What is a WAF?

A Web Application Firewall (WAF) is a specific type of firewall that protects web applications (like Dropbox, Slack, or Google Cloud) by monitoring, filtering, and blocking HTTP traffic between the applications and the internet.

A WAF filters out malicious traffic by using a set of rules or policies that protect against vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other web application vulnerabilities.

Most WAFs use rule-based filtering, which means that it operates on pre-defined security rules that are manually inputed. The WAF can then detect known threats athat are based on known attack patterns and signatures.

Some advanced WAFs can use behavioral analysis, anomaly detection, or signature-based detection to identify threats.

The blacklist in a WAF is a list of ‘known bads’ such as IP addresses, domains, or patterns that are deemed malicious.

Whitelists are trusted digital entities.

A WAF aims to protect web applications by targeting Hypertext Transfer Protocol (HTTP) traffic. While a standard firewall, provides a barrier between external and internal network traffic.

Network firewalls offer a broader scope of protection for an organization, covering their entire network. They also operate on Layer 3 or 4 of the OSI model. WAFs are focused solely on protecting web applications and services and operate on Layer 7 of the OSI model.

WAFs can be deployed in several ways depending on the specific use case. Some common deployment options for WAFs include:

On Premise

An organization manages and installs the WAF at their own data center. In this case the organization is responsible for maintenance, updates, and scaling.

Cloud-Based

Many organization prefer a cloud centric approach, these organizations can purchase a WAF through cloud-based/third-party providers and host/manage this service within the cloud.

Other deployment methods

API Gateway Integration, containerized, reverse proxy, hybrid, inline, and integrated WAF in ADC.

Cost

WAF solutions can be very expensive to deploy and scale, especially in large environments.

Alert Fatigue

As WAF solutions typically utilize a large number of policies, blocklist and whitelists they may be prone to significant false positives that can cause alert fatigue.

Investigation time

WAF solutions do not offer much context for incident investigation, as such it can lead to longer investigation times.

Application-Specific Challenges

Each application at a given organization can have individual characteristics or behavior to monitor. Adapting the WAF to these specific behaviors can be challenging.

Darktrace is able to detect if a user performs an unusual modification action to a WAF access control list or rule group. This will provide the security team with have a log of users who accessed the WAF and any changes made to control lists or rule groups Darktrace is also able to enforce access control for users who access the WAF.