A web application firewall (WAF) is a traffic filtering tool that operates at the application layer and is used to protect web applications.
A WAF protects web applications by filtering and monitoring the HTTP(S) traffic between the application and the Internet. It works at layer 7 (the application layer) of the OSI model, which means it is not intended to protect against every type of attack. It is usually one component of a set of tools that together form a layered defense.
A WAF is usually deployed in front of the web application, acting as a shield between the application and the Internet. Where a forward proxy sits in front of clients and protects their side of the connection, a WAF is a reverse proxy: it sits in front of the server, and every client request passes through it before it is allowed to reach the resource.
A WAF operates on a set of rules (often called a policy) aimed at protecting against known vulnerability classes in the application by filtering malicious requests. It is valued in particular for the speed and simplicity with which these rules can be changed, allowing a faster response to changing attack vectors, for example blocking requests that target a newly disclosed vulnerability before the application itself can be patched.
As noted above, a WAF works at the application layer, which means it inspects the application data (HTTP requests and responses) after the host has reassembled the network stream, rather than individual packets. It is therefore normally placed after TLS decryption so that it has full access to the content of the request and the response. Compared with an IDS/IPS, a WAF focuses more on signatures that are specific to web applications, and it is more likely to validate the structure of the data itself, for example checking that a JSON or XML body is well formed and has the expected fields. A WAF can also apply a positive model: instead of only looking for patterns known to be malicious, it rejects anything that deviates from what the application is expected to receive.
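To make the two inspection styles concrete, here is an added example written for this page (illustrative code, not taken from any WAF product): a small Python request filter that applies signature rules to query parameters and JSON fields (the negative model) and checks each request against a per-endpoint policy describing what the application expects (the positive model). The requests are plaintext because a WAF sees them after TLS termination. The endpoint `/api/users`, its policy, the signature patterns and the sample requests are all assumptions constructed for the illustration.

```python
"""WAF-style request filter: an added illustration, not code from any real WAF.

Negative model: regex signatures for known-bad input in any parameter.
Positive model: a per-endpoint policy (allowed methods, query parameters,
JSON fields and their types); anything outside it is rejected even when no
signature fires.  Signatures and policy are assumed, illustrative values.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus

# Negative model: illustrative signatures (assumed, deliberately incomplete).
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
}


@dataclass
class EndpointPolicy:
    methods: set
    query_params: Dict[str, "re.Pattern"]           # value must fully match
    json_fields: Optional[Dict[str, type]] = None    # field -> expected type


# Positive model: assumed policy for one hypothetical endpoint.
POLICIES = {
    "/api/users": EndpointPolicy(
        methods={"GET", "POST"},
        query_params={"id": re.compile(r"\d{1,10}")},
        json_fields={"name": str, "age": int},
    ),
}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _match_signature(value: str) -> Optional[str]:
    """Name of the first signature matching the value, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(value):
            return name
    return None


def inspect(req: Request) -> Tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for one request."""
    policy = POLICIES.get(req.path)
    if policy is None:
        return "block", "unknown endpoint %s" % req.path
    if req.method not in policy.methods:
        return "block", "method %s not allowed on %s" % (req.method, req.path)

    # parse_qs percent-decodes once; decode again so a double-encoded payload
    # (%252e -> %2e -> .) is inspected in the form the application would see.
    for name, values in parse_qs(req.query, keep_blank_values=True).items():
        for value in (unquote_plus(v) for v in values):
            sig = _match_signature(value)
            if sig:
                return "block", "%s signature in query parameter %s" % (sig, name)
            allowed = policy.query_params.get(name)
            if allowed is None:
                return "block", "unexpected query parameter %s" % name
            if not allowed.fullmatch(value):
                return "block", "query parameter %s has unexpected format" % name

    if req.body:
        ctype = req.headers.get("Content-Type", "")
        if policy.json_fields is None or not ctype.startswith("application/json"):
            return "block", "body not allowed or unsupported content type"
        try:
            data = json.loads(req.body)
        except ValueError:
            return "block", "malformed JSON body"
        if not isinstance(data, dict):
            return "block", "JSON body must be an object"
        for name, value in data.items():
            expected = policy.json_fields.get(name)
            if expected is None:
                return "block", "unexpected JSON field %s" % name
            # bool is a subclass of int in Python; do not let true/false pass as an int
            if isinstance(value, bool) or not isinstance(value, expected):
                return "block", "JSON field %s has wrong type" % name
            if isinstance(value, str):
                sig = _match_signature(value)
                if sig:
                    return "block", "%s signature in JSON field %s" % (sig, name)
    return "allow", ""


# Constructed sample requests (not captured traffic).
JSON_HDR = {"Content-Type": "application/json"}
SAMPLES = {
    "clean query": Request("GET", "/api/users", "id=42"),
    "sqli in id": Request("GET", "/api/users", "id=1%27%20or%20%271%27%3D%271"),
    "double-encoded traversal": Request("GET", "/api/users", "id=42&file=%252e%252e%252fetc%252fpasswd"),
    "unknown parameter": Request("GET", "/api/users", "id=42&debug=1"),
    "id wrong format": Request("GET", "/api/users", "id=42abc"),
    "clean json": Request("POST", "/api/users", headers=JSON_HDR, body=b'{"name": "Alice", "age": 30}'),
    "xss in json": Request("POST", "/api/users", headers=JSON_HDR, body=b'{"name": "<script>alert(1)</script>", "age": 30}'),
    "json wrong type": Request("POST", "/api/users", headers=JSON_HDR, body=b'{"name": "Alice", "age": "30"}'),
    "malformed json": Request("POST", "/api/users", headers=JSON_HDR, body=b'{"name": '),
    "unknown endpoint": Request("GET", "/admin"),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Run every sample through the filter and return its verdict and reason."""
    return {label: inspect(req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in run_samples().items():
        print("%-25s %-5s %s" % (label, verdict, reason))
```

Note the order of checks: signatures run before the positive policy so that a blocked request is reported with the most specific reason, but the policy alone would still have rejected the double-encoded traversal attempt (the `file` parameter is not declared) and the wrongly typed `age` field, which is the point of the positive model: it does not need to know the attack in advance.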
Unlike a WAF, an IDS/IPS (intrusion detection/prevention system) works at the network layer. Decryption is possible in some configurations, but it is not expected in the same way as with a WAF, and without it an IDS/IPS can simply miss an attack on a web application carried inside TLS. On the other hand, an IDS/IPS can analyze all network layers, which lets it look for things like IP fragmentation attacks that a WAF cannot see. Because it monitors all traffic, it is not limited to web application protocols and has a wider range of signatures; for the same reason it usually does not have the same detailed set of web application signatures as a WAF.
The two technologies overlap: some attacks will be caught by both the IDS/IPS and the WAF, some only by one of them, and some will pass both undetected.
As should be clear by now, a WAF is a very useful tool that protects against many types of attacks, among them:
Of course, this list is incomplete; a WAF can protect you from a much broader range of attack types.