A web application firewall (WAF) protects applications and APIs. WAFs are usually placed in front of web-facing applications to detect and protect against a variety of malicious attacks. A WAF is focused on web application traffic (HTTP/S) and protects applications in internet-facing zones of the network.
WAFs are available as a service in the cloud or may be deployed as a hardware or virtual appliance in a hybrid topology. The hybrid deployment may span physical and software-defined data centers and private or public cloud-based environments.
A WAF can use many techniques to understand whether traffic should be allowed to pass through to an application or should be blocked, including behavioral algorithms (machine learning and a positive security model) and/or a negative security model.
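WAFs are moving from standalone tools to fully integrated Web Application and API Protection (WAAP) services. These include services such as API protection, bot management and mitigation capabilities, application Layer 7 DDoS protection, and web application security.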
Learn more in our detailed guide to WAF security.
Next-Generation Firewalls (NGFWs) protect against unauthorized access to a computer network. NGFWs add capabilities to a traditional network firewall, including antivirus, anti-malware, intrusion prevention, URL filtering, and certain application security capabilities.
NGFWs protect against unauthorized access by creating a secure zone and separating it from a less secure zone. They use configuration and access control policies to control communications between the two zones.
NGFWs and WAFs protect against different types of threats and complement each other.
In the same way that a WAF relies on an NGFW or a network firewall to protect against attacks at network Layers 3 and 4, an NGFW requires a WAF/WAAP to provide more comprehensive protection of applications, in addition to protecting published and unlisted APIs and offering bot management capabilities.
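| | WAF | NGFW |
|---|---|---|
| Target | Web applications - OSI layer | Network protocols at Layer 3 and 4 of OSI model; some NGFWs add basic application protection capabilities |
| Role | Protects web-facing applications in internet-facing zones | Protects the internal network. Divides the network into a secure zone and a less secure zone and prevents unauthorized access to the secure zone. |
| Capabilities | Web application protection against XSS and CSRF, API security, bot protection, API discovery | Protection for DNS, FTP, SMTP, SSH, and Telnet. NGFWs add antivirus, anti-malware, IPS capabilities, and some application security capabilities. |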
Related content: Read our guide to WAF vs IPS.