Some of the most serious security threats come from attacks that target vulnerabilities in enterprise applications. Security regulations, including PCI DSS, require organisations to use application firewalls to protect against these attacks. Automated scanners and bot programs also scrape site data for replication, diluting brand equity. Yet conventional firewalls and intrusion-detection/prevention systems don’t detect all of these threats, which are often difficult and costly to mitigate.
A web application firewall, or WAF, protects web applications in much the same way a traditional firewall protects a network: it controls the input and output, as well as the access to and from, the asset it is protecting. However, traditional network firewalls, and even Intrusion Prevention Systems (IPS), evaluate IP packets or protocols without any awareness of the application payload, so they cannot protect the application layer. Without visibility into the HTML data payload, these layer 3 devices cannot recognise, let alone stop, the kinds of application-layer threats that make web applications vulnerable to attack.
Unlike traditional firewalls that usually block access to certain ports or filter by IP address, web application firewalls look at every request and response within the different web service layers such as HTTP, HTTPS, SOAP, and XML-RPC. The meticulous inspection of web traffic that web application firewalls perform has also earned them the nickname “Deep Packet Inspection Firewalls”.
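To make the difference between these two kinds of inspection concrete, here is an added example (not code from the original page or from any WAF product) contrasting a layer-3/4 decision, which sees only source IP and destination port, with an application-layer inspection that parses the HTTP request, decodes its query string and form body, and matches the decoded values against a small set of detection rules. The `Packet` class, the rule set, the `LEAK_PATTERNS` list and the sample requests are all constructed for this illustration; a real WAF carries far larger rule sets and normalisation logic.

```python
"""Contrast a port/IP packet filter with application-layer (WAF) inspection."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_plus


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes  # raw HTTP request bytes as they arrive on the wire


def layer3_allow(pkt, blocked_ips=frozenset(), open_ports=frozenset({80, 443})):
    """Traditional firewall decision: IP and port only, payload never examined."""
    return pkt.src_ip not in blocked_ips and pkt.dst_port in open_ports


def parse_http(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, decoded query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": parse_qs(query),
            "headers": headers, "body": body.decode("latin-1")}


# Constructed detection rules, applied to *decoded* values so URL-encoding
# does not hide the payload from the inspector.
RULES = [
    ("sqli_tautology", re.compile(r"(?i)(\bor\b|\band\b)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("sqli_comment", re.compile(r"(--|#|/\*)\s*$")),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("script_tag", re.compile(r"(?i)<\s*script\b")),
]


def waf_inspect(pkt):
    """Application-layer decision: returns (allowed, list of rule names that fired)."""
    req = parse_http(pkt.payload)
    fields = [unquote_plus(req["path"])]
    for values in req["query"].values():
        fields.extend(values)
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for values in parse_qs(req["body"]).values():
            fields.extend(values)
    else:
        fields.append(req["body"])
    findings = sorted({name for name, rx in RULES for f in fields if rx.search(f)})
    return (not findings), findings


# A WAF inspects responses too: verbose errors that leak internals are replaced.
LEAK_PATTERNS = [
    ("stack_trace", re.compile(r"Traceback \(most recent call last\)")),
    ("sql_error", re.compile(r"(?i)(sql syntax|ORA-\d{5}|syntax error at or near)")),
]


def inspect_response(status: int, body: str):
    """Returns (status, body, hits); a leaking body is replaced by a generic error."""
    hits = [name for name, rx in LEAK_PATTERNS if rx.search(body)]
    if hits:
        return 500, "Internal error", hits
    return status, body, hits


# Constructed sample traffic: same client, same port, different payloads.
BENIGN = Packet("198.51.100.7", 443,
                b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
INJECTED = Packet("198.51.100.7", 443,
                  b"GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n")
TRAVERSAL = Packet("198.51.100.7", 443,
                   b"POST /download HTTP/1.1\r\nHost: files.example\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\n"
                   b"file=..%2F..%2Fconfig.ini")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("injected", INJECTED), ("traversal", TRAVERSAL)):
        print(label, "layer3:", layer3_allow(pkt), "waf:", waf_inspect(pkt))
    print(inspect_response(500, "You have an error in your SQL syntax; check the manual"))
```

The point the run makes is that all three packets are indistinguishable to `layer3_allow`, because the decision never touches the payload, while `waf_inspect` separates the benign request from the two hostile ones only after decoding the query string and form body. Rules matched against raw, still-encoded bytes would miss the `%27` and `%2F` forms, which is why normalisation before matching is the core of any application-layer inspection.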