Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

What is a WAF?

What is a WAF?

Web application firewalls (WAFs) are powerful tools that help protect web applications by filtering and monitoring HTTP traffic between the application and the internet. As a layer 7 defense in the OSI model, WAFs safeguard applications from various attacks, including cross-site forgery, cross-site scripting (XSS), file inclusion, and SQL injection.


How WAFs work

WAF acts as a shield between the web application and the internet. Unlike a proxy server that protects a client's identity, a WAF functions as a reverse proxy. It ensures that client requests pass through the WAF before reaching the server, protecting it from exposure.

WAFs operate by employing a set of rules known as policies. These policies filter out malicious traffic and protect the application against vulnerabilities. WAFs' flexibility lies in their ability to quickly modify policies, allowing for a swift response to evolving attack vectors. 


Blocklist vs allowlist WAFs

WAFs can operate based on either a blocklist or an allowlist approach. Blocklist WAFs, or negative security model WAFs, protect against known attacks. On the other hand, allowlist WAFs, or positive security model WAFs, only admit traffic that has been pre-approved. 

Both blocklist and allowlist approaches have their advantages and drawbacks. To address this, many WAFs offer a hybrid security model, combining elements of both approaches to provide complete protection.


Types of WAF implementations

WAFs can be implemented in three different ways, each with its own benefits and considerations:


Network-based WAFs

Network-based WAFs are typically hardware-based solutions. Installed locally, they minimize latency and offer protection. However, they tend to be the most expensive option since they require the storage and maintenance of physical equipment.


Host-based WAFs

Host-based WAFs are integrated directly into an application's software. This approach is more cost-effective compared to network-based WAFs and offers greater customization. However, host-based WAFs consume local server resources, which can impact performance. Additionally, their implementation complexity and maintenance costs may require engineering expertise.


Cloud-based WAFs

Cloud-based WAFs provide an affordable and easily implementable alternative. These WAFs are typically a turnkey service requiring a simple DNS change to redirect traffic. Cloud-based WAFs have minimal upfront costs, as users pay for security as a service monthly or annually. However, users must entrust the responsibility to a third party, which may limit their control over certain WAF features.

Go deeper:

The 3 stages of an APT attack 

Newly exposed zero-day vulnerability puts Internet at risk 


Advantages of cloud-based WAFs

Cloud-based WAFs offer several advantages that make them a popular choice for businesses:

  • Affordability: With a pay-as-you-go pricing model, cloud-based WAFs eliminate the need for upfront hardware investment, making them cost-effective for businesses of all sizes.
  • Ease of implementation: Cloud-based WAFs can be implemented quickly and easily by making a simple DNS change. This eliminates the need for complex configurations or extensive engineering resources.
  • Scalability: Cloud-based WAFs provide scalable protection, allowing businesses to handle increased traffic and adapt to changing user demands without additional hardware or infrastructure.
  • Continuous updates: Cloud-based WAFs are regularly updated to defend against the latest threats. This ensures that businesses can access up-to-date security measures without needing manual updates.
  • Reduced maintenance: With a cloud-based WAF, businesses can offload maintenance and infrastructure management responsibility to the service provider, reducing their operational burden.

See also: HIPAA Compliant Email: The Definitive Guide  


Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.