Web application firewalls (WAFs) and standard firewalls play a critical role in network security. No matter the size of a network, these measures of security must be in place to ensure the utmost safety of not only the individual user but of sensitive data and entire networks and infrastructures.
What is the difference between a web application firewall and a firewall? A web application firewall (WAF) protects public facing web applications like websites and APIs against vulnerabilities and malicious attacks. While a traditional firewall protects against network attacks.
Web application firewalls and standard firewalls not only differ in the type of protection they offer but also in overall function. The remainder of this article will discuss other key differences between a WAF and a regular firewall.
10 Key Differences Between WAFs and Firewalls
1. While both are firewalls, they function in different ways.
To understand what makes WAF and a Firewall different, it is best to first understand what a WAF and a Firewall is.
A WAF is defined as a web application firewall and is used to sift through data, monitoring, and (sometimes) blocking traffic coming from or going to the application. A firewall, on the other hand, is used to serve as a border of security between a trusted network and an untrusted network.
For the most part, WAF is primarily focused on the security of an application, whereas the traditional firewall is focused on the security of a network.
2. WAFs and firewalls are placed in different locations on the network.
Generally, a standard firewall is placed on the edge of the network, acting as a barrier between known and trusted networks, and any unknown networks.
WAFs are placed before applications and servers, offering protection from any threats generally designed to attack servers. This can be considered the fundamental difference between the two, as this difference dictates the primary roles of each.
Firewalls act much in the same way that a country’s border acts: scanning for things that are not allowed to come in or out. WAF acts in a similar manner but more oriented to the application-side of the network.
3. WAFs and firewalls protect against different threats.
Standard firewalls are designed to permit or deny access to networks, thus preventing attacks from unauthorized permission. Some examples of a firewall doing this include blocking pornographic or questionable content from school computer labs and logging into a LAN of computers in a computer lab.
WAF generally focuses on threats aimed at HTTP/HTTPS applications and servers. These threats include:
- DDOS attacks
- Attacks via SQL injection
- XSS, or cross-site scripting attacks
4. Both WAFs and firewalls focus on different layers of the OSI model.
The OSI model is a graphic representation of the inner-workings and function of a standard network. It could be considered the encyclopedic map of the network.
Firewalls typically focus on layers 3 (Network) and 4 (Transport) of the OSI model. Layer 3 generally concerns the transfer of packets between nodes in the network. Layer 4 of the OSI model concerns the transfer of data to a destination host via a source.
WAF’s focus is primarily on layer 7 (Applications), which is the level closest to the user. Layer 7 is typically the software or interface with which the user is interacting with the network.
5. Each differs in the amount of access control offered.
Because a WAF’s primary function does not include limiting or restricting access or permissions to a network, it does not offer access control. This, however, is one of the standard firewall’s primary functions.
These settings are often customizable to suit the user’s needs. Often, a firewall will be enacted to deny access to folders, websites, and networks—only allowing those with proper credentials permission.
6. WAFs and firewalls run different algorithms.
Since each of these firewalls differs in design and function, a person could expect that the algorithms that each of these firewalls run are also different.
This holds true, as WAFs run Anomaly Detection algorithms, Heuristics algorithms, and Signature-Based algorithms. Standard firewalls, on the other hand, run Proxy algorithms, Packet-Filtering algorithms, and Stateless/Stateful Inspection algorithms.
These algorithms essentially define the key roles that each the WAF and Firewall play in the network.
7. Both WAFs and Firewalls have DDOS protection in different areas.
DDOS, or Denial-of-Service attacks, are the type of attacks that can leave a network crippled and in critical condition. This type of attack is exactly what the name implies: it denies access to a network, usually by flooding access points to the point of overload.
Each of these firewalls offers some protection toward DDOS attacks; however, the location or focus of the protection offered differs between the two. Since WAFs deal primarily with applications, their DDOS protection focuses on the application layer (layer 7 of the OSI model).
Similarly, since the standard firewall’s focus is on the base levels of the network (layers 3 and 4), DDOS protection is at the network layer.
8. WAFs and firewalls have different modes of operation.
WAF is able to operate in two different modes: Passive Mode and Active Inspection.
- Passive Mode essentially means that the WAF operates passively, that is, without action. This effectively renders the application network not secure, and should only be used for testing purposes only.
- Operating in Active Inspection Mode, a WAF will continuously scan and protect against any threats on the application level.
A standard Firewall also has two modes: Routed Mode and Transparent Mode.
- The Routed Mode is the firewall’s main mode, operating on layer 3, executing static and routing protocols, and acting similar to a network router.
- Transparent Mode works on layer 2 only and allows the transparent forwarding of data due to the bridging of interfaces, completely bypassing layer 3.
9. WAFs and firewalls have different levels of application protection.
Because they are different in design, function, and location, WAFs and firewalls also differ in the amount of protection offered at the application level.
As firewalls operate on levels 3 and 4 of the OSI model, the focus of its protection permits minimal attention to the application level. This allows firewalls to focus on the data transfer between networks, validating addresses, and data packets.
A WAF’s primary function is to protect the application layer (level 7) of the network, thus providing security to the entire application layer of the network. The application layer includes applications, servers, software, and interfaces with which the user has direct access to the network.
10. Each has different use cases.
The protection offered by each of these firewalls gives each of them a different use case. WAFs are generally placed in zones that have contact with the internet, protecting HTTP/HTTPS applications and servers. The focus of its protection is the safety of the application or server. WAF is designed to enhance firewalls, rather than acting as a replacement.
Firewalls are generally used to protect the individual user, as well as the network of individuals (such as a LAN, or an IT network). Traditional firewalls are highly effective but offer protection only at the most basic level of the network. For this reason, a WAF is often used in conjunction with a firewall for increased security amongst multiple layers of the network.
With multiple firewalls in place, a network becomes more secure, with strongholds against possible threats to numerous locations within it.
Many of the cloud providers have cloud enabled WAFs to protect web workloads on their cloud services. With customisable rules from OWASP Top 10 vulnerabilities to more detailed rules dealing with a range of threats.
- Amazon Web Services WAF
- Microsoft Azure Web Application Firewall
- Google Cloud Armor
- Cloudflare WAF
Content Distribution Networks also use WAFs to protect their customer’s web traffic with leaders in this field being Cloudflare and Akamai.
Web application firewalls and traditional firewalls, while similar in definition, are fundamentally different and designed with unique roles for a network.
Knowing the key differences between them is important to understand which solution is best for any scenario that may present itself when setting up a network—and be just the line of defense necessary to prevent a crippling cyber attack.