Network firewall vs. web application firewall (WAF)
When the world closed its doors and started spending more time online, hackers saw a clear opportunity. The costs of data breaches continue to rise and attacks are increasingly difficult to detect. Attackers are getting more sophisticated and creative. According to a 2020 report by IBM, it took an average of 228 days to identify a breach. Companies are taking a closer look at the capabilities of their firewalls and are considering combining technologies to fill new security gaps.
If you are wondering what the differences are between your traditional network firewall (the most common firewall) and the newer web application firewall (WAF), this article is for you.
A network firewall acts as a border providing protection between internal and external network traffic.
It has predefined rules that define the allowed traffic on the network. It then examines the source and destination IP addresses and ports to determine whether incoming and outgoing data packets are allowed or not.
A web application firewall (WAF) specializes in protecting web applications and APIs. A WAF protects HTTP(S) traffic and applications in the Internet-facing areas of the network.
WAF and Network Firewall serve different purposes and protect different network layers.
The WAF and the network firewall are located in different places on the network. The network firewall is located at the edge of the network while the WAF is located directly between the user and the web server.
How it works
A WAF protects websites and APIs. It is configured as a reverse proxy and examines all HTTP(S) requests before they reach the web server. It blocks irregular traffic, or challenges it with CAPTCHA tests, to ensure that the traffic is coming from a human and not from a bot.
The network firewall protects the network perimeter and filters traffic using protocol information. You can set rules to allow traffic based on things like IP ranges, ports, Internet Control Message Protocol (ICMP) types, and more. It monitors activity from the opening of a connection to its closing.
| | WAF | Network firewall |
|---|---|---|
| Strengths | Customizable rules, conditional filtering, limited download sizes, can decrypt and inspect SSL traffic, IDS and IPS can be integrated, visibility into packet data | Blocks unauthorized protocols, ports and IP addresses, provides VPN support |
| Weaknesses | False positives and false negatives, not very effective at stopping zero-day exploits, not enough protection for publicly accessible websites; shared servers can cause re-infections | Has only accept/reject rules, cannot decrypt traffic, slows down during SSL inspection, IDS and IPS are deployed separately, not very effective at stopping "client side" attacks, only has visibility into packet headers, which leaves SQL injection attacks undetected |
Their functional differences are also illustrated in the OSI model, a universal set of 7 abstract layers that describe how network systems communicate and operate. WAF and network firewall address different network layers.
The WAF focuses on layer 7 (application).
The network firewall focuses on layers 3 and 4 (network and transport).
| Layer | Name | Function |
|---|---|---|
| Layer 7 | Application | Human-machine interaction layer, where applications access network services |
| Layer 6 | Presentation | Where data formatting and encryption happen |
| Layer 5 | Session | Checks ports and sessions and maintains connections |
| Layer 4 | Transport | Transmits data using TCP, UDP and other protocols |
| Layer 3 | Network | Determines the path taken by the data |
| Layer 2 | Data link | Defines how data is formatted on the network |
| Layer 1 | Physical | Transmission of raw bit streams over a physical medium |
They repel different attacks
WAFs and network firewalls deal with different threats.
Network firewalls defend against:
- Unauthorized network access
- Man-in-the-Middle Attacks
- Escalations of privileges
- Network-level DDoS attacks
WAFs defend against:
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Website-level DDoS attacks
- Directory traversal
They run different algorithms
Network firewalls run stateless/stateful inspection algorithms, packet-filtering algorithms, and proxy algorithms.
WAFs run signature-based algorithms, heuristic algorithms, and anomaly-detection algorithms.
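To make the layer difference in "How it works" and the algorithm difference above concrete, here is an added example (not code from the original article or from any vendor). It contrasts a packet filter that only sees layer 3/4 header fields with a WAF-style signature check on the HTTP request text; the rules, signatures and sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed view of one request: header fields plus the HTTP text."""
    src_ip: str
    dst_port: int
    proto: str
    payload: str  # HTTP request line; a network firewall does not parse this


# Layer 3/4 rules: header fields only, accept/reject (network firewall style).
NET_RULES = [
    {"proto": "tcp", "dst_port": 443, "action": "allow"},
    {"proto": "tcp", "dst_port": 80, "action": "allow"},
    {"proto": "any", "dst_port": None, "action": "deny"},  # default deny
]

# Layer 7 signatures: inspect the request content (WAF style, constructed).
WAF_SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)<script\b"),
    "traversal": re.compile(r"\.\./"),
}


def network_firewall(pkt):
    """First matching rule wins; only proto and port are consulted."""
    for rule in NET_RULES:
        if rule["proto"] not in ("any", pkt.proto):
            continue
        if rule["dst_port"] not in (None, pkt.dst_port):
            continue
        return rule["action"]
    return "deny"


def waf(pkt):
    """Return (action, matched_signature) after scanning the HTTP payload."""
    for name, pattern in WAF_SIGNATURES.items():
        if pattern.search(pkt.payload):
            return ("block", name)
    return ("allow", None)


if __name__ == "__main__":
    benign = Packet("203.0.113.5", 443, "tcp", "GET /products?id=42 HTTP/1.1")
    sqli = Packet("203.0.113.5", 443, "tcp", "GET /products?id=42' OR '1'='1 HTTP/1.1")
    telnet = Packet("203.0.113.5", 23, "tcp", "")
    for p in (benign, sqli, telnet):
        print(p.dst_port, network_firewall(p), waf(p))
```

Both requests on port 443 pass the packet filter; only the WAF, which reads the request text, distinguishes the injection attempt from the benign one.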
WAF and firewall are defined with rules that block or allow traffic accordingly. Depending on the type of deployment you have, it can be preloaded with these rules, or you can create the rules yourself.
A hardware deployment is installed locally on the local area network (LAN). This allows optimal latency and the creation of custom protocols and rules. It is the most expensive due to hardware installation, physical storage requirements, and maintenance.
A software-based deployment is very similar to a network-based deployment, but the firewall is built directly into the application code. These deployments allow for customizable security rules but require several hours of implementation.
There is no latency because the firewall is installed directly in the application. However, it uses significant local server resources, which can slow down the web application if there is not enough capacity or space.
A cloud-based deployment is fully installed in the cloud and is typically managed by a third party as a SaaS product. This option is the most affordable of the 3 types. The setup is simple and only requires a DNS change.
Ask your vendor
Be sure to ask the vendor questions before accepting your firewall or WAF. There may even be a full package that includes the functionality of both. You will want to know:
- What does it protect from?
- What features are included?
- If this is a network firewall, look for:
  - VPN (encrypts all traffic) or proxy server (changes the IP address to hide the origin of the traffic)
  - Stateful inspection or deep packet inspection (DPI), which can examine a packet's contents as well as its headers
- If this is a WAF, look for:
  - Content Delivery Network (CDN), which caches the website and increases speed
  - API endpoint security
  - PCI DSS, HIPAA or ISO 27001 compliance out of the box
  - An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) included
The Sucuri firewall is a cloud-based WAF that ticks all the boxes. It integrates an intrusion prevention system (IPS), protects against DDoS attacks and functions as a reverse proxy. The Sucuri WAF uses virtual patching and hardening to deal with evolving security threats and is built on a CDN that improves website speed by 70% on average. Tell us about your needs to find out whether the Sucuri WAF meets them. Learn more.
Mixing and matching hardware and software firewalls is a good idea, but firewalls can't protect you against everything, especially the human factor. Identity theft and phishing rely on human trust as a way to gain legitimate entry or trick you into clicking a malicious link. Dot your I's and cross your T's to stay ahead of malicious intent. Try our 30-day free trial and see how a firewall can improve the security of your website.
The only way to stay fully protected from opportunistic attackers is to make sure that you and your employees have basic cybersecurity training. The National Institute of Standards and Technology (NIST) has compiled a list of free training courses, and Sucuri offers a free e-mail course to increase your cyber IQ.