Web applications drive digital transformation, remote work, and employee productivity. The ability to connect to critical web-based applications from anywhere gives workforce members a way to work synchronously and asynchronously. At the same time, threat actors target these applications because they act as access points to a company’s networks and systems. A web application firewall (WAF) protects applications from attacks that exploit the application layer, supporting other security technologies.

What is a web application firewall (WAF)?

A WAF is an application firewall that applies rules to web traffic for HTTP/HTTPS communications to filter, monitor, and block malicious traffic. A WAF is able to provide additional security beyond a traditional firewall because it gives visibility into encrypted and unencrypted traffic traveling between the application and the public internet. The rules, called policies, can detect known types of malicious requests and block outgoing traffic by analyzing user, session, and application activity.

According to the Open Web Application Security Project (OWASP), WAFs can be deployed to protect either a specific application or set of web applications. They also come in different forms, including:

  • Appliance
  • Server plugin
  • Filter
  • Customized to an application

Click to watch our MDR demo

What is the difference between WAF and a firewall?

Although both WAFs and firewalls monitor for malicious traffic, they protect different assets and work differently.


A traditional firewall sits at the edge of the organization’s network to monitor traffic between trusted and untrusted networks. An organization sets a list of approved websites or IP addresses. Then the firewall denies requests and data transfers from anything not on the list.

The rise of cloud led to the Next-Generation Firewalls (NGFWs) that go beyond traditional traffic filtering to examine the traffic for malicious activity.

Generally, they are used to:

  • Limit access to risky websites
  • Segment networks
  • Record events
  • Alert organizations to potential intrusions

Firewalls sit at the network and transport layers, meaning that they only monitor network traffic coming into and out of nodes and destination hosts. These layers are closer to the public internet.


The rise of Software-as-a-Service (SaaS) applications limits traditional firewall capabilities to external-based threats. A WAF sits at the application layer, where the user interacts with the software and network. WAFs traditionally sit between an application or server and the traditional firewall. This means that malicious traffic needs to get through two different firewalls before getting to the application itself. As a WAF usually protects a few web applications, the policies applied can be much more granular and targeted versus FWs.

Which attacks can a web application firewall protect against?

WAFs offer protection beyond just what traffic enters and exits a network. It can be used to protect against the OWASP Top Ten Web Application Security Risks that can lead to attacks. Some specific types of attacks that WAFs protect a company from include:

  • Cross-site scripting (XSS): targeting user browser while they input information then placing malicious code into the page which the user may accidentally download
  • SQL injection: exploiting vulnerabilities in web application login tables as a way to gain access by stealing credentials
  • Malware: using a web application vulnerability or social engineering methodology to inject malware like Trojans, ransomware, and spyware
  • Man-in-the-Middle: using unsecured WiFi connection to sit between the user and application to steal data transferring between the two
  • Denial of Service (DoS): specially crafted requests can trigger a crash by overwhelming a server, usually by triggering a logic flaw via a buffer overflow or flooding the server with incomplete requests.

How does a WAF work?

WAFs usually use algorithms to detect known malicious types of traffic. Organizations need to set policies that tell the WAF what is considered suspicious before it can protect the organization from a security incident.


These are the rules that tell the WAF what type of vulnerabilities or traffic behavior that the organization believes is risky. They also tell the WAF what action to take when one of these types is detected.


The WAF scans all requests sent to the web application. It identifies and filters malicious requests as defined in the policies. The WAF looks at the headers and content of all packets. In some cases, it can require additional challenge requests, like CAPTCHAS, that prove the activity comes from a human and not a bot.


If the WAF detects malicious requests, it blocks the activity. For example, if the requestor fails to appropriately respond to the challenge question, the WAF will block any further requests, mitigating the risk of a DoS attack.

What are the three security models for WAFs?

Organizations using a WAF can choose one of three security models when trying to mitigate web application attack risks.

Positive Security Model

A positive security model is one where the organization’s policies take a “deny all” approach, allowing requests based on specific inputs. While this provides heightened security by rejecting requests not specifically approved, it can also lead to end-user issues by denying legitimate requests not on the list.

Negative Security Model

With a negative security model, the organization allows all activity except for traffic it chooses to specifically deny. While this eliminates the end-user issues, it means that the organization may not detect all risky activity and creates a burden for the IT department that needs to keep updating the deny list.

Hybrid Model

In this model, the organization uses a combination of positive and negative security measures. It might require additional configurations on the front end, but it often reduces the problems associated with using a single security model for the WAF.

Mitigating Security Risks with WAF

Having an easy-to-configure WAF that enables a hybrid security model gives organizations additional defense-in-depth security. With Alert Logic’s WAF as a service, organizations can perform a website or IP address search to manage websites and appliances. Alert Logic’s web security experts will focus on creating and managing the policies and rulesets, allowing organizations to focus on the operational elements of their web applications. Additionally, Alert Logic’s deny log dashboard provides visibility into risky activity, giving organizations a way to set baselines and detect malicious traffic more precisely. Full visibility into malicious using a WAF is increasingly important to reducing the likelihood that a malicious actor will be able to successfully deploy a web application attack.

Click to watch our MDR demo

Rod Mercado
About the Author
Rod Mercado
Rod Mercado is a Senior Product Marketing Manager at Alert Logic where he drives strategy and enables sales and partner teams around Managed Detection and Response (MDR). In his 20-year career in the IT industry, he has held roles at Forcepoint, Dell Technologies, IBM, and Hewlett Packard. Based in Austin, Texas, Rod is passionate about technology and communicating Alert Logic’s value to current and prospective customers.

Related Post

Ready to protect your company with Alert Logic MDR?