A Web Application Firewall (WAF) solution offers protection for web servers. Your WAF will monitor traffic between the Internet and your web application, then filters or blocks traffic based on a set of rules/policies.
Web application firewalls protect from attacks including SQL injection, cross-site-scripting (XSS) and cookie poisoning and are an essential component of your defensive strategy.
Here is our list of the best web application firewalls:
- AppTrana Managed Web Application Firewall EDITOR’S CHOICE A Fully Managed WAF provided by Indusface with bundled application scanner, CDN and managed custom security rules with Zero WAF False-positive assurance backed with SLA and 24×7 support.
- StackPath Web Application Firewall (FREE TRIAL) A Cloud-based firewall that is part of an “edge” solution.
- Sucuri Website Firewall (LEARN MORE) Part of a suite of offsite application security services that also includes DDoS protection.
- Fortinet FortiWeb An edge service bundle that offers a web application firewall, an SSL off-loader, and a load balancer in a cloud service, an appliance, or VM.
- Imperva Cloud WAF A cloud-based web application firewall with an onsite equivalent appliance called Imperva WAF Gateway.
- Barracuda Web Application Firewall Available as a SaaS system, a private cloud, an appliance, or a VM, this WAF also includes vulnerability scanning and data loss prevention.
- Prophaze WAF-as-a-Service A web application firewall with specialized routines for managing and security Kubernetes clusters.
- MS Azure Web Application Firewall A cloud-based WAF that can protect web servers anywhere. This is a metered service.
- F5 Essential App Protect A cloud-based WAF that is aimed at non-technical customers, so it is easy to set up and manage.
- Cloudflare WAF Cloud-based solution that can be combined with DDoS protection.
- Akamai Kona Site Defender Combines an offsite WAF and DDoS protection.
The Best Web Application Firewalls
Many web application firewall providers try to capture as much of the market as possible by offering their WAF systems in as many configurations as possible. So, in many cases, the same WAF can be provided as a software package that runs on a virtual machine, as a network appliance, or as a cloud-based SaaS system. It is also possible to get a cloud-based WAF as a fully managed service.
AppTrana from Indusface provides a fully managed Web application firewall bundled with content acceleration and CDN over the cloud. All you will have to do is route your traffic via the AppTrana Service hosted in multiple regions in AWS data centers by Indusface.
AppTrana comes out of the box with optimized core managed rule sets that can be put in blocked mode instantly based on the optimized core rule set Indusface has developed by doing security assessments of thousands of other websites. Once onboarded, customers can do an on-demand automated security assessment of the website and get instant visibility into whether they are already protected by WAF or require custom security rules.
Those requiring custom rules can be requested from the centralized portal and the 24×7 MSS team from Indusface will create a custom rule with Zero WAF false-positive assurance and protect them. Website performance is enhanced via a bundled CDN included in the service. AppTrana plan is available as a subscription service along with a 14-day free trial. Free Trial registrations are automatically enrolled into a free forever Basic plan which includes automated security scanning twice a month for your website.
AppTrana Managed Web Application Firewall is our top choice in this roundup because it includes the services of a team of experts that excel in the field of network protection. The service includes many other security services in addition to the usual web application firewall functions. The technical team of Indusface that works on this service filter out the chatter of security device reporting, taking a great load off the technical managers of client companies.
The location of this service in the cloud also removes the need for you to buy in and manage specialist hardware on-site to protect your network.
Start 14-day Free Trial: indusface.com/products/application-security/web-application-firewall/
The Web Application Firewall is one of a suite of cloud-based services offered by StackPath who specialize in “edge technology.” This term refers to the technique of pushing connected services out to the edge of your network, and then and little beyond. StackPath is a subscription-based Cloud service that captures all of your traffic before it reaches your Web server.
The offsite configuration of StackPath provides extra protection for your Web server as any malicious code doesn’t even get a chance to touch your resources.
The Web traffic heading to your website gets diverted to arrive at the StackPath server first. The three fundamental defenses offered by this service are: IP address assessment, browser validation, and the use of content based routing rules. This methodology focuses on the likelihood of incoming requests coming from dubious sources. The source filtering also shuts down any DDoS attack attempts.
Only validated traffic gets forwarded on to your Web server. All of that processing takes place so quickly that regular users don’t experience any connection speed impairment. StackPath offers the Web Application Firewall for free for the first month of service.
The Sucuri Web Application Firewall is part of a suite of website protection measures. The Sucuri cloud-based protection system is an online service. Your website’s address is hosted at Sucuri’s server, also all of your Web traffic goes there first.
The Sucuri service filters out malicious traffic through a range of techniques. The company maintains a database of attack signatures, which is constantly updated, so your website benefits from protection strategies learned by Sucuri when it is defending other sites.
The service package includes performance optimization and DDoS protection. The Sucuri server blocks malicious traffic and forwards all bona fide requests onto your Web server. This process happens so quickly that visitors will not notice any slowing in the delivery of your Web pages.
Delivery performance is enhanced by caching, which means even if your site is down for maintenance, visitors will still be able to access your Web pages. The Sucuri Web Application Firewall is available as a subscription service, and pricing starts from $9.99/month for their basic package. View plan details on their website.
The FortiWeb WAF from Fortinet is offered as a SaaS system, as a VM-based software package or as an appliance. The software for the WAF is also available for private cloud hosting and can be implemented as a container-based system.
The FortiWeb system operates a DDoS protection service when accessed as the cloud service or as an appliance. The web application firewall examines all traffic traveling to the network and deploys AI-based machine learning to detect suspicious activity. FortiWeb also uses a threat intelligence feed to keep up to date with the latest hacker attack strategies and looks for patterns of behavior that deviates from the calculated norm and seems to be leading towards a typical attack.
The WAF can be combined with an SSL off-loader and a load balancer. The cloud service is charged for by subscription and its dashboard can be accessed through any standard browser from anywhere. The network appliance version is available in eight models that vary in capacity from 25 Mbps to 20 Gbps.
Imperva is a major player in the cybersecurity industry and its WAF services are comprehensive. The online version of Imperva’s web application firewall acts as a proxy server, catching all incoming traffic and cleaning it up before passing it on to the protected web server.
The Imperva Cloud WAF service is partnered by other web enhancement services, such as a content delivery network (CDN), which speeds up the delivery of web pages and also provides constant availability should the main server go down for maintenance or get damaged in some way. The WAF includes a virtual patching service, which applies all patches needed on the protected system and provides site availability while the web server is bounced.
Imperva offers a managed service option for its Cloud WAF, which includes specialists and technicians to run the security software. An on-site version of the Imperva security service is available on a range of network appliances, called Imperva WAF Gateway.
The Barracuda Web Application Firewall is available as a SaaS system, an appliance, as a virtual appliance, or for installation on a private cloud account. This flexibility of implementation means that the WAF could be suitable for businesses of any size.
The WAF channels all traffic for a web server – both inbound and outbound. It is able to spot and block traffic-based attacks, malware, and on-page attack attempts. The service uses both blacklisting, to block hackers, and whitelisting, to allow access to valid users only from specific devices.
The traffic monitoring system of the Barracuda WAF also provides data loss prevention. This enables businesses to comply with data protection standards, such as PCI DSS. Inbound traffic is blocked if malformed connection requests are detected, signifying a DDoS attack. In these circumstances, the WAF server absorbs and discards volume attacks, allowing genuine connection requests through.
The network appliances offered by Barracuda vary in capacity from 25 Mbps to 10 Gbps.
Prophaze WAF-as-a-Service is a cloud-based proxy server that acts as a web application firewall. The Prophaze service includes AI routines that refine detection rules by adjusting the baseline of standard behavior. This feature helps to reduce the number of false alarms and helps to give genuine site visitors unrestricted access.
The Prophase system itself operates with Kubernetes containers and is also able to monitor the performance and security of your own system’s Kubernetes activities as well as performing traditional hacker activity detection.
You don’t need to be an expert to use the Prophaze WAF. The company aims its product at small businesses, so it is designed with non-technical users in mind. The screens in the dashboard are accessed through any standard browser and they are clear and well laid out.
Features include DDoS protection and virtual patching. It hardens the protected system and prevents data loss, aiding towards compliance to GDPR, HIPAA, CCPA, PCI-DSS, and SOC2.
The Prophaze service is charged for by subscription with three plans available. The highest plan, called SaaS has multi-tenant capabilities, making it suitable for use by MSPs. You can get a free trial of the Prophaze WAF-as-a-Service.
Microsoft Azure is a well-known hypervisor system that is one of the most successful cloud platforms available. Like AWS, the Azure division of Microsoft doesn’t just offer the platform system for cloud services, it also produces a range of software that provide utilities to other systems. The Web Application Firewall is one of these products.
As with any WAF, this service acts as a proxy. All of your inbound traffic flows through the Azure server first, it is inspected, and suspicious traffic gets blocked, with all other traffic passed on to your web server. This edge service model also makes the Azure WAF an excellent facility for DDoS protection and load balancing. All outbound traffic from your web server also gets routed through the WAF, which examines traffic for data loss events. So, this is a complete two-way web traffic security service.
The system automatically tracks for the top ten vulnerabilities as logged by the Open Web Application Security Project (OWASP). It has standards rules embedded in it, but your server administrator can adjust these and add on custom rules as well.
What makes Azure different from the other edge services in this list is that it isn’t charged for by subscription. Instead, it has a metered charge rate. This fact and the absence of set up charges makes this an excellent service for startups and small businesses as well as the largest corporations in the world.
The price tariff of Azure WAF is calculated on a combination of an hourly rate and a data throughput rate and charged monthly in arrears. That’s a much lower upfront cost than other cloud-based subscription WAFs, which expect the subscription fee to be paid in advance. What’s even better is that the first 10 TB of data per month is free for all but the lowest traffic levels and businesses with a lot of traffic gets up to 40 TB of throughput per month for free. The Azure Web Application Firewall can be examined as part of a 12-month Azure free trial.
F5 is a long-established cybersecurity service provider and it owns NGINX, Inc, the producer of the widely-used Nginx web server system. F5 and NGINX expertise contributed to the joint production of the F5 Essential App Protect cloud-based web application server.
The technology behind F5 Essential App Protect came from an adaptation of the F5 Application Security Manager – a pre-existing WAF that was delivered on a network appliance. The appliance version of the firewall still exists and it is now called the BIG-IP Advanced WAF. The NGINX version is an add-on for the Nginx Plus web server system and so is delivered as a software download.
F5 Essential App Protect has been designed with non-technical users in mind, so it is easy to set up and manage through a dashboard that is accessed through any browser.
Features of the Essential App Protect WAF include a threat intelligence feed from F5 Labs and full protection for APIs, pages, and web services. F5 offers a 15-day free trial of Essential App Protect which has processing volume limits placed on it.
Cloudflare has become very successful at protecting web hosts from DDoS attacks and they extend their protection with a web application firewall. This is an online service that is very widely used. Their servers manage 2.9 million requests every second on behalf of their large customer base.
The benefit of subscribing to a widely-used cloud WAF like Cloudflare is that the company can apply economies of scale to its threat research. An attack attempt on one customer instantly ripples through to a blacklist entry for all web servers protected by Cloudflare. If you have a cloud-based server central to your enterprise or as a content delivery system included in your web presentation, then Cloudflare can cover that as well. Integrating full Cloudflare DDoS protection alongside your WAF subscription is a very simple task.
Akamai is a world leader in DDoS mitigation and it integrates full DDoS protection with its web application firewall in a cloud service called Site Defender. A great benefit of combining both of these services in one security product is that you won’t need to have your traffic routed through two different companies in order to get genuine requests arriving at your web server.
As one of the leaders in online security products, Akamai often is the first to discover new exploits. As a customer of Site Defender, you benefit from this “ahead of the curve” information immediately with tighter and smarter blocks on hacker traffic.
What Attacks do WAFs protect against?
A web application firewall, or WAF, needs to protect your web server and its content from the following categories of attacks:
- Cross-Site Scripting (XSS) – malicious HTML code inserted into a web page input field by a hacker
- Hidden field manipulation – hackers rewrite the source code of a web page to alter values held in hidden fields and then post the amended code back to the server
- Cookie poisoning – altering parameter values held in cookies to corrupt data passed between web pages
- Web scraping – automated data extraction from web pages
- Layer 7 DoS attacks – overwhelming a web server by recursive application activity
- Parameter tampering – altering values in the parameters to a web page call
- Buffer overflow – user input that overwrites the code in memory
- Backdoor or Debug options – developer feedback reports for web page testing that can be used by hackers for access to the processor
- Stealth commanding – an attack on the operating system of a web server
- Forced browsing – the hacker gains access to backup or temporary folders on the webserver
- Third-party misconfigurations – manipulation of content inserts provided by other companies
- Site vulnerabilities / SQL injections – queries entered in user authentication fields
Although a WAF works as a front end to a website, a number of essential access control functions that your web host needs are not provided by this technology. WAFs focus on HTTP code and the request procedures for other internet applications, such as FTP. In these cases, the secure versions of these application protocols, HTTPS and SFTP, are also covered.
Here’s how do WAFs Work
WAFs look for irregularities contained in incoming requests and block malformed or devious constructs. A WAF is not responsible for load balancing between a cluster of servers. Although some types of DDoS attacks use HTTP, most use lower-level methods. So, a WAF will protect you against HTTP and FTP application-level/layer 7 DDoS attacks, but not those carried out by other strategies.
A WAF needs to be a part of your web hosting protection strategy. It can be implemented as a hardware solution or as software.
Proponents of software WAFs argue that you already have sufficient hardware available, you just need to extend the capabilities of your existing equipment in order to get a Web application firewall. However, the ideal location for the WAF is in front of your servers, and most software solutions are installed directly on the Web server.
The best place to put your WAF is on the router that acts as a gateway between your network (and thus, your server) and the internet. This strategy implies that the best option would be a router that has an integrated WAF. This would be a standalone piece of equipment and it would prevent damaging traffic or hacker exploration reaching your precious server.
Software vs Hardware WAF Considerations
So, which should you choose to control costs? Software WAFs are cheaper than hardware solutions. However, don’t think that there are no hardware costs to installing WAF software on your servers. You probably planned your server hardware capacity and so adding on an extra function will take up disk space, use memory and tie up CPU processors. You may have to extend your server capacity in order to host a WAF, so there are hardware costs involved.
Onsite skill sets are also a consideration. It is probable that your system administration staff are all familiar with your server’s operating system, but would be clumsy around a new device’s firmware. Users of hardware WAF tend to treat them as black boxes and intervene in their operations a lot less than they do with software WAFs — which could be a good thing.
Both hardware and software WAFS come with patches and update support. However, updating the software versions usually requires your consent and management for each install, whereas hardware WAFs tend to get updated directly by the provider, leaving you without time-consuming patch management issues.
Generally speaking, both hardware WAF and software WAFs perform the same tasks. Hardware WAFs keep extra load off your servers and they can continue to work even when you want to take one of your servers down. A hardware WAF is more reliable and can be left alone to do its job. Although hardware WAFs are probably better options than software WAFs, administrators tend to prefer the accessibility and customizability of software WAFs.
Web application firewall functions
Not only should you scan all user activity when a web page is live, but you need to check the code of your web pages, including off-the-shelf plug-ins provided by external companies. Coding errors and validation oversites are known as zero-day vulnerabilities. They are non-standard paths that could allow a hacker access to your web server. If hackers discover these security flaws before you or the provider of inserted code sees the problem, you will be subjected to a zero-day attack that might not be covered by your WAF.
The value of a WAF lies in the rules that it applies to user responses. These rule settings execute validation procedures that protect your web server from malicious activity by laying out activities to spot and dictating actions to take when an exploit is discovered. Rules will be written to specifically block well-known attack strategies. However, extra, more flexible rules in the WAF’s routines are useful for identifying zero-day threats.
See also: Best free port scanners
WAF vs next-generation firewalls vs intrusion prevention systems
Hackers are getting increasingly more sophisticated and, thankfully, so are cyber defense systems. However, you might be confused about the different categories of network protection that are now available.
The distinction between an intrusion prevention system (IPS) and any type of firewall is very easy to spot. The firewall defends the boundary of a system, whereas the IPS monitors traffic within the network. An IPS is an advanced form of an Intrusion Detection System (IDS). While an IDS spots suspicious activity, an IPS includes procedures to shut it down.
Next-generation firewalls usually include many of the techniques used by IPSs. That is, they record all activity rather than just examining each packet as it passes through the gateway. However, NGFWs sit at the gateway between the network and the outside world, while IPSs focus on traffic within the network. A WAF specifically examines Web traffic, carried through the HTTPS and SSL protocols. In short, the NGFW looks at traffic entering the network, while the WAF guards the webserver.
Hardware-based vs Cloud-based WAFs: Pros and Cons
The choice of your own piece of equipment or a cloud infrastructure solution can often come down to your own preferences for each configuration. For example, some people are uncomfortable outsourcing elements of their network and the security functions of a web host are particularly sensitive topics.
Cloud-based WAFs Cons
The WAF stands in front of all of your other devices and so it has to be the target of your URL. That means that you no longer have direct control over your traffic because all DNS records will direct website visitors to the cloud infrastructure first.
Where cloud WAFs are offered by companies that include other front-end security services, combining these into one package makes sense. For example, if your chosen WAF provider doesn’t have a DDoS protection service, you will need to forward your traffic to a second cloud service in order to get fully covered from all threats. Taking out a WAF cloud service can lock you into one online security company for all of your online protection and limit your options.
WAFs examine the contents of packets, so they have to strip off all encryption protection first before they can perform their main task. This means that you have to hand over your SSL certificate to the cloud WAF provider, effectively surrendering all of the data security functions that protect your web host, your content, and the safety of your customers.
You need to have a lot of faith in your cloud WAF provider in order to be prepared to let this third party stand in between you and your customers.
Cloud-based WAFs Pros
On the other hand, the reputation and expertise of the top cloud WAF providers means that you don’t need to be worried about being let down. The companies on our list specialize in networking and security services. Their accumulated expertise is a lot greater than you could get for your own company in-house. There is probably more risk to your website’s availability and security if you try to cover all of the complicated tasks that these issues involve.
Cloud-based solutions can be paid for on a monthly basis, spreading the cost of your web application security. In some cases, you only get charged for your web throughput, so you can defer paying for your protection until the end of the month when the service level has been calculated and invoiced.
If you already outsource parts of your operation, you have already come to terms with the cloud-based method of operation and so it would not be too difficult to outsource your WAF as well. You may need to switch from existing providers if combining other services, such as DDoS protection and load balancing, with your new WAF makes better logistical and economic sense.
Hardware-based WAFs Cons
When considering the cost of a hardware WAF, you need to add on the expenses of installing, housing, protecting, and maintaining it. Online WAFs get updated automatically, so they are always up-to-the-minute and ready to tackle the latest emerging threat. Getting that level of preparedness on your own WAF device can be expensive.
Most hardware WAF vendors offer an update service. The fixes to new threats are sent to your WAF device over the internet automatically and it will renew its firmware without your intervention. In the case of some new threats, other equipment and software on your network may need updating, and the support service of your WAF provider will give you those, too.
This process is called “virtual patching” and it is the WAF version of classic firewall database updates. However, although all of the hardware suppliers in our list provide virtual patching, not all of them include that service for free. Where the update service is included, it is usually only free for the first year. After that, you must pay extra for support of your in-house WAF.
The upfront cost of buying a hardware WAF can be an inconvenient expense when struggling to get your new web company operational. If you forgo this application security solution initially, you may get lulled into the belief that it is an unnecessary extra even when you get to the point where you have cash to spare. This is a dangerous scenario, because you will only realize that you need WAF protection once you have been hit by an attack. By then, your website will be blocked by search engines for containing malicious code and you will be sent out of business.
Hardware-based WAFs Pros
If you are running your own web server, you probably already know a lot about networking and internet systems. You may need a load balancer once you put on extra servers to deal with demand. If that is the case, you could buy a combined web cache, load balancer, and WAF combined and get all of your front-end requirements dealt with by one device.
Having your own WAF means you don’t have to surrender your web address to a third party. If at some point you do need extensive DDoS protection, then your URL will have to go to the DDoS mitigation provider. However, in this case, you won’t need to limit your choice of DDoS protection to that provided by your cloud WAF company. You won’t be committed to directing your URL to provide your WAF.
Choosing a web application firewall solution
Whether you prefer to have your own WAF on your network, or you think it would be better to go for a cloud-based WAF solution, this review has given you five options to consider. Selecting new equipment, software, and services for your company can be very time-consuming. In this guide, we have taken care of that first phase for you.
Your next task is to narrow down your options. The added extras that each of these WAF vendors offer will direct you towards that choice. The capacity of each service is also an important consideration and you should factor in scalability so that your future expansion plans are accounted for.
Make the decision on whether to go for a dedicated hardware or cloud-based WAF and then check out each of the five listed in that category. Overlooking the protection that a dedicated web application firewall offers your organization would be a mistake. Don’t wait until it is too late and your site has already been attacked. Get a WAF in place now to keep your website online.
Web Application Firewall FAQs
What is the difference between a normal firewall and a WAF?
Network and endpoint firewalls operate at a lower stack level than web application firewalls. As the name suggests, WAFs examine attributes at the Application Layer (Layer 7), whereas typical firewalls work at the Network Layer (Layer 3). So, each looks at different characteristics of incoming traffic. Another major difference between these two services is that a typical firewall integrates into the architecture of a network gateway (or computer network interface) but WAFs have a reverse proxy configuration.
What are WAF rules?
WAF rules are a list of things that the firewall needs to look out for. They are specific characteristics in web traffic and the specific places to look for them in the data stream. Rules are also called “policies.” They include the action to take on detection of an attack attempt, which usually just involves not passing that traffic on to the server being protected.
What are the 3 types of firewalls?
The three types of firewalls are packet filters, stateful packet inspection, and proxy server firewalls.
- Packet filters look at the technical features of all packets traveling in and out of a network and drop those that don’t match a given pattern or do match a list of blacklisted characteristics.
- Stateful packet inspection (SPI), also, known as dynamic packet filtering, also operates at the Network Layer, but it records individual packet characteristics so it can spot attacks that are split across several packets.
- A WAF is a proxy server firewall because all traffic is directed through the WAF on its way to the server. It operates at the Application Layer and substitutes the protected server’s IP address with its own.