Web Application Firewall (WAF)

A Web Application Firewall (WAF) is used to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others. This method of defense isn’t designed to stop every form of attack. As with most defenses, it takes more than one defensive layer to build strong protection against a range of attack vectors.

When you have a web application firewall in place, it is deployed in front of the web application, where it creates a shield between the web application and the Internet. The purpose of a WAF is to filter out the malicious traffic and let the safe traffic through.

Source: Cloudflare
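As an added illustration of the filtering step described above (example code written for this page, not Cloudflare's or any WAF vendor's), here is a minimal rule-based request filter in Python. It models what a WAF does with each decrypted HTTP request: inspect the path, query and body against a rule set and return ALLOW or BLOCK. The request shape, rule ids, patterns and sample traffic are all constructed for the example; the last sample, a clean-looking request that abuses application logic, shows why the text says a WAF is not designed to stop every form of attack.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    """One decrypted HTTP request as the WAF sees it (constructed shape)."""
    method: str
    path: str
    query: dict          # parameter name -> raw value
    body: str = ""


@dataclass
class Rule:
    rule_id: str         # hypothetical ids, not from any real rule set
    description: str
    pattern: re.Pattern
    targets: tuple       # which request parts this rule inspects


# Deliberately small rule set. Production rule sets such as the OWASP Core Rule
# Set contain hundreds of rules and usually score anomalies instead of blocking
# on a single match.
RULES = [
    Rule("SQLI-001", "SQL tautology, comment or UNION injection",
         re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|'\s*--|/\*|\bunion\b\s+select\b)"),
         ("query", "body")),
    Rule("XSS-001", "script tag, javascript: URL or inline event handler",
         re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
         ("query", "body")),
    Rule("LFI-001", "directory traversal or file-inclusion wrapper",
         re.compile(r"(?i)(\.\./|\.\.\\|/etc/passwd|php://)"),
         ("path", "query", "body")),
]


def normalize(value: str) -> str:
    """Decode URL encoding twice so the rules see roughly what the application
    would see after its own decoding. Double decoding is a common WAF choice;
    it also means a legitimate literal '%25' gets decoded further, one of the
    trade-offs that makes WAF tuning non-trivial."""
    return unquote_plus(unquote_plus(value))


def inspect(req: Request):
    """Return ("ALLOW", None) or ("BLOCK", rule_id). First matching rule wins."""
    parts = {
        "path": [req.path],
        "query": [f"{name}={value}" for name, value in req.query.items()],
        "body": [req.body],
    }
    for rule in RULES:
        for target in rule.targets:
            for raw in parts[target]:
                if rule.pattern.search(normalize(raw)):
                    return "BLOCK", rule.rule_id
    return "ALLOW", None


# Constructed sample traffic: what a WAF in front of a small shop site might see.
SAMPLES = {
    "benign_search": Request("GET", "/products", {"category": "shoes"}),
    "sqli_tautology": Request("GET", "/products", {"id": "1 OR 1=1"}),
    "sqli_login_body": Request("POST", "/login", {}, "user=admin'--&pass=x"),
    "xss_plain": Request("GET", "/search", {"q": "<script>alert(1)</script>"}),
    "xss_url_encoded": Request("GET", "/search",
                               {"q": "%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}),
    "traversal": Request("GET", "/download", {"file": "../../etc/passwd"}),
    # A broken-access-control request: syntactically clean, so a signature-based
    # WAF lets it through. This is the "not every form of attack" limit in the text.
    "idor_lookalike": Request("GET", "/account", {"id": "1002"}),
}


def run_samples():
    """Run every sample through the filter; returns {name: (decision, rule_id)}."""
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, rule_id) in run_samples().items():
        print(f"{name:18} {decision:5} {rule_id or ''}")
```

Running the script prints one decision per sample. The point to take from it is that the filter only ever judges the shape of a request; the final sample is indistinguishable from a legitimate account lookup, which is why the page stresses that a WAF is one layer among several rather than a replacement for fixing the application itself.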

Additional Reading: Web Application Security Without Organizational Resistance

Related Terms: Application Proxy, Firewall, Reverse Proxy

Should an SMB Have a WAF?

If you can afford one, then yes, you should implement a Web Application Firewall. Keep in mind that WAFs need to see unencrypted traffic, so you will need another device to decrypt the SSL traffic and then pass the plain HTTP traffic through your WAF before it is forwarded to your web server. WAFs do add a lot of complexity to websites and are not for the faint of heart.

However, employing a Web Application Firewall is best practice for protecting your website and your web application from a variety of hacker attacks, according to some security experts. A WAF acts as a proxy and monitors the traffic coming in and out of your website to ensure that hackers cannot access protected content on your website or, worse, break into your website through specially crafted attack packets. In addition, a WAF shields vulnerabilities in your website that your developers may not have noticed.
 
Hackers are targeting SMBs more and more because they realize that many SMBs lack basic cybersecurity measures. In response, SMB owners need to take control of their websites and increase their overall security. 
 
A side note to SMBs: if you process credit cards in your web application directly, without passing them to a third-party provider for processing, then you are obligated to deploy a WAF solution for PCI DSS compliance.
