WAF

How Web Application Firewalls work

A Web Application Firewall, or WAF, is an additional security solution that protects the traffic between your (usually internal) web application server and the rest of the world. It is important in environments where the applications are reachable from anywhere on the internet, even though the actual application access is allowed only for authorized users.

Firewalls have evolved far from the ancient ones, which blocked traffic between all IP addresses and ports except those whitelisted. But despite many modern functions, even an option for web traffic filtering, they are far from enough. Their placement is good for perimeter protection, but not good enough for WAF functions. A WAF needs to be directly in front of the web server, as close to it as possible, maybe even on it.

A WAF intercepts all connections between a web server and the users who try to connect to it. It analyzes the data in the traffic and can detect advanced attacks designed specifically to break into applications. A WAF can also block attacks, report on them, and store audit trails of application access. Audit trails might be important, especially if you also have a SIEM, because many custom applications don’t create audit trails by themselves, or not in a supported format. It also includes policy configuration for securing the traffic to the web server.

One example of an attack that a WAF can easily detect, but other security solutions cannot, is SQL injection. This attack exploits a vulnerability in applications that do not check user input thoroughly. Because the backend of a business application is often an SQL database, an attacker could hide an SQL query inside a normal input field in a web form. Through such a technique he could manipulate the data, or access parts of it that should not be accessible. Another example of a detectable attack is XSS, or Cross-Site Scripting. And many more, of course.
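To make the intercept, inspect, block and audit cycle concrete, here is an added example (not code from the original post or from any WAF product) of a minimal request inspector: it normalizes each query-string and form-body parameter, matches it against a few constructed SQL injection and XSS signatures, and emits one JSON audit line per request that a SIEM could ingest. The rule set, the sample requests and the 203.0.113.x client addresses are constructed for illustration, and the body is assumed to be x-www-form-urlencoded.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Illustrative signatures, constructed for this example (not a vendor rule set);
# production WAFs use far larger rule sets plus anomaly scoring to limit false positives.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    ("xss-event-handler", re.compile(r"\bon(load|error|click|mouseover)\s*=")),
]

@dataclass
class Verdict:
    allowed: bool
    rule: Optional[str]
    audit: dict  # structured record, ready to forward to a SIEM

def normalize(value: str) -> str:
    """Undo repeated URL-encoding and fold case before matching."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value.lower()

def inspect_request(method: str, path: str, query: str, body: str, client_ip: str) -> Verdict:
    """Inspect every query-string and form-body parameter; block on the first rule hit."""
    params = parse_qs(query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))  # assumes x-www-form-urlencoded
    base = {"client_ip": client_ip, "method": method, "path": path}
    for name, values in params.items():
        for raw in values:
            candidate = normalize(raw)
            for rule_id, pattern in RULES:
                if pattern.search(candidate):
                    return Verdict(False, rule_id, dict(base, action="block", rule=rule_id, param=name))
    return Verdict(True, None, dict(base, action="allow"))

def audit_line(verdict: Verdict) -> str:
    """One JSON line per request: the audit trail the application itself may not produce."""
    return json.dumps(verdict.audit, sort_keys=True)

if __name__ == "__main__":  # constructed sample traffic: normal login, double-encoded tautology, script tag
    for req in [("GET", "/login", "user=alice&pw=s3cret", "", "203.0.113.10"),
                ("GET", "/search", "q=%2527%2520OR%2520%25271%2527%253D%25271", "", "203.0.113.10"),
                ("POST", "/comment", "", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "203.0.113.11")]:
        print(audit_line(inspect_request(*req)))
```

The double-decoding loop in `normalize` is the part worth noting: a signature applied to the raw, still-encoded parameter would miss the second request entirely.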

WAF solutions were often designed by vendors specialized in application vulnerability detection, or evolved from their technologies, which seems only natural. Examples are Qualys and Webscale. Now they are both very much oriented towards complete cloud security with many additional offerings. Another example of evolution is from different (dynamic) types of application source code security testing, such as Micro Focus Fortify; one version of it was tightly integrated with SIEMs to provide deep insight into applications: ArcSight AppView.