
What is a Web Application Firewall (WAF)?

A Web Application Firewall (WAF) is a specific type of firewall that protects web applications (like Dropbox, Slack, or Google Cloud) by monitoring, filtering, and blocking HTTP traffic between the applications and the internet.

How does a Web Application Firewall work?

A WAF filters out malicious traffic by using a set of rules or policies that protect against vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other web application vulnerabilities.

Most WAFs use rule-based filtering, which means they operate on pre-defined security rules that are entered manually. The WAF can then detect known threats based on known attack patterns and signatures.

Some advanced WAFs can use behavioral analysis, anomaly detection, or signature-based detection to identify threats.

What is Blacklisting and Whitelisting?

The blacklist in a WAF is a list of ‘known bads’ such as IP addresses, domains, or patterns that are deemed malicious.

The whitelist is a list of trusted digital entities.
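The rule-based filtering and the blacklist and whitelist checks described above, sketched as an added example (not code from this page or from any WAF product). The evaluation order, the `evaluate` and `listed` helpers, the documentation-range IP addresses and the simplified signatures are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed policy (assumption): documentation-range IPs, simplified signatures.
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]  # trusted sources
BLACKLIST = [ipaddress.ip_network("203.0.113.7/32")]   # 'known bads'
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]

def listed(src_ip, networks):
    """True if src_ip falls inside any network of the given list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)

def evaluate(src_ip, query_string):
    """Return (action, reason) for one request. Order is an assumption:
    whitelist, then blacklist, then signatures, else allow."""
    if listed(src_ip, WHITELIST):
        return ("allow", "whitelist")  # trusted source skips inspection
    if listed(src_ip, BLACKLIST):
        return ("block", "blacklist")
    # URL-decode first so %27 or + cannot hide a pattern from the regexes.
    decoded = unquote_plus(query_string)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return ("block", name)
    return ("allow", "no-match")

# Constructed sample requests: (source IP, raw query string).
SAMPLES = [
    ("192.0.2.10", "q=waf+deployment"),
    ("203.0.113.7", "q=hello"),
    ("192.0.2.10", "id=1%27+OR+%271%27%3D%271"),
    ("192.0.2.10", "q=student+union+select+committee"),  # benign search
    ("198.51.100.20", "q=%3Cscript%3E"),
]

def run_samples():
    """Evaluate every constructed sample and return the verdicts in order."""
    return [evaluate(ip, qs) for ip, qs in SAMPLES]

if __name__ == "__main__":
    for (ip, qs), verdict in zip(SAMPLES, run_samples()):
        print(ip, qs, "->", verdict)
```

The fourth sample is a benign search that a static signature still blocks, which is the kind of false positive that feeds alert fatigue. The last sample shows that a whitelisted source is never inspected in this ordering, so whitelist entries need the same review as blocking rules.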

How is a Web Application Firewall different than a Network Firewall?

A WAF aims to protect web applications by targeting Hypertext Transfer Protocol (HTTP) traffic, while a standard firewall provides a barrier between external and internal network traffic.

Network firewalls offer a broader scope of protection for an organization, covering their entire network. They also operate on Layer 3 or 4 of the OSI model. WAFs are focused solely on protecting web applications and services and operate on Layer 7 of the OSI model.

What are the deployment options for a Web Application Firewall?

WAFs can be deployed in several ways depending on the specific use case. Some common deployment options for WAFs include:

On Premise

An organization manages and installs the WAF at their own data center. In this case the organization is responsible for maintenance, updates, and scaling.


Many organizations prefer a cloud-centric approach. These organizations can purchase a WAF through cloud-based or third-party providers and host and manage the service within the cloud.

Other deployment methods

API Gateway Integration, containerized, reverse proxy, hybrid, inline, and integrated WAF in ADC.

What are the challenges of implementing and managing WAF solutions?


WAF solutions can be very expensive to deploy and scale, especially in large environments.

Alert Fatigue

As WAF solutions typically utilize a large number of policies, blocklists, and whitelists, they may be prone to significant false positives that can cause alert fatigue.

Investigation time

WAF solutions do not offer much context for incident investigation, which can lead to longer investigation times.

Application-Specific Challenges

Each application at a given organization can have individual characteristics or behavior to monitor. Adapting the WAF to these specific behaviors can be challenging.

How does Darktrace help manage and support WAFs?

Darktrace is able to detect if a user performs an unusual modification action to a WAF access control list or rule group. This provides the security team with a log of users who accessed the WAF and any changes made to control lists or rule groups. Darktrace is also able to enforce access control for users who access the WAF.
