What is a Web Application Firewall (WAF)?
A stateful firewall filters traffic based on IP addresses, ports, connection state, etc. However, if a firewall filters traffic based on IP addresses, ports, or connection state alone, it will not be possible to detect many intrusions. For example, it cannot detect whether an unwanted protocol is trying to bypass the firewall in an allowed port or any protocol is being abused. Many times, we need to understand application-layer protocols like HTTP, FTP, DNS, etc., and filter traffic based on that. Web Application Firewalls are developed for that purpose.
A Web Application Firewall, or WAF, is an appliance, server plugin, or filter that monitors the incoming and outgoing traffic from an application or service and filters it according to predefined rules. A WAF can look through certain traffic up to layer 7 of the OSI reference model and filter traffic based on that.
How do Web Application Firewalls (WAF) work?
There are mainly two types of Web Application Firewalls (WAF):
- Network-based Web Application Firewalls
- Host-based Web Application Firewalls
What are Network-based Web Application Firewalls?
Network-based Web Application Firewalls act on the application layer of the OSI reference model and can inspect the contents of traffic and block specific traffic, such as certain websites. They can also look through the traffic to detect the presence of malware or possible network intrusions, offload encryption from internal servers, manage and consolidate authentication, and block traffic that violates policies. Network-based Web Application Firewalls are also known as proxy-based firewalls.
A forward proxy server intercepts all the traffic from or to an internal network behind it and can filter them based on policies. For allowed traffic, it changes the source IP address of the outgoing traffic to its own IP address and sends it to external servers. The external server sends the response to the Forward Proxy server and the Forward Proxy server then forwards the packets to the appropriate internal clients. A reverse proxy, on the other hand, intercepts all the traffic coming from external clients to the internal servers behind it. The outside requesting clients cannot see the IP address of the requested internal server behind the Reverse Proxy Server and thus provides security. You can find more on how forward proxy servers and reverse proxy servers work here: How do proxy servers work?
Just like Proxy servers, a proxy-based Web Application Firewall intercepts the traffic between the requesting clients and requested servers and filters them as per some predefined set of rules. It can use stateful inspection technology or Deep Packet Inspection (What is Deep Packet Inspection?) to monitor and analyze the incoming and outgoing network traffic. It can understand a number of application layer protocols like HTTP and FTP and detect signs of malware or network intrusions.
A proxy-based firewall prevents the outside network from directly communicating with the inside network. Information packets do not pass through proxy firewalls. Instead, the Web Application Firewall acts as an intermediary. A proxy-based firewall has its own IP address. The outside computers first …
0 Comments