In today’s evolving threat landscape, it’s important to understand the way your cybersecurity solutions work—and the way they work with other solutions. This is especially true when it comes to web application firewall (WAF) and network firewall solutions, which stand guard against advanced cybercriminal activity including sophisticated and innovative cyberattacks. Knowing the right way to protect your organization from threats to your web applications and network can be the difference between staying secure and dealing with the aftermath of an attack.
A web application firewall (WAF) is a hardware appliance, virtual appliance or cloud-based service that resides in front of web-facing applications to detect and protect against a variety of malicious attacks. A WAF is focused on Layer 7 web application traffic (HTTP/S) and protects applications in internet-facing zones of the network.
A WAF can use many techniques to understand whether traffic should be allowed to pass through to an application or should be blocked. Some of those techniques are part of a negative security model that is based on block lists of known signatures, and some belong to a positive security model that is based on allow lists driven by machine-learning and behavioral-based algorithms. Most WAFs rely on negative security models only. Some more advanced WAF use a combination of a positive security model with a negative security model.
Lastly, WAFs are transitioning from standalone tools into fully-integrated web application and API protection (WAAP) offerings that include a suite of capabilities, including protecting APIs, bot management and mitigation capabilities, application Layer 7 DDoS protection, client-side protection and more.
Network firewalls protect against unauthorized access to a computer network. Network firewalls prevent unauthorized access by creating and separating a secure zone from a less secure zone. They use configuration and access control policies to control communications between the two zones. Network firewalls usually operate at OSI Layer 3 and 4 and focus on network protocols such Domain Name System (DNS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Secure Shell (SSH) and Telnet.
A network firewall and a web application firewall (WAF) are both security solutions that help protect against cyberattacks, although they differ in the way they work, the internet layer and protocols they monitor and the types of attacks they are designed to protect against. WAFs secure web traffic by filtering and monitoring HTTP traffic (OSI layer 7) between web applications and end-users. They employ a different set of security policies to detect and prevent attacks such as injection, cross-site scripting, server-side request forgeries, and other web application attacks. In contrast, network firewalls monitor and control Network and Transport layers traffic (OSI Layers 3 and 4) based on pre-defined security policies to ensure unauthorized traffic is denied entry.
While both solutions play crucial roles in cybersecurity, their main differences lie in their features and functionalities. A WAF plays a vital role in securing web applications and can defend against web-related attacks. Typically, a WAF is deployed in front of web servers to protect against complex HTTP- and HTTPS-based attacks that may target application vulnerabilities. On the other hand, a network firewall predominantly complements network security by preventing unauthorized access to networks through its intrusion-prevention features.
Not properly securing web applications can have severe implications for organizations. When a web application is compromised, hackers can gain access to sensitive information, modify application functionalities or shut down systems, compromising critical business data. Therefore, deploying both a WAF and a network firewall is essential for the complete protection of web applications. WAFs protect against web app-specific threats by filtering malicious HTTP and HTTPS traffic, while network firewalls secure web applications' back-end infrastructure.
Network Traffic vs. Application Traffic
Network traffic and application traffic are two concepts in cybersecurity that are critical to understand. Network traffic refers to the flow of data packets between devices in a network, while application traffic refers to the flow of data between applications on the same or different hosts. Unauthorized access to this traffic represents a significant threat to organizations. It occurs when a cybercriminal gains access to an application or network without authorization. For application traffic, such access can occur if a person exploits vulnerabilities in an application. In contrast, network attacks target unauthorized access and aim to access network resources, compromising the system and causing damage or disruption.
Mitigating these threats is obviously important. Intrusion prevention systems and firewalls are deployed to prevent network attacks. Meanwhile, web application firewalls (WAFs) inspect and filter HTTP traffic to an application, blocking malicious traffic that could cause harm. It's important to note that both network and application traffic are potential targets in a cyberattack, emphasizing the significance of robust cybersecurity measures. Having suitable tools in place, such as WAFs, firewalls and IDPSs, is essential to protect against unauthorized access and mitigate vulnerabilities, ensuring crucial data stays safe from cyberattacks.
Layer 7 vs Layer 4 & 3 Protection
Layer 7 protection and Layer 3 and 4 protections are both critical components of network security protection mechanisms. Layer 7 protection refers to an application-level protection mechanism that focuses on observing the application's traffic, recognizing patterns, and rejecting malicious traffic that doesn't conform to the traffic's typical application. In contrast, Layer 3 and 4 protections refer to network-level protection that is based on standard TCP/IP and UDP protocol suites, focusing on controlling the flow of traffic based on the source and destination IP addresses and ports. The key difference between the two methods is that Layer 7 protection focuses on rejecting anything that is not explicitly allowed by application protocols. Layers 3 and 4, on the other hand, focus on restricting traffic that does not match pre-defined rules based on IP addresses, ports or protocols.
Unauthorized Access Vs. Web Attacks
Unauthorized access and web attacks are two distinct cybersecurity concepts. Unauthorized access refers to unauthorized entry into a system or network without permission, often with the intention to steal, modify or destroy information. Examples of unauthorized access include:
- Password cracking
- Use of stolen credential
- Physical theft of devices or hard drives
On the other hand, web attacks focus on exploiting vulnerabilities in web applications, aiming to access web applications' sensitive data or services via security loopholes. Examples of web attacks include:
- SQL injection
- Cross-site scripting (XSS)
- Server-side request forgery (SSRF)
The key difference between the two is the target and type of attacks. While unauthorized access focuses on gaining access to a system or network infrastructure, web attacks concentrate on the application layer. In both cases the aim of the attackers is to steal data or impact the performance of the application and the organization network. But the methods and type of attacks are different – while attacks on the network layer we will see malicious actors trying to infect the organization network with viruses, worms, malware to take control over different functionalities and endpoint devices and servers, or turn “recruit” them to a botnet, in attacks on the web application layer, we will see the use of injections and all sorts of http manipulations to try to get to the application database, take over end-user accounts, or manipulate the web application performance and functionality. Understanding the difference between unauthorized access and web attacks is crucial to implementing effective cybersecurity measures to prevent their occurrence.
ネットワークファイアウォールとWAFは、さまざまな脅威を防御し、互いに補完し合います。WAFはネットワークファイアウォールに依存し、ネットワークレイヤ3および4で攻撃に対する防御を行います。
Next-generation firewalls (NGFW) add additional capabilities, including antivirus, anti-malware, intrusion prevention, URL filtering, and certain application security capabilities to their network firewall functionality.
しかし、NGFWのユーザーはWAF/WAAPに対し、公開済および未公開のAPIの防御とボット管理/防御機能のほかにも、より包括的なアプリケーションの防御の提供を求めています。
比較表:WAFとネットワークファイアウォール
|
WAF |
IPS |
対象 |
Web applications – OSI layer 7 (HTTP/S) |
Network protocols at layer 3 and 4 of OSI model (Network and Transport layers) |
役割 |
インターネット接続ゾーンのWeb対応アプリケーションの防御 |
内部ネットワークの防御。ネットワークを安全なゾーンと安全性の低いゾーンに分け、安全なゾーンへの不正アクセスを防止。 |
機能 |
XSSとCSRFに対するWebアプリケーション防御、APIセキュリティ、ボット防御、API検出 |
DNS、FTP、SMTP、SSH、Telnetの防御。NGFWはアンチウイルス、アンチマルウェア、IPS機能、一部のアプリケーションセキュリティ機能を追加。 |