WAF vs Firewall

I was reading up about firewalls and came across two concepts which confused me: Web Application Firewall and "regular" firewall. I'm not fully sure what the differences are; they both sound like they accomplish the same thing. Does anyone know the difference?

Thanks!


A "regular" firewall typically only looks at layers 3 and 4 of the OSI model. For instance, to allow TCP port 80, allow UDP port 53 from only specific IP addresses, or deny TCP port 25.

For HTTP requests, once the "allow TCP port 80" hurdle is cleared, the firewall is uninterested in what's passed via that connection.


A Web Application Firewall works almost exclusively at layer 7, dealing with security in terms of the content of HTTP requests.

Mainly, they're looking to prevent requests that are outside what should be expected for your web application, using rules applied to incoming HTTP requests to prevent attacks like cross-site scripting, SQL injection, directory traversal, or brute-force authentication attempts. Essentially, their whole purpose is shielding the web server from the kinds of manipulated and malicious requests that attackers might use to compromise your web application.


A very quick and dirty answer for this would be that a Web Application Firewall is a firewall (appliance and/or software) that is purposely designed to protect the transactions of a web application - for example, HTTP(s) queries, database queries, and possibly other traffic related to web application stacks.

To elaborate a bit, though:

A "standard" firewall, that is, a normal OSI layer 4 firewall, filters based on protocol information - for example, IP, TCP, UDP, and ICMP. You can set rules in the firewall to permit based on things such as IP ranges, TCP ports, ICMP types, and so forth. This is generally the most barebones type of firewall you'll find.

A fairly large majority of firewalls (at the time of this writing) also include inspection features higher in the OSI model -- these can and/or will inspect the actual protocol traffic that is traversing the firewall. Examples of this would be AIM, HTTP, SQL, Jabber, and many others. Some will only inspect for potential attacks - others allow you to more granularly define permit/deny rules for specific attributes of messages in that protocol. The higher-level inspection and rulebase usefulness tends to be limited depending upon make/model.

A web application firewall (or WAF) is a firewall like the latter - that is, it does its work higher in the OSI stack but is meant to do application-level inspection of the traffic flow and it's specifically geared toward the web application business space. Most WAFs (but not all) aren't meant to supplant a traditional firewall but to enhance it. Normally WAFs act in two different modes - passive inspection and an "active" mode. The passive mode just listens to the traffic and can warn if it spots any known "bad" traffic. Active mode can actively block "bad" traffic when it's spotted while allowing "good" traffic through to the web app. The vendors usually also supply a subscription service that allows the WAF to keep its list of known exploits up-to-date.

Most WAFs and standard firewalls can do essentially the same thing - create a boundary between two networks and permit or deny traffic based on a list of rules. The major difference is that a WAF is geared specially for helping secure web applications and the majority of them aren't meant to take the place of a traditional firewall.

I did say most (but not all) earlier - there is a term/buzzword/marketspeak - called NG Firewall (or "Next Generation" firewall). These things are meant to be firewalls on steroids. They do your standard firewall functions but also perform functions that used to take many separate appliances to do - e.g. firewalling, virus inspection, web application firewalling, Chat/messaging filtering, and firewalling of other application protocols. I haven't tested any so YMMV; I just included it as an example of an appliance that's meant to do both functions and strives to do them both well.
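As an added example (not code from the question or from any of the answers above), the following Python model shows the distinction the answers draw: a layer-3/4 rule set that only ever sees source address, protocol and port, and a layer-7 inspector that parses the HTTP request carried inside an allowed TCP/80 flow and checks it against signatures for the attack classes the answers list (SQL injection, cross-site scripting, directory traversal, brute-force logins). It also models the passive and active modes described in the last answer. Every rule, signature, address and sample request here is constructed for illustration; the signatures are toy patterns, not any vendor's rule set.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# ---------- Layer 3/4: what a "regular" firewall sees ----------
@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""  # opaque to the L4 firewall

@dataclass(frozen=True)
class L4Rule:
    action: str                  # "allow" or "deny"
    proto: str
    dst_port: int
    src_net: str = "0.0.0.0/0"   # any source unless narrowed

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dst_port == self.dst_port
                and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net))

# Constructed rule set mirroring the first answer: allow TCP/80, allow UDP/53
# only from one subnet, deny TCP/25; anything unmatched hits the default deny.
L4_RULES = [
    L4Rule("allow", "tcp", 80),
    L4Rule("allow", "udp", 53, "192.0.2.0/24"),
    L4Rule("deny", "tcp", 25),
]

def l4_decision(pkt: Packet, rules=L4_RULES, default="deny") -> str:
    """First matching rule wins; the payload is never consulted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# ---------- Layer 7: what a WAF sees inside an allowed TCP/80 flow ----------
@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: str

def parse_http(payload: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser (no chunked bodies, no pipelining)."""
    head, _, body = payload.decode("latin-1").partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)

# Constructed, deliberately simple signatures; real rule sets are far larger.
WAF_SIGNATURES = [
    ("sqli", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("xss", re.compile(r"<\s*script\b", re.I)),
    ("traversal", re.compile(r"\.\.[/\\]")),
]
_login_attempts = Counter()   # POST /login count per source, for brute-force detection
BRUTE_FORCE_THRESHOLD = 5

def waf_inspect(req: HttpRequest, src_ip: str) -> list:
    """Return the names of every signature the request trips."""
    text = unquote(req.path) + "\n" + unquote(req.body)   # look past URL-encoding
    hits = [name for name, rx in WAF_SIGNATURES if rx.search(text)]
    if req.method == "POST" and unquote(req.path).startswith("/login"):
        _login_attempts[src_ip] += 1
        if _login_attempts[src_ip] > BRUTE_FORCE_THRESHOLD:
            hits.append("brute-force")
    return hits

def inspect_flow(pkt: Packet, mode: str = "active") -> dict:
    """L4 rules first; if allowed on TCP/80, the WAF inspects the HTTP inside.
    mode="passive" only reports hits; mode="active" blocks on any hit."""
    verdict = {"l4": l4_decision(pkt), "waf_hits": [], "final": "deny"}
    if verdict["l4"] == "allow":
        if pkt.proto == "tcp" and pkt.dst_port == 80 and pkt.payload:
            verdict["waf_hits"] = waf_inspect(parse_http(pkt.payload), pkt.src_ip)
        blocked = bool(verdict["waf_hits"]) and mode == "active"
        verdict["final"] = "block" if blocked else "allow"
    return verdict

# Constructed sample traffic (documentation addresses and a made-up host).
BENIGN = Packet("198.51.100.7", "tcp", 80,
                b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
SQLI = Packet("198.51.100.7", "tcp", 80,
              b"GET /products?id=42'%20OR%201=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n")
TRAVERSAL = Packet("198.51.100.7", "tcp", 80,
                   b"GET /static/..%2F..%2Fsecret.conf HTTP/1.1\r\nHost: shop.example\r\n\r\n")
SMTP = Packet("198.51.100.7", "tcp", 25, b"EHLO mail.example\r\n")
LOGIN = Packet("203.0.113.50", "tcp", 80,
               b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=a&pass=b")
```

Running `inspect_flow(SQLI, mode="passive")` returns an allow verdict with `["sqli"]` in `waf_hits` (the WAF would log or alert), while `mode="active"` turns the same request into a block; `inspect_flow(SMTP)` never reaches the WAF because the layer-4 rules already deny port 25, and `inspect_flow(BENIGN)` passes both stages. The one thing this toy cannot show is how much of a real WAF's value lies in normalisation: production products decode double-encoding, mixed case, alternate Unicode forms and so on before matching, and the brute-force counter here lives in process memory, so it resets on restart and is not shared across a cluster.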