Do I Need a Firewall or a Web Application Firewall?

March 21, 2016

In typical consultant fashion, the answer is: 'yes' or 'it depends'. You need to know the difference between these functions, and you need to know what you are protecting, before you can make that decision. However, the short version comes down to this: you should have a firewall protecting your network, and if you are hosting web applications you should definitely consider a WAF (Web Application Firewall). It is important to note that a WAF does not replace a firewall; they are independent devices or functions that complement each other.

A firewall, at its most basic level, is a device or appliance with a collection of rules that you have created which dictate who can talk to whom. For example, you may create a rule that allows external servers to talk to port 25 on your internal mail server, or that opens ports 80 and 443 to the web server you are hosting behind your firewall. It can log the traffic, and you can use that log later for auditing or reporting purposes. A next-gen firewall takes that a step further, and this is where people start to confuse the two. Newer firewalls can understand applications and dynamically track or watch for traffic based on application type, instead of just a single IP and port. They can identify users from a directory service (Microsoft Active Directory, for example) and use that for more useful reporting and dynamic policy creation. These firewalls may even block malware or watch for data patterns that you want monitored (social security numbers, for example) to secure web applications or user content, which is something traditionally associated only with WAFs.
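To make the "who can talk to whom" rule set concrete, here is an added example (not code from the post or from any firewall product) that models the rules described above as a first-match, default-deny packet filter with an audit log; the addresses and hosts are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# A basic firewall rule: source network, destination host, destination port, action.
Rule = Tuple[str, str, int, str]

# Constructed rule set mirroring the post's examples (hosts are illustrative).
RULES: List[Rule] = [
    ("0.0.0.0/0", "203.0.113.25", 25, "allow"),    # anyone may reach the mail server on SMTP
    ("0.0.0.0/0", "203.0.113.80", 80, "allow"),    # anyone may reach the web server on HTTP
    ("0.0.0.0/0", "203.0.113.80", 443, "allow"),   # ... and on HTTPS
    ("10.0.0.0/8", "203.0.113.25", 993, "allow"),  # only internal clients may use IMAPS
]

AUDIT_LOG: List[str] = []  # every decision is recorded for later auditing/reporting


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' if the first matching rule permits the flow, otherwise 'deny'."""
    src = ipaddress.ip_address(src_ip)
    verdict = "deny"  # default deny: nothing is open unless a rule explicitly allows it
    for net, host, port, action in RULES:
        if src in ipaddress.ip_network(net) and dst_ip == host and dst_port == port:
            verdict = action
            break
    AUDIT_LOG.append(f"{verdict.upper()} {src_ip} -> {dst_ip}:{dst_port}")
    return verdict


if __name__ == "__main__":
    # Constructed flows: external host to mail and web server, internal host to IMAPS.
    for flow in [("198.51.100.7", "203.0.113.25", 25),
                 ("198.51.100.7", "203.0.113.25", 993),
                 ("10.1.2.3", "203.0.113.25", 993),
                 ("198.51.100.7", "203.0.113.80", 22)]:
        print(evaluate(*flow), flow)
    print("\n".join(AUDIT_LOG))
```

Note that this filter only sees addresses and ports; it cannot tell a legitimate HTTPS request from a malicious one on port 443, which is exactly the gap the post goes on to describe.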

A Web Application Firewall (WAF) does not do the things a firewall does. Its focus is on the applications themselves, providing highly granular and customizable logic for protecting the web application and the data behind the scenes. For example, a web application may have several known vulnerabilities but may no longer be supported by the vendor. As such, no patches are going to be issued to fix those holes. Often these are vulnerabilities that are common across web applications and that the Open Web Application Security Project (OWASP) lists (SQL Injection, Cross-Site Scripting, field/cookie validation). WAFs are aware of these types of attacks, can monitor and learn which specific vulnerabilities are being targeted in your application, and can then generate rules to block those vulnerabilities and attacks. Even if an application has no known vulnerabilities, a WAF will monitor for potential attacks, and block or log them depending on the administrator's preferences. Logging can be kept local or sent to a SIEM, and that logging can then be used to refine the existing policies. As attacks against your web applications change over time, your WAF rules can be adapted.
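The following is an added example (not code from the post or from any WAF vendor) showing what the Layer 7 side looks like: a small rule set mapped to the OWASP categories named above, each rule carrying an administrator-chosen block or log mode, with every hit recorded as an event that could be shipped to a SIEM. The rule patterns and sample requests are constructed for illustration, not production signatures.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed WAF rule set. "scope" says which request parts a rule inspects;
# "mode" is the administrator's choice: "block" rejects the request, "log" only records the hit.
RULES = [
    {"id": "sqli-001", "category": "SQL Injection", "scope": "any", "mode": "block",
     "pattern": re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+")},
    {"id": "xss-001", "category": "Cross-Site Scripting", "scope": "any", "mode": "block",
     "pattern": re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")},
    {"id": "cookie-001", "category": "Cookie validation", "scope": "cookie", "mode": "log",
     "pattern": re.compile(r"^(?!\w{32}$)")},  # session id should be exactly 32 word chars
]

SIEM_EVENTS: List[Dict[str, str]] = []  # records that would be forwarded to a SIEM


def inspect(query: str, cookies: Dict[str, str]) -> str:
    """Inspect one request's query string and cookies; return 'block' or 'pass'."""
    # parse_qs percent-decodes values, so encoded payloads are inspected in decoded form.
    params = [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]
    cookie_vals = list(cookies.values())
    scopes = {"any": params + cookie_vals, "cookie": cookie_vals}
    verdict = "pass"
    for rule in RULES:
        for value in scopes[rule["scope"]]:
            if rule["pattern"].search(value):
                SIEM_EVENTS.append({"rule": rule["id"], "category": rule["category"],
                                    "action": rule["mode"], "value": value[:80]})
                if rule["mode"] == "block":
                    verdict = "block"  # a log-only rule never changes the verdict
    return verdict


if __name__ == "__main__":
    good = {"session": "a" * 32}
    print(inspect("q=shoes&page=2", good))                    # pass, no events
    print(inspect("id=1' OR '1'='1", good))                    # block (sqli-001)
    print(inspect("q=<script>alert(1)</script>", good))        # block (xss-001)
    print(inspect("q=shoes", {"session": "short"}))            # pass, but cookie-001 logged
    for event in SIEM_EVENTS:
        print(event)
```

Running a new rule in log mode first, then reviewing the SIEM events for false positives before switching it to block, is the refinement loop the post describes.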

Ideally, you would have both of these in your environment: the firewall to protect your network and the web application firewall to provide application- and vulnerability-aware protection. The two will overlap in some places. WAFs and next-gen firewalls can both protect against data exfiltration to some degree, but a WAF may be the better choice depending on the situation. WAFs and next-gen firewalls can both have ACLs and SSL inspection, but a next-gen firewall may be the better choice depending on the usage.

Next-Gen Firewalls

  • Your primary firewall
  • Identify application traffic regardless of where it comes in from or its destination
  • Use Microsoft AD to add user information to traffic and policies
  • Packet and application protocol aware

Web Application Firewalls

  • Inspects traffic at Layer 7
  • Can model and learn rules based on the web application
  • Protects web applications from OWASP vulnerabilities
  • Application and content aware
