A web application firewall or WAF offers protection for web servers.
Your WAF will monitor traffic between the Internet and your web application; it then filters or blocks traffic based on a set of rules/policies.
Web application firewalls protect from attacks including SQL injection, cross-site-scripting (XSS) and cookie poisoning and are an essential component of your defensive strategy.
Choosing a WAF can seem daunting which is why we’ve created this guide. Our experts have put the leading application firewalls to the test assessing things like; features, reliability and ease of setup.
Here is our list of the best web application firewalls (many with a free trial):
- AppTrana Managed Web Application Firewall (FREE TRIAL) A Fully Managed WAF provided by Indusface with bundled application scanner, CDN and managed custom rules with Zero WAF False-positive assurance backed with SLA and 24×7 support.
- StackPath Web Application Firewall (FREE TRIAL) A Cloud-based firewall that is part of an “edge” solution.
- Sucuri Website Firewall (LEARN MORE) Part of a suite of offsite protection services that also includes DDoS protection.
- Cloudflare WAF Cloud-based solution that can be combined with DDoS protection.
- Akamai Kona Site Defender Combines an offsite WAF and DDoS protection.
- Amazon Web Services WAF Front end for those who operate Amazon Web Services, including Application Load Balancer and the Amazon content delivery network.
- Incapsula Web Application Firewall Offsite WAF that combines DDoS protection from one of the world’s leading cybersecurity companies.
- 1 What Attacks do WAFs protect against?
- 2 How do WAFs Work?
- 3 WAF configurations
- 4 Web application firewall functions
- 5 The Best Cloud-based WAFs
- 6 The Best Hardware-based WAFs
- 7 Hardware-based vs Cloud-based WAFs: Pros and Cons
- 8 Choosing a web application firewall
What Attacks do WAFs protect against?
A web application firewall, or WAF, needs to protect your web server and its content from the following categories of attacks:
- Cross-Site Scripting (XSS) – malicious HTML code inserted into a web page input field by a hacker
- Hidden field manipulation – hackers rewrite the source code of a web page to alter values held in hidden fields and then post the amended code back to the server
- Cookie poisoning – altering parameter values held in cookies to corrupt data passed between web pages
- Web scraping – automated data extraction from web pages
- Layer 7 DoS attacks – overwhelming a web server by recursive application activity
- Parameter tampering – altering values in the parameters to a web page call
- Buffer overflow – user input that overwrites the code in memory
- Backdoor or Debug options – developer feedback reports for web page testing that can be used by hackers for access to the processor
- Stealth commanding – an attack on the operating system of a web server
- Forced browsing – the hacker gains access to backup or temporary folders on the webserver
- Third-party misconfigurations – manipulation of content inserts provided by other companies
- Site vulnerabilities / SQL injections – queries entered in user authentication fields
Although a WAF works as a front end to a website, a number of essential access control functions that your web host needs are not provided by this technology. WAFs focus on HTTP code and the request procedures for other internet applications, such as FTP. In these cases, the secure versions of these application protocols, HTTPS and SFTP, are also covered.
How do WAFs Work?
WAFs look for irregularities contained in incoming requests and block malformed or devious constructs. A WAF is not responsible for load balancing between a cluster of servers. Although some types of DDoS attacks use HTTP, most use lower-level methods. So, a WAF will protect you against HTTP and FTP application-level/layer 7 DDoS attacks, but not those carried out by other strategies.
A WAF needs to be a part of your web hosting protection strategy. It can be implemented as a hardware solution or as software.
Proponents of software WAFs argue that you already have sufficient hardware available, you just need to extend the capabilities of your existing equipment in order to get a Web application firewall. However, the ideal location for the WAF is in front of your servers, and most software solutions are installed directly on the Web server.
The best place to put your WAF is on the router that acts as a gateway between your network (and thus, your server) and the internet. This strategy implies that best option would be a router that has an integrated WAF. This would be a standalone piece of equipment and it would prevent damaging traffic or hacker exploration reaching your precious server.
Software vs Hardware WAF Considerations
So, which should you choose to control costs? Software WAFs are cheaper than hardware solutions. However, don’t think that there are no hardware costs to installing WAF software on your servers. You probably planned your server hardware capacity and so adding on an extra function will take up disk space, use memory and tie up CPU processors. You may have to extend your server capacity in order to host a WAF, so there are hardware costs involved.
Onsite skill sets are also a consideration. It is probable that your system administration staff are all familiar with your server’s operating system, but would be clumsy around a new device’s firmware. Users of hardware WAF tend to treat them as black boxes and intervene in their operations a lot less than they do with software WAFs — which could be a good thing.
Both hardware and software WAFS come with patches and update support. However, updating the software versions usually requires your consent and management for each install, whereas hardware WAFs tend to get updated directly by the provider, leaving you without time-consuming patch management issues.
Generally speaking, both hardware WAF and software WAFs perform the same tasks. Hardware WAFs keep extra load off your servers and they can continue to work even when you want to take one of your servers down. A hardware WAF is more reliable and can be left alone to do its job. Although hardware WAFs are probably better options than software WAFs, administrators tend to prefer the accessibility and customizability of software WAFs.
Web application firewall functions
Not only should you scan all user activity when a web page is live, but you need to check the code of your web pages, including off-the-shelf plug-ins provided by external companies. Coding errors and validation oversites are known as zero-day vulnerabilities. They are non-standard paths that could allow a hacker access to your web server. If hackers discover these flaws before you or the provider of inserted code sees the problem, you will be subjected to a zero-day attack that might not be covered by your WAF.
The value of a WAF lies in the rules that it applies to user responses. These rule settings execute validation procedures that protect your web server from malicious activity by laying out activities to spot and dictating actions to take when an exploit is discovered. Rules will be written to specifically block well-known attack strategies. However, extra, more flexible rules in the WAF’s routines are useful for identifying zero-day threats.
See also: Best free port scanners
Related: Best intrusion detection tools
Most software WAFs are now implemented as cloud services. These services charge a monthly rate with different plans to suit different websites. Here is a run-down of the best cloud-based WAFs on the market today:
AppTrana from Indusface provides a fully managed Web application firewall bundled with content acceleration and CDN over the cloud. All you will have to do is route your traffic via the AppTrana Service hosted in multiple regions in AWS data centers by Indusface.
AppTrana comes out of the box with optimized core rule sets that can be put in blocked mode instantly based on the optimized core rule set Indusface has developed by doing security assessments of thousands of other websites. Once onboarded, customers can do an on-demand automated security assessment of the website and get instant visibility into whether they are already protected by WAF or require custom rules.
Those requiring custom rules can be requested from the centralized portal and the 24×7 MSS team from Indusface will create a custom rule with Zero WAF false-positive assurance and protect them. Website performance is enhanced via a bundled CDN included in the service. AppTrana plan is available as a subscription service along with a 14-day free trial. Free Trial registrations are automatically enrolled into a free forever Basic plan which includes automated security scanning twice a month for your website.
The Web Application Firewall is one of a suite of cloud-based services offered by StackPath who specialize in “edge technology.” This term refers to the technique of pushing services out to the edge of your network, and then and little beyond. StackPath is a subscription-based Cloud service that captures all of your traffic before it reaches your Web server.
The offsite configuration of StackPath provides extra protection for your Web server as any malicious code doesn’t even get a chance to touch your resources.
The Web traffic heading to your website gets diverted to arrive at the StackPath server first. The three fundamental defenses offered by this service are: IP address assessment, browser validation, and the use of content rules. This methodology focuses on the likelihood of incoming requests coming from dubious sources. The source filtering also shuts down any DDoS attack attempts.
Only validated traffic gets forwarded on to your Web server. All of that processing takes place so quickly that regular users don’t experience any connection speed impairment. StackPath offers the Web Application Firewall for free for the first month of service.
The Sucuri Web Application Firewall is part of a suite of website protection measures. The Sucuri cloud-based protection system is an online service. Your website’s address gets hosted at Sucuri’s server, also all of your Web traffic goes there first.
The Sucuri service filters out malicious traffic through a range of techniques. The company maintains a database of attack signatures, which is constantly updated, so your website benefits from protection strategies learned by Sucuri when it is defending other sites.
The service package includes performance optimization and DDoS protection. The Sucuri server blocks malicious traffic and forwards all bona fide requests onto your Web server. This process happens so quickly that visitors will not notice any slowing in the delivery of your Web pages.
Delivery performance is enhanced by caching, which means even if your site is down for maintenance, visitors will still be able to access your Web pages. The Sucuri Web Application Firewall is available as a subscription service, and pricing starts from $9.99/month for their basic package. View plan details on their website.
Cloudflare has become very successful at protecting web hosts from DDoS attacks and they extend their protection with a web application firewall. This is an online service that is very widely used. Their servers manage 2.9 million requests every second on behalf of their large customer base.
The benefit of subscribing to a widely-used cloud WAF like Cloudflare is that the company can apply economies of scale to its threat research. An attack attempt on one customer instantly ripples through to a blacklist entry for all web servers protected by Cloudflare. If you have a cloud-based server central to your enterprise or as a content delivery system included in your web presentation, then Cloudflare can cover that as well. Integrating full Cloudflare DDoS protection alongside your WAF subscription is a very simple task.
Akamai is a world leader in DDoS mitigation and it integrates full DDoS protection with its web application firewall in a cloud service called Site Defender. A great benefit of combining both of these services in one product is that you won’t need to have your traffic routed through two different companies in order to get genuine requests arriving at your web server.
As one of the leaders in online security, Akamai often is the first to discover new exploits. As a customer of Site Defender, you benefit from this “ahead of the curve” information immediately with tighter and smarter blocks on hacker traffic.
The Amazon AWS web application firewall (or AWS WAF) is only available to customers of the company’s Web Services. These include the Application Load Balancer and the Amazon content delivery network. As Amazon Web Services are cloud-based, this WAF is an add-on to your existing subscription. The price model is very tempting. You don’t pay a lump sum each month. Instead, you get charged for each security rule that you set up and for the number of web requests that your server receives in a month.
Incapsula is a leader in DDoS protection and the company adds full DDoS filtering to its WAF, not just application-layer protection. The company has 25 data centers around the world, which ensures that this cloud-based WAF is monitored around the clock.
The cheapest WAF plan offered by Incapsula works out at $300 per month. Being based elsewhere, keeping the threat database updated is not your problem. Incapsula takes care of that. The company will also send you through patches to help you defend your web applications, which you can schedule to be applied at your server’s quiet times.
The Best Hardware-based WAFs
The hardware solution to web application firewalls involves a piece of network equipment that needs to go in front of the web infrastructure.
As all traffic in both directions will pass through this appliance first, you need to make sure that the model you choose has the capacity to handle your web server’s typical request throughput rate. When assessing WAF appliances, you should first measure the demand on your server in terms of both data throughput in Mbps and the number of transactions. As SSL transactions take more processing, you should look at the maximum number of SSL transactions per second (TPS).
This WAF is aimed at smaller businesses with units that have a throughput of 100 Mbps dealing with 440 SSL TPS, going up to a model that can process 10 Gbps and 9,000 SSL TPS. As an example of the range, take a look at the X2020, which gives you a throughput of 500 Mbps for a price of $4,200. This unit can deal with 2,200 SSL TPS.
The higher models in the range are mutually compatible. You can buy the X85210, which has a throughput rate of 5 Gbps, and then upgrade it later via a software patch to turn it into the X10K model, which allows a 10 Gbps throughput. You can also opt for a cloud-based version of SecureSphere.
Barracuda is a good solution for a small- to mid-sized web-based business. This appliance is a little pricey, but the purchase price includes a full year of system updates. The Barracuda box is automatically updated when the company detects new threats and exploits. The Barracuda box has some extra features, which include caching for faster content delivery and load balancing. You can add on full DDoS protection for a fee.
The Barracuda WAF is available in a range of sizes, each with different capacities. For example, the Model 360 will give you a throughput of 25 Mbps and it can handle 2000 SSL TPS. Your purchase of the 360 will set you back $6,350, including that first year of virtual patching. Support for subsequent years costs $1,350 per year.
The Netscaler MPX range comes with capacities ranging from 500 Mbps up to 200 Gbps. The cheapest model is the MXP 5550, which gives you a throughput of 500 Mbps and can cope with 1,500 SSL TPS. This unit costs $4,000, but that price doesn’t include a virtual patching contract, which is an added extra.
The Citrix Netscaler appliance also acts as a load balancer for small enterprises. Netscaler is also available as a cloud service.
If you have a small web enterprise and you are shifting up to the mid-size league, you will need to upgrade a lot of your equipment. This could be a good chance for you to check out the Fortinet FortiWeb appliance. This device integrates the WAF with a load balancer and an SSL offloader. If you are expanding out to multiple servers, you are going to need a load balancer anyway, so while you are in the market for a new bit of kit, it makes sense to get the web application firewall off your list of things to buy as well and get both built into the same box.
The FortiWeb range includes eight models with increasing throughput capacity. The entry-level model is 100D. This has a throughput rate of 25 Mbps. The top-of-the-range model is the 4000E. This has a throughput of 20Gbps. FortiWeb also operates a cloud version of its web application firewall service.
The BIG-IP ASM is aimed at large companies. Unfortunately, F5 doesn’t give an SSL TPS rate for its models, but an HTTP one instead. The 10200 model can process 75,000 HTTP TPS and has a throughput of 5 Gbps.
BIG-IP ASM helps your server perform faster by dealing with the SSL encryption of HTTPS and SFTP. This function is known as “SSL offloading.” The F5 package includes threat protection that benefits from deep threat analysis and dynamic learning, so you don’t have to invest too much time in reading through reports to work out which addresses to blacklist because the appliance will do that for you.
Hardware-based vs Cloud-based WAFs: Pros and Cons
The choice of your own piece of equipment or a cloud solution can often come down to your own preferences for each configuration. For example, some people are uncomfortable outsourcing elements of their network and the security functions of a web host are particularly sensitive topics.
Cloud-based WAFs Cons
The WAF stands in front of all of your other devices and so it has to be the target of your URL. That means that you no longer have direct control over your traffic because all DNS records will direct website visitors to the cloud service first.
Where cloud WAFs are offered by companies that include other front-end security services, combining these into one package makes sense. For example, if your chosen WAF provider doesn’t have a DDoS protection service, you will need to forward your traffic to a second cloud service in order to get fully covered from all threats. Taking out a WAF cloud service can lock you into one online security company for all of your online protection and limit your options.
WAFs examine the contents of packets, so they have to strip off all encryption protection first before they can perform their main task. This means that you have to hand over your SSL certificate to the cloud WAF provider, effectively surrendering all of the security functions that protect your web host, your content, and the safety of your customers.
You need to have a lot of faith in your cloud WAF provider in order to be prepared to let this third party stand in between you and your customers.
Cloud-based WAFs Pros
On the other hand, the reputation and expertise of the top cloud WAF providers means that you don’t need to be worried about being let down. The companies on our list specialize in networking and security services. Their accumulated expertise is a lot greater than you could get for your own company in-house. There is probably more risk to your website’s availability and security if you try to cover all of the complicated tasks that these issues involve.
Cloud-based solutions can be paid for on a monthly basis, spreading the cost of your web application protection. In some cases, you only get charged for your web throughput, so you can defer paying for your protection until the end of the month when the service level has been calculated and invoiced.
If you already outsource parts of your operation, you have already come to terms with the cloud-based method of operation and so it would not be too difficult to outsource your WAF as well. You may need to switch from existing providers if combining other services, such as DDoS protection and load balancing, with your new WAF makes better logistical and economic sense.
Hardware-based WAFs Cons
When considering the cost of a hardware WAF, you need to add on the expenses of installing, housing, protecting, and maintaining it. Online WAFs get updated automatically, so they are always up-to-the-minute and ready to tackle the latest emerging threat. Getting that level of preparedness on your own WAF device can be expensive.
Most hardware WAF vendors offer an update service. The fixes to new threats are sent to your WAF device over the internet automatically and it will renew its firmware without your intervention. In the case of some new threats, other equipment and software on your network may need updating, and the support service of your WAF provider will give you those, too.
This process is called “virtual patching” and it is the WAF version of classic firewall database updates. However, although all of the hardware suppliers in our list provide virtual patching, not all of them include that service for free. Where the update service is included, it is usually only free for the first year. After that, you must pay extra for support of your in-house WAF.
The upfront cost of buying a hardware WAF can be an inconvenient expense when struggling to get your new web company operational. If you forgo this protection initially, you may get lulled into the belief that it is an unnecessary extra even when you get to the point where you have cash to spare. This is a dangerous scenario, because you will only realize that you need WAF protection once you have been hit by an attack. By then, your website will be blocked by search engines for containing malicious code and you will be sent out of business.
Hardware-based WAFs Pros
If you are running your own web server, you probably already know a lot about networking and internet systems. You may need a load balancer once you put on extra servers to deal with demand. If that is the case, you could buy a combined web cache, load balancer, and WAF combined and get all of your front-end requirements dealt with by one device.
Having your own WAF means you don’t have to surrender your web address to a third party. If at some point you do need extensive DDoS protection, then your URL will have to go to the DDoS mitigation provider. However, in this case, you won’t need to limit your choice of DDoS protection to that provided by your cloud WAF company. You won’t be committed to directing your URL to provide your WAF.
Choosing a web application firewall
Whether you prefer to have your own WAF on your network, or you think it would be better to go for a cloud-based WAF solution, this review has given you five options to consider. Selecting new equipment, software, and services for your company can be very time-consuming. In this guide, we have taken care of that first phase for you.
Your next task is to narrow down your options. The added extras that each of these WAF providers offer will direct you towards that choice. The capacity of each service is also an important consideration and you should factor in scalability so that your future expansion plans are accounted for.
Make the decision on whether to go for a hardware or cloud-based WAF and then check out each of the five listed in that category. Overlooking the protection that a web application firewall offers your organization would be a mistake. Don’t wait until it is too late and your site has already been attacked. Get a WAF in place now to keep your website online.