A WAF (Web Application Firewall) controls access to a web application. It denies access to incoming hostile requests, and also blocks outgoing traffic that is caused by malicious activity. (For more information, see What is a Web Application Firewall?)
There are a variety of WAF products available today. Some vendors offer dedicated hardware appliances. Other products include software WAFs that can be run on commodity hardware. The newest products are cloud security platforms which include next-generation WAFs. These have many advantages compared to previous WAF solutions. (For more information, see What is a next-generation WAF?)
A Web Application Firewall (WAF) is usually deployed inline in front of the backend network that it protects. The most common, and generally most effective, configuration is as a reverse proxy. The WAF serves as the intermediary between clients and the backend network.
When the WAF is deployed as a reverse proxy, clients do not communicate directly with the backend system. Instead, they communicate only with the WAF. Usually, the clients do not know that this is occurring; to them, this process is transparent.
Incoming client requests and outgoing server responses pass through the WAF in both directions. This allows the WAF to deny traffic that violates its security policies; it blocks all traffic that is deemed hostile or is otherwise disallowed.
A WAF can filter traffic according to several different strategies:
- Negative security model
- Positive security model
- Advanced capabilities
What is a negative security model?
WAFs analyze and scrub traffic by enforcing rulesets against the requests. Traditional WAFs were based on a negative security model: the WAF allows all incoming requests unless they match predefined threat signatures, or otherwise violate a security rule.
A negative security model has many problems, including:
- It cannot protect against zero-day exploits, or any other attack that hasn’t yet been added to the threat database.
- Attackers can bypass the WAF’s filtering by modifying an attack just enough that it no longer matches any known signature, or by evading detection in other ways.
- It cannot protect against all types of attack. For example, among the OWASP Top 10 Web Application Security Risks, three of them (A2 [Broken Authentication], A5 [Broken Access Control], and A7 [Cross-Site Scripting]) are not effectively covered by a negative security approach. And even for risks that negative-security rules can address, such as A1 [Injection], the rules are often not implemented in enough depth to provide truly robust protection.
Unfortunately, many WAFs being offered today are still primarily negative-security products. Therefore, they cannot provide full protection.
What is a positive security model?
For robust protection, a WAF (such as AWS Web Application Firewall) must also include a positive security model. Requests that pass the negative-security rules are further scrutinized to see if they match the characteristics of legitimate user requests. If anomalies are found, the traffic source might be blocked immediately, or (depending on the anomaly) it might be allowed, but subjected to more intensive scrutiny going forward, with less tolerance for future irregularities.
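The two models described above (signature-based denial, then allow-list validation with escalating scrutiny of a source that keeps producing anomalies) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not code from AWS WAF or any other product. The signatures, the per-endpoint parameter schema, the anomaly threshold, and the sample requests are all constructed for the example.

```python
"""Toy request filter combining a negative and a positive security model.

Added illustration for this page, not code from any WAF product.  The
signatures, schema, threshold and sample requests below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Negative model: deny anything that matches a known threat signature.
# Two constructed signatures stand in for a real threat database.
NEGATIVE_SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-comment", re.compile(r"--|/\*")),
]

# Positive model: for each endpoint, which parameters are legitimate and
# what shape each must have.  Constructed schema; a real one is derived
# from the application or learned from observed legitimate traffic.
POSITIVE_SCHEMA = {
    ("GET", "/products"): {
        "id": re.compile(r"^\d{1,8}$"),
        "sort": re.compile(r"^(price|name)$"),
    },
    ("GET", "/search"): {"q": re.compile(r"^[\w ]{1,64}$")},
}

# Anomaly points a source may accumulate before it is blocked outright.
BLOCK_THRESHOLD = 3


@dataclass
class SourceState:
    anomaly_points: int = 0
    blocked: bool = False


@dataclass
class WafDecision:
    action: str  # "allow" or "block"
    reason: str


class ToyWaf:
    def __init__(self) -> None:
        self.sources = {}  # client address -> SourceState

    def inspect(self, client_ip: str, method: str, url: str) -> WafDecision:
        state = self.sources.setdefault(client_ip, SourceState())
        if state.blocked:
            return WafDecision("block", "source-blocked")

        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))

        # Negative model first: a signature hit is blocked immediately and
        # the source is marked so its later requests are refused as well.
        haystack = parts.path + "?" + parts.query
        for name, pattern in NEGATIVE_SIGNATURES:
            if pattern.search(haystack):
                state.blocked = True
                return WafDecision("block", f"signature:{name}")

        # Positive model: a request that matches no signature can still be
        # anomalous if it targets an unknown endpoint or carries parameters
        # outside the allow-list.
        schema = POSITIVE_SCHEMA.get((method, parts.path))
        anomalies = []
        if schema is None:
            anomalies.append("unknown-endpoint")
        else:
            for key, value in params.items():
                if key not in schema:
                    anomalies.append(f"unexpected-param:{key}")
                elif not schema[key].match(value):
                    anomalies.append(f"malformed-param:{key}")

        if not anomalies:
            return WafDecision("allow", "ok")

        # Escalating scrutiny: each anomaly costs the source tolerance;
        # past the threshold the source is blocked rather than just flagged.
        state.anomaly_points += len(anomalies)
        detail = ",".join(anomalies)
        if state.anomaly_points >= BLOCK_THRESHOLD:
            state.blocked = True
            return WafDecision("block", "anomaly-threshold:" + detail)
        return WafDecision("allow", "flagged:" + detail)


if __name__ == "__main__":
    waf = ToyWaf()
    for ip, url in [
        ("198.51.100.7", "/products?id=42&sort=price"),
        ("203.0.113.9", "/products?id=42&debug=1"),
        ("203.0.113.9", "/products?id=abc"),
        ("203.0.113.9", "/admin"),
        ("203.0.113.9", "/products?id=1"),
    ]:
        d = waf.inspect(ip, "GET", url)
        print(f"{ip} GET {url} -> {d.action} ({d.reason})")
```

The point of the positive branch is that none of the flagged requests match a signature: a parameter the endpoint never accepts, a product id that is not numeric, and a path the application does not serve are anomalies only relative to what legitimate traffic looks like. A real WAF would also normalize the request (decode, canonicalize paths) before matching and would age out anomaly points over time; both are omitted here to keep the two models visible.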
Advanced capabilities, beyond negative or positive security
As mentioned above, WAFs were initially based on negative security models. Positive security models were introduced later.
Today, some WAFs include more advanced capabilities. Although, strictly speaking, these are also forms of negative or positive security, they differ enough in approach and power that they are usually categorized separately. They are described in more detail here: What is a next-generation WAF?