What Is A Web Application Firewall (WAF)?

A10 Networks Blog

A Web Application Firewall (WAF) is a security firewall technology that protects web applications from HTTP and web application-based security flaws.  WAF systems have specific knowledge of HTTP and web application vulnerabilities and filters or blocks these attacks without ever exposing the web servers or applications.

A WAF is deployed between application servers and network edge routers and firewalls.  The web application firewall functions as a flexible barrier that filters all application access, inspecting both in-bound and out-bound traffic. It is specifically designed to mitigate attacks without blocking legitimate users and without slowing down application performance.

A web application firewall differs from a traditional network firewall in its ability to inspect data at the application level for example, by validating form field input or protecting application cookies. A network firewall and a web application firewall are generally deployed together and provide complementary levels of security.

Threat Vectors

Applications can be vulnerable to many threats that are not detected by regular network firewalls. The impact of these attacks can be quite severe. The Open Web Application Security Project (OWASP) has compiled a list of the top 10 risks that still threaten many web application deployments. The OWASP Top 10 of 2010 is virtually identical to the OWASP Top 10 of 2017 version; the most common attacks have not changed significantly over the years. Here are some examples:

Attack Mitigation Examples

The WAF module offers granular control of Web application data flows. The WAF has various ways of dealing with threat vectors that can be launched at web applications. Here are two use cases:

How A10 Networks Can Help

The A10 Thunder Application Delivery Controllers (ADCs) include a full featured WAF that blocks web attacks before they can reach vulnerable applications. Deployed as a proxy in front of web servers, Thunder ADC inspects web requests and responses and can block, sanitize, or log malicious activity.

The WAF enables a full defense stack with other A10 security mechanisms in order to protect web applications, ensure against code vulnerabilities and prevent data leakage; this aids in regulatory security compliance, such as Payment Card Industry Data Security Standard (PCI DSS) requirements.

A10’s WAF feature is designed to recognize many of today’s threats, with flexibility to customize checks for emerging threats. The WAF is tightly integrated with other A10 security features within the Advanced Core Operating System (ACOS). Instead of integrating 3rd party WAF code, as many other vendors do, A10 has developed the WAF specifically for ACOS.

This approach results in a highly scalable and high performance security solution which is simple to configure.

Robert Keith
July 10, 2018

About Robert Keith

Robert has 30 years of experience in IT technology development and infrastructure management. He was the founder of several infrastructure ventures including Intellivence, MaxSP, Sentrik and most recently was the CTO of Iron Networks. As CTO of Iron Networks in San Jose, CA, he worked directly with many companies in the Silicon Valley to design and architect network, security, and cloud solutions. He worked directly with Microsoft engineering in the design of their cloud architectures including storage, Hyper-V, Systems Center and Virtual Networking. He also worked directly with Hortonworks to design a Hadoop deployment and management system using CentOS and many layered software packages. READ MORE