Website Protection: What a WAF Can and Can’t Do
Website protection is a top priority, particularly for organizations that rely on web assets directly for revenue. For most of those organizations, a WAF is the tool of choice to protect web assets. However, there are several common misconceptions about what a WAF can and can’t do. And, given the potential consequences of a successful cyberattack, the price of overconfidence can be high.
This article will explain what a WAF is, how it protects web applications and websites, and which threats it can and can’t protect against.
What is a WAF?
A Web Application Firewall (WAF) sits between a website or web application and the Internet and protects it by monitoring and filtering traffic. This happens in one of three ways:
- Blacklist WAFs use a list of markers associated with past attacks to identify and block threats.
- Whitelist WAFs take the opposite approach — they block everything unless it meets specific criteria.
- Hybrid WAFs both blacklists and whitelists to distinguish between legitimate and malicious traffic.
When working correctly, WAFs monitor all incoming traffic and filter anything that could be a threat.
Three types of WAF
- Host-based WAFs are software-based solutions installed locally on the same web server as the assets they protect. While host-based WAFs are low cost and flexible, they require dedicated expertise to install and maintain.
- Network WAFs are hardware devices that plug directly into a web server. These devices are expensive and require complex ongoing management but offer very low latency.
- Cloud WAFs are essentially WAF-as-a-service delivered by a security vendor. They require no customer setup or maintenance, are low cost, and offer greater protection than other WAFs due to filtering traffic before it reaches protected websites and web applications.
How WAFs Boost Website Protection
An estimated 30,000 web applications and websites are hacked every day, primarily to steal sensitive information. Given that data breaches cost European organizations between $3.9 - $4.5 million on average, it’s no surprise attacks against web assets are considered a top threat faced by today’s organizations.
Protection at Layer 7
WAFs boost web application and website protection by blocking attacks that target the application layer — that’s OSI layer 7. Common attacks include SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Since cloud WAFs filter traffic before it reaches the server, they can also mitigate DDoS attacks that target the application layer.
If you’re thinking, “shouldn’t websites be resistant to these attacks already if they’re coded securely?” — you’re partly right. Secure coding practices, code reviews, and penetration testing are all essential security precautions that help prevent cyber incidents and data breaches. However, it’s not reasonable to expect a web asset to be completely secure against all threats.
There will always be new vulnerabilities and threats that can’t be anticipated. Even the best engineering workflows can’t find every bug, especially in the modern world of rapid DevOps pipelines. For these reasons, a WAF is a critical component of any cybersecurity program.
What a WAF Can’t Do
While WAFs add a lot of value to a security program, they are often misunderstood. Some organizations purchase a WAF expecting it to protect their web assets against all attacks… and that simply isn’t realistic.
WAFs protect against application-layer attacks. However, there are numerous ways to attack a web asset that take a more indirect approach. The most obvious example is Distributed Denial of Service (DDoS) attacks, which disrupt web assets by overwhelming their underlying infrastructure. WAFs are ineffective against DDoS attacks, so it’s essential to have DDoS protection in place as well.
Most WAFs also can’t protect against malicious bots. While some bots use direct attacks (the type WAFs are designed to identify and block), many instead abuse legitimate business logic. WAFs simply aren’t designed to identify this type of malicious behavior — which is why bot management software is also critical for web application and website protection.
To find out more about how Link11’s Zero Touch WAF can protect your web assets, visit our website.
- 2020 Data Breach Investigations Report, Verizon, May 2020
- Website Hacking Statistics in 2020, WebARX, September 2020
- The OSI model explained and how to easily remember its 7 layers, Networkworld.com, October 2020
- OWASP Community Pages, OWASP.org
Stay updated on current DDoS reports, warnings, and news about IT security, cybercrime and DDoS protection.
Follow Link11 on Twitter
https://t.co/a0lf7SPB37 Want to see more interesting facts, data and insights from the Cyber- & DDoS Attack threats…
7 Retweets 7Read More
❗ ️Warning: New wave of ransom DDoS attacks by Fancy Lazarus! Are you also affected? Don't worry, there are things…
3 Retweets 3Read More
Electronic Arts has suffered a big data breach resulting in hackers getting away with important source code for gam…
1 Retweets 1Read More
https://t.co/HqsAkp4Wk2 Are you passionate/curious about cybersecurity? Subscribe to our monthly Newsletter and sta…
7 Retweets 4Read More
Proven and robust cyber security can have a positive impact on a company's credit rating - or damage it if the impl…
2 Retweets 2Read More
DDoS attacks are no longer just more persistent and larger, but also significantly more complex. Without proven IT…
10 Retweets 4Read More
Mexico closes lottery websites to people from abroad due to ransomware DDoS threats: Even…
8 Retweets 3Read More
National security expert warns of cyberattacks on Australia's critical infrastructure and expects threat to be "imm…
3 Retweets 0Read More
According to current figures, around 500,000 employees are being sought in the field of cyber security in the US:…
3 Retweets 2Read More