What Is a Web Application Firewall (WAF)?

Web applications are how employees and customers interact with enterprise data, communicate with one another, and drive the business forward, and every one of them is a reachable attack surface. That exposure brings risk: account compromise and exploitation of application vulnerabilities are now among the most common ways attackers break in.

A web application firewall (WAF) is a security solution that sits in front of web applications and inspects the HTTP requests (and, in many products, the responses) each one handles. By matching that traffic against policies, it lets the admin team monitor, filter, and block malicious requests before they reach the application.


How Does a WAF Work?

A WAF safeguards applications by inspecting, filtering, and blocking potentially harmful HTTP/S traffic; some go further and inspect responses as well, preventing sensitive data from leaving the application. To do this the WAF parses every part of each HTTP request: the method, the URL path and query string, the headers (including cookies), and the body. Requests are inspected regardless of method, including:

  • GET requests: used to fetch data from the server; the attacker-controlled input is in the path, query string, and headers.
  • POST requests: used to send data to the server, typically to modify its state; input also arrives in the request body.
  • PUT requests: used to send data that creates or updates a resource on the server.
  • DELETE requests: used to request the removal of a resource from the server.

If any of these components matches a block rule, or the HTTP headers carry suspicious indicators (a missing Host header, an oversized or malformed header, a known-bad client signature), the request is rejected, typically with an HTTP 403, and never reaches the application.

This is made possible by a reverse proxy architecture: the WAF is installed between clients (a browser, a mobile app, or an API client) and the application's internal servers, and it is the component that terminates the client's connection. When a client requests a piece of data from a protected application, the WAF analyzes the request itself and the context around it (source address, session, request rate). Once a request is verified as safe, the WAF establishes its own connection with the internal application and passes the request through. Because the proxy also sees the responses, it can cache them; we'll discuss shortly how that caching improves performance.

Able to inspect all traffic entering and exiting the application, the WAF distinguishes between safe and malicious traffic according to policies: explicit rules that dictate what type of traffic is allowed where. WAFs are available as software, hardware, or as-a-service solutions. Whatever the underlying architecture, WAF policies need to be tuned to the specific requirements of the web applications they protect; a ruleset that is too loose misses attacks, and one that is too tight blocks legitimate users. Traditional WAFs require manual rule updates to stay effective against new vulnerabilities, whereas more modern WAFs use machine learning to learn normal behaviour and adapt their rules.
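The inspection flow described above, as an added example that is not part of the original article or any vendor's product: a minimal rule engine that parses a raw HTTP/1.1 request into the components a WAF looks at (method, path, query, headers, cookies, body), applies a policy of allowed methods, denied source IPs, header sanity checks and attack signatures, and returns the decision with the rule that fired. The policy, signatures, thresholds and sample requests are all constructed for the demonstration. Note the one detail that matters in practice: parameter values are URL-decoded (twice, to catch double encoding) before any signature is matched, because matching the raw encoded bytes is the easiest way to miss an attack.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed policy: allowed methods, a denied source IP, a header size cap,
# and attack signatures that are matched against every decoded input value.
POLICY = {
    "allowed_methods": {"GET", "POST", "PUT", "DELETE"},
    "denied_ips": {"203.0.113.7"},
    "max_header_len": 4096,
    "signatures": [
        ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
        ("sqli-union", re.compile(r"(?i)\bunion\b[\s/*]+\bselect\b")),
        ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
        ("path-traversal", re.compile(r"(?:\.\./){2,}")),
    ],
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into the parts a WAF inspects."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "headers": headers,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "body": body,
    }


def inspect(raw: str, client_ip: str) -> tuple:
    """Return ("allow" | "block", rule-name) for one request from client_ip."""
    req = parse_request(raw)
    if client_ip in POLICY["denied_ips"]:
        return "block", "denied-ip"
    if req["method"] not in POLICY["allowed_methods"]:
        return "block", "method-not-allowed"
    if "host" not in req["headers"]:
        return "block", "missing-host-header"
    if any(len(v) > POLICY["max_header_len"] for v in req["headers"].values()):
        return "block", "oversized-header"

    # Gather every attacker-controlled string: path, query values, cookie values, body.
    fields = [unquote_plus(req["path"])]
    fields += [v for _, v in req["query"]]
    cookie = req["headers"].get("cookie", "")
    fields += [unquote_plus(c.split("=", 1)[-1]) for c in cookie.split(";") if c.strip()]
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += [v for _, v in parse_qsl(req["body"], keep_blank_values=True)]
    else:
        fields.append(req["body"])
    # Decode once more so a double-encoded %2527 is seen as the quote it becomes.
    fields = [unquote_plus(f) for f in fields]

    for name, pattern in POLICY["signatures"]:
        if any(pattern.search(f) for f in fields):
            return "block", name
    return "allow", "no-match"


# Constructed sample requests.
BENIGN = "GET /search?q=laptop+bags HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_BODY = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
TRAVERSAL = "GET /static/..%2F..%2F..%2Fetc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"
TRACE = "TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("sqli", SQLI), ("xss", XSS_BODY),
                       ("traversal", TRAVERSAL), ("trace", TRACE)]:
        print(label, inspect(raw, "198.51.100.5"))
    print("denied ip", inspect(BENIGN, "203.0.113.7"))
```

A production WAF does the same things with far more signatures, normalisation steps (charset, HTML entities, overlong UTF-8) and per-endpoint context, but the shape is identical: parse, normalise, then match every field against policy, and drop on the first hit.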

Key WAF Features

WAFs are able to deliver the following core features:

Attack signature database

Attack signatures are identifiable patterns that indicate malicious activity; this can include specific request patterns, unusual server responses, or known-malicious IP addresses. Traditional WAFs depended heavily on databases of these patterns; newer tools layer behavioural detection on top, because a signature can only catch an attack that has already been seen and catalogued.

Traffic pattern analysis

Machine learning allows for baselines of normal traffic patterns to be established. Once set up, these engines are then able to spot deviations from normal behavior – which can signal a potential attack, even if there’s no malicious pattern to match it to.

Application Profiling

In the same way that day-to-day traffic can be analyzed for abnormalities, application profiling builds a model of the application's own behavior: its usual request parameters, the URLs it handles, the APIs it communicates with, and the data types it expects. With all of this corralled into a baseline, the WAF can detect and block requests that deviate from the profile, such as an unexpected parameter on a known endpoint or a string where an integer is expected, even when no attack signature matches.

Content Delivery Network Integration

Since WAFs are positioned at the network edge, integrating a CDN lets the inspection point sit geographically close to the end user. CDNs cache a site's content at multiple globally distributed points of presence (PoPs): when a user requests data, the nearest PoP serves it, and the WAF inspects the request at that same edge location before anything reaches the origin. This keeps performance optimal without skipping inspection.

Next-Gen WAF Features

AI-Powered False Positive Reduction

Application and user profiling can detect deviations from normal application and user behavior, but a deviation does not guarantee that the alert is a genuine indication of compromise. This is how false positives are created, and they are a major drain on security resources. Next-Gen WAFs address this by adding another layer of analysis that looks at the wider context of the device, user, or API responsible for an abnormal request. They can then take a graduated response rather than a hard block: a CAPTCHA challenge for a suspicious but possibly human client, a temporary rate limit, or, for API traffic, flagging the specific API key or token behind the abnormal requests so it can be reviewed or revoked.

API Identification and Protection

Users and bots are no longer the only things transferring data into and out of applications: APIs are now a huge part of the data ecosystem, and an undocumented or forgotten endpoint is as exposed as a documented one. WAFs therefore need to offer comprehensive API discovery and protection. Next-Gen WAFs incorporate API protection through customizable rules, alerts when an API's shape changes, and compliance oversight of the data flowing through it.

Types of WAF Deployments

The features a WAF can offer depend partly on how it is deployed, and, as with everything else in network security, there is more than one way to intercept and inspect traffic.

Network-based WAF

Typically deployed as hardware, this type is installed on-premises to minimize latency. While effective, it is the most costly option due to the need for physical equipment, which must also be stored and maintained.

Host-based WAF

Fully integrated into an application’s software, this type is less expensive than network-based WAFs and allows for greater customization. However, it demands significant local server resources, is complex to set up, and can incur high maintenance costs. Additionally, the server hosting the WAF often requires hardening and customization, which can be time-consuming and expensive.

Cloud-based WAF as a Service

This is a cost-effective and straightforward solution that largely avoids upfront investments, offering a subscription-based WAF-as-a-service model. Updates are handled by the provider, usually at no extra charge or effort for the user. However, because a third party manages the WAF, it’s crucial to ensure the service allows for sufficient customization to align with your organization’s business rules.

Common Threats Mitigated by WAF

What a WAF mitigates depends entirely on its rules and detection engine; assuming a correct setup, the following are some of the most common threats it addresses.

Injection Attacks

SQL injection attacks take advantage of input fields whose contents are concatenated into a database query, letting the attacker supply SQL syntax of their own. This allows attackers to manipulate the database, potentially gaining unauthorized access to data, modifying or deleting records, or executing administrative operations. SQL is not the only target of injection attacks (OS commands and LDAP queries are injected the same way), but it is certainly the most common.

A WAF reduces this threat by scanning request parameters for SQL keywords, quote characters and comment sequences before they reach the application and interact with the database. It is a mitigating layer, not a fix: encoded or obfuscated payloads can evade signature matching, so the application must still use parameterized queries.
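The two halves of the point above, as an added example that is not part of the original article: a login query built by string concatenation beside its parameterized form, and a naive WAF signature beside one that understands SQL comments. The database, the user row, the payloads and both rules are constructed for the demonstration. The second payload replaces the space after OR with an empty comment, which the SQL parser treats as whitespace but the naive rule does not; the parameterized query is unaffected by either payload, which is why the WAF rule is the secondary control.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is concatenated into the query, so a quote changes its grammar."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep input as data; the driver never re-parses it as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed payloads: a textbook tautology, and the same logic with the space
# after OR replaced by an empty comment (SQLite and most engines treat it as whitespace).
PAYLOAD_PLAIN = "x' OR '1'='1"
PAYLOAD_COMMENT = "x' OR/**/'1'='1"

# A quote-OR-quote signature of the kind a hastily written rule uses, and a
# version that accepts inline comments wherever it accepts whitespace.
NAIVE_RULE = re.compile(r"(?i)'\s*or\s*'")
COMMENT_AWARE_RULE = re.compile(r"(?i)'(?:\s|/\*.*?\*/)*or(?:\s|/\*.*?\*/)*'")


def waf_blocks(rule: re.Pattern, value: str) -> bool:
    """True if the given signature would block this parameter value."""
    return rule.search(value) is not None


if __name__ == "__main__":
    conn = make_db()
    for payload in (PAYLOAD_PLAIN, PAYLOAD_COMMENT):
        print(f"{payload!r}: naive rule blocks={waf_blocks(NAIVE_RULE, payload)}, "
              f"comment-aware blocks={waf_blocks(COMMENT_AWARE_RULE, payload)}, "
              f"vulnerable login={login_vulnerable(conn, 'nobody', payload)}, "
              f"parameterized login={login_parameterized(conn, 'nobody', payload)}")
```

The comment-aware rule is still a blocklist; case changes, alternative operators (`||`), and encoding tricks each need their own handling, which is why managed rulesets are large and why the parameterized query, not the rule, is the control you rely on.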

Broken Authentication and Session Management

This describes a whole suite of security risks across the user identity and access control process. It could be credentials stored unhashed or weakly hashed, predictable or exposed session IDs that allow attackers to steal and reuse tokens, or sessions that don't terminate properly.

A WAF can mitigate several of these through different rules: rate-limiting login attempts per source (which blunts brute force and credential stuffing), flagging a single client that cycles through many distinct usernames, and in some products checking submitted credentials against lists of known-breached passwords. It can also refuse further requests carrying a session token that has already been used to log out or has timed out. It cannot, however, fix how the application stores credentials or generates session IDs; those remain application-side responsibilities.
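The rate-limiting and token-revocation rules described above, as an added example that is not part of the original article: a small guard that keeps a sliding window of failed logins and of distinct usernames per source IP, blocks when either threshold is exceeded, and keeps a revocation set so a session token presented after logout is refused. The thresholds and the login log it replays are constructed for the demonstration; the first client in the log mistypes once and succeeds, the second walks through six usernames from one address.

```python
from collections import defaultdict, deque

# Constructed thresholds; real deployments tune these per application and endpoint.
WINDOW_SECONDS = 60
MAX_FAILURES_PER_IP = 5     # brute force against one or many accounts
MAX_ACCOUNTS_PER_IP = 3     # one client cycling through many usernames


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of failed logins
        self.accounts = defaultdict(dict)    # ip -> {username: last seen timestamp}
        self.revoked = set()                 # session tokens that must not be reused

    @staticmethod
    def _prune(window: deque, now: int) -> None:
        """Drop failure timestamps that have aged out of the sliding window."""
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def check_login(self, ip: str, username: str, success: bool, ts: int) -> str:
        """Return "allow" or a "block:<reason>" decision for one login attempt."""
        failures = self.failures[ip]
        self._prune(failures, ts)
        if not success:
            failures.append(ts)
        seen = self.accounts[ip]
        seen[username] = ts
        for stale in [u for u, t in seen.items() if ts - t > WINDOW_SECONDS]:
            del seen[stale]
        if len(failures) > MAX_FAILURES_PER_IP:
            return "block:rate-limit"
        if len(seen) > MAX_ACCOUNTS_PER_IP:
            return "block:account-spray"
        return "allow"

    def logout(self, token: str) -> None:
        """Record the token so any later request presenting it is refused."""
        self.revoked.add(token)

    def check_session(self, token: str) -> str:
        return "block:revoked-token" if token in self.revoked else "allow"


# Constructed login log, one attempt per line: "timestamp ip username result".
LOGIN_LOG = """\
1700000000 198.51.100.9 alice fail
1700000002 198.51.100.9 alice ok
1700000010 203.0.113.5 alice fail
1700000011 203.0.113.5 bob fail
1700000012 203.0.113.5 carol fail
1700000013 203.0.113.5 dave fail
1700000014 203.0.113.5 erin fail
1700000015 203.0.113.5 frank fail
"""


def replay(log: str) -> list:
    """Feed the log through a fresh guard and return the decision for each line."""
    guard = LoginGuard()
    return [guard.check_login(ip, user, result == "ok", int(ts))
            for ts, ip, user, result in (line.split() for line in log.splitlines())]


def session_reuse_after_logout(token: str) -> tuple:
    """Decision for the same token before and after the logout is recorded."""
    guard = LoginGuard()
    before = guard.check_session(token)
    guard.logout(token)
    return before, guard.check_session(token)


if __name__ == "__main__":
    for line, decision in zip(LOGIN_LOG.splitlines(), replay(LOGIN_LOG)):
        print(f"{line:40} -> {decision}")
    print("session after logout:", session_reuse_after_logout("tok-123"))
```

Keying the failure window on the source IP alone is the simplest form and the one most often evaded (attackers rotate through proxies); production rules add per-username and per-device windows, and the revocation set is typically a shared cache with the application's own session lifetime as its expiry.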

Cross-Site Scripting (XSS)

Often called XSS, these attacks are among the simplest to set up and automate against vulnerable sites and apps. A WAF can enforce strict rules on input fields, rejecting requests that carry "<", ">" or "<script" sequences in parameters where markup is never expected, which covers the bulk of automated XSS attempts. Pattern recognition also allows WAFs to identify indicators of attack outside of specific tags, such as event-handler attributes or javascript: URLs. Input filtering is a blocklist, so the application still has to output-encode user data wherever it is rendered.
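Why the last sentence above matters, as an added example that is not part of the original article: an application-side filter that deletes `<script>` blocks in a single pass, the same comment rendered with output encoding instead, and a WAF-style indicator check over the raw input. The payload is constructed; it nests an empty script element inside a split one, so deleting the inner element reassembles a working tag. The WAF check still fires, because it looks for the indicator anywhere rather than trying to remove it.

```python
import html
import re

# Application-side "sanitiser" that deletes script elements it can see in one pass.
SCRIPT_BLOCK = re.compile(r"(?is)<script\b[^>]*>.*?</script>")


def strip_script_tags(comment: str) -> str:
    """Blocklist filter: removes every <script ...>...</script> it matches, once."""
    return SCRIPT_BLOCK.sub("", comment)


def render_with_filter(comment: str) -> str:
    """Application that trusts the filter and embeds the result as HTML."""
    return f"<p>{strip_script_tags(comment)}</p>"


def render_with_encoding(comment: str) -> str:
    """Application that output-encodes: markup characters become entities."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# WAF-style detection: indicators of attack anywhere in the raw input, including
# handlers and URL schemes that never involve a <script> tag.
SCRIPT_INDICATOR = re.compile(r"(?i)<\s*script\b|\bon\w+\s*=|javascript:")


def waf_flags(comment: str) -> bool:
    """True if the WAF rule would block the request carrying this value."""
    return SCRIPT_INDICATOR.search(comment) is not None


# Constructed payload: the inner <script></script> is deleted, and the surviving
# fragments "<scr" + "ipt>alert(1)</script>" form a live script element.
NESTED = "<scr<script></script>ipt>alert(1)</script>"
HANDLER = '<img src=x onerror=alert(1)>'

if __name__ == "__main__":
    print("filtered :", render_with_filter(NESTED))
    print("encoded  :", render_with_encoding(NESTED))
    print("waf flags nested :", waf_flags(NESTED))
    print("waf flags handler:", waf_flags(HANDLER))
```

The encoded rendering is safe regardless of what the WAF does, and the filtered rendering is unsafe regardless of what the WAF does; the WAF's value is that it stops the request before an unencoded render path is reached, not that it replaces encoding.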

App Components with Known Vulnerabilities

Given today's app ecosystem, applications are assembled from many third-party components (frameworks, libraries, plugins), and a published vulnerability in one of them is weaponized quickly. A WAF that employs a regularly updated threat-intelligence database can block exploit requests aimed at known vulnerabilities in those components, a practice often called virtual patching. This buys time until the component is actually upgraded; it does not replace the upgrade.

WAF vs. Traditional Firewalls: Understanding the Differences

A firewall is a generic term for any hardware or software that filters incoming and outgoing traffic on a network. There are several categories within this broad definition that differ in the type of protection they provide: packet filtering, stateful inspection, proxy firewalls, and next-generation firewalls (NGFW).

A WAF is a specific type of firewall, distinguished by what it inspects. Rather than stopping at IP addresses, ports and connection state, it operates at the application layer (OSI layer 7) and parses the HTTP requests themselves, so it can prevent many attacks that are invisible to other types of firewalls. For example, a SQL injection attack carried in a form field would not be detected by a network firewall, because that firewall never looks inside the payload of an application request.

A traditional firewall blocks traffic from specific IP ranges, ports, protocols, or geographies. A WAF can apply those controls too, but it additionally lets you define rules that exclude specific types of application behavior that appear to be malicious, such as a particular parameter pattern on a particular endpoint.

Best Practices for Implementing a WAF

WAF rules are the fundamental building blocks that govern how the firewall functions. But they’re far from the only focus that your WAF management needs to have.

Understand Your Application’s Threats

Each application has a unique threat profile influenced by its functionality, user base, and level of exposure. Begin by identifying the most prevalent and critical threats to your application. For instance, eCommerce platforms are more likely to be targeted by SQL injection attacks, due to their large databases of customer details. API providers, on the other hand, may need to keep a closer eye on parameter tampering vulnerabilities.

Analyze Traffic Patterns

Study your application's typical traffic behavior to distinguish between legitimate and malicious activity. This analysis allows you to define precise rules that address specific threats without blocking real users. If your WAF is AI-powered, it establishes this baseline of normal traffic and application behavior automatically; let it observe a representative period, including peak load and any batch or release traffic, before switching from monitoring to enforcement.

Leverage Managed Rule Groups

Most WAF providers ship their tools with preconfigured rulesets – but check whether they also provide Managed Rule Groups. These are predefined sets of rules that are continuously maintained by the providers. These rule groups address a wide range of threats, including the OWASP Top 10, while also freeing up considerable admin resources.

Prioritize Scalability and Performance

Once up and running, it's vital to regularly assess the WAF's configuration and performance. Keep an eye on the KPIs indicative of your security team's success, like MTTR and the false-positive rate of blocked requests, while also monitoring any long-term changes to the application's latency.

With regular check-ups, it’s possible to ensure your WAF supports your application’s growth and user experience even as the organization and user base change.

Choose Next-Gen WAF Capabilities with Check Point CloudGuard

Check Point CloudGuard leverages advanced AI to provide proactive protection across web traffic and APIs, ensuring robust security for modern applications. By distinguishing between API types, endpoints, public-facing versus internal systems, and newer versus legacy components—CloudGuard enables precise tailoring of security measures to specific mission-critical needs.

To see just how important API protection is for application security, explore the 2024 GigaOm Radar Report. CloudGuard also helps meet GDPR and PII obligations and brings content awareness to the edge by monitoring sensitive data usage, with built-in identification of PII, financial records, healthcare information, and login credentials. Explore how CloudGuard lines up against other WAF market leaders, or sign up for an in-depth CloudGuard demo today.
