control across applications.

Product

Cisco Secure Firewall Management Center

Manage hundreds of firewalls, control policies, and block malware from one dashboard.

How does a WAF protect against vulnerabilities?

A WAF protects against a list of top vulnerabilities, including various forms of bots. Adversaries employ malicious bots to target applications and data, including account takeover, data scraping, and denial-of-service attacks. With increasing API usage, bot attacks on APIs are also growing and conventional mitigation often fails against advanced bot tactics. Combating these threats necessitates a combined cybersecurity approach that integrates WAF along with device fingerprinting, behavioral analysis, bot intelligence, and dedicated API protection. An effective WAF should include bot detection systems that include deep-learning abilities to recognize evolving bots that adapt to evade basic security systems. It's crucial to counteract bad bots with your WAF protection solution.

Below are some of the top WAF vulnerabilities and corresponding defense tactics provided by Cisco advanced WAF and bot protection technology.

Attack categoryExplanation of attack / riskWAF protection technology
Broken user authentication

Weak authentication mechanisms allow unauthorized access. Attackers can exploit this vulnerability to bypass login screens and compromise user accounts.

Examples include unauthorized access to APIs, IP, token, role, and customer-based attacks.

  • Token protection
Excessive data exposure

When sensitive information is improperly stored, transmitted, or disclosed, it becomes vulnerable. Attackers can access confidential data, leading to privacy breaches.

Examples include environment fingerprinting, 5XX internal server errors, and HTTP response headers.

  • Data masking
  • Replace 500 messages
Security misconfigurations

Improperly configured settings, permissions, or defaults create security gaps. Attackers can exploit these gaps to gain unauthorized access or control.

Examples include incomplete or ad-hoc configurations, misconfigured HTTP headers, unnecessary HTTP methods.

  • Data masking
  • Replace 500 messages
  • Autolearning
Broken access control

Broken access control permits unauthorized users to access restricted resources. Attackers exploit this vulnerability to gain unauthorized privileges.

Examples include unauthorized access to APIs, IP, token, role, customer-based attacks, and access to restricted APIs.

  • API catalog validation IP and GEO policies
Injection / cross-site scripting (XSS)

Injection attacks exploit vulnerable inputs. Attackers insert malicious code into systems, gaining unauthorized access or manipulating data by executing unintended commands. XSS vulnerabilities allow attackers to inject malicious scripts into web applications. These scripts execute in users' browsers, compromising their data or sessions.

Examples include SQL injections, XSS, command injection, and directory traversal.

  • Positive security model
  • Negative security model
  • API catalog validation

 

Do WAFs safeguard against known and emerging threats?

WAFs are constantly updated with new rules and signatures to safeguard against both known and emerging security threats through a variety of techniques to detect and block malicious traffic, including:

  • Signature-based detection: This technique uses predefined rules to identify malicious traffic that matches known attack patterns.
  • Anomaly based detection: This technique identifies malicious traffic that does not conform to normal behavior patterns.
  • Machine learning: This technique uses artificial intelligence to identify malicious traffic that is not yet known.

How do WAFs help prevent OWASP top vulnerabilities?

WAFs can help prevent Open Worldwide Application Security Project (OWASP) top vulnerabilities such as SQL injection and cross-site scripting (XSS) by blocking malicious traffic that attempts to exploit these vulnerabilities. For example, a WAF can block SQL injection attacks by filtering out requests that contain malicious SQL code. And a WAF can block XSS attacks by filtering out requests that contain malicious JavaScript code.

What are the different types of WAF deployment with examples?

Here are several WAF deployment options that integrate WAFs into organizational cybersecurity infrastructure in the cloud.

Cloud-based

This is a newer deployment option, where the WAF service is hosted in the cloud and delivered as a subscription.

Cloud-based AWS

Optimal for organizations with limited in-house security resources. Enjoy hassle-free deployment, with a third-party managing WAF security on AWS, allowing you to focus on core activities.

Read the Secure Cloud for AWS Design Guide (PDF)

Cloud-based Azure

A bundled cloud security solution. Quickly deploy security policies in a cost-effective manner, enjoying the benefits of WAF protection without complexities.

Get the Secure Cloud for Azure Design Guide (PDF)

Cloud-based Kubernetes WAF

Scalable application security for continuous integration and continuous delivery/continuous deployment (CI/CD) environments is orchestrated by Kubernetes.

On-premises

This is the traditional deployment option, where the WAF virtual or hardware appliance is installed on site at the organization's data center. Suitable for organizations requiring flexibility, high performance, and advanced security.

Hybrid

This is a combination of the on-premises and cloud-based deployment options, where the WAF appliance is installed on site and the cloud-based service is used to supplement it.