Application Firewall (WAF)
Protect your apps, APIs, and data against the most prevalent cyberattacks—zero-day vulnerabilities, app-layer DoS attacks, threat campaigns, application takeover, and bots.
Attacks to apps are the leading cause of breaches—they are the gateway to your valuable data. With the right WAF in place, you can block the array of attacks that aim to exfiltrate that data by compromising your systems.
How does a web application firewall (WAF) work?
A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app. It does this by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe. Just as a proxy server acts as an intermediary to protect the identity of a client, a WAF operates in similar fashion but in the reverse—called a reverse proxy—acting as an intermediary that protects the web app server from a potentially malicious client.
WAFs can come in the form of software, an appliance, or delivered as-a-service. Policies can be customized to meet the unique needs of your web application or set of web applications. Although many WAFs require you update the policies regularly to address new vulnerabilities, advances in machine learning enable some WAFs to update automatically. This automation is becoming more critical as the threat landscape continues to grow in complexity and ambiguity.
The difference between a web application firewall (WAF), an intrusion prevention system (IPS) and a next-generation firewall (NGFW)
An IPS is an intrusion prevention system, a WAF is a web application firewall, and an NGFW is a next-generation firewall. What’s the difference between them all?
An IPS is a more broadly focused security product. It is typically signature and policy based—meaning it can check for well-known vulnerabilities and attack vectors based on a signature database and established policies. The IPS establishes a standard based off the database and policies, then sends alerts when any traffic deviates from the standard. The signatures and policies grow over time as new vulnerabilities are known. In general, IPS protects traffic across a range of protocol types such as DNS, SMTP, TELNET, RDP, SSH, and FTP. IPS typically operates and protects layers 3 and 4. The network and session layers although some may offer limited protection at the application layer (layer 7).
A web application firewall (WAF) protects the application layer and is specifically designed to analyze each HTTP/S request at the application layer. It is typically user, session, and application aware, cognizant of the web apps behind it and what services they offer. Because of this, you can think of a WAF as the intermediary between the user and the app itself, analyzing all communications before they reach the app or the user. Traditional WAFs ensure only allowed actions (based on security policy) can be performed. For many organizations, WAFs are a trusted, first line of defense for applications, especially to protect against the OWASP Top 10—the foundational list of the most seen application vulnerabilities.
A next-generation firewall (NGFW) monitors the traffic going out to the Internet—across web sites, email accounts, and SaaS. Simply put, it’s protecting the user (vs the web application). A NGFW will enforce user-based policies and adds context to security policies in addition to adding features such as URL filtering, anti-virus/anti-malware, and potentially its own intrusion prevention systems (IPS).
While a WAF is typically a reverse proxy (used by servers), NGFWs are often forward proxys (used by clients such as a browser).
Learn the benefits of F5 WAF
WHY ADVANCED WAF?
Protect against the most prevalent attacks on your apps, without having to update the apps themselves.
MODERN APPS NEED A HOLISTIC APPROACH TO MANAGEMENT
Analyze, troubleshoot, auto-scale and control every app, service and F5 device (virtual and physical) in any environment—all from a centralized, role-specific single pane of glass.