Do I Need a Firewall or a Web Application Firewall?

In typical consultant fashion, the answer is: ‘yes' or 'it depends'.  It’s important to know the difference between these functions and it’s important to know what you are protecting before you can make that decision.  However, the short version comes down to this: you should have a firewall protecting your network and if you are hosting web applications you definitely should consider a WAF (Web Application Firewall).  It’s important to note that a WAF does not replace a firewall though; they are independent devices or functions which complement each other.

A Firewall, at it’s most basic level, is a device or appliance with a collection of rules that you have created which dictate who can talk to who.  For example, you may create a rule that defines that external servers can talk to port 25 on your internal mail server, or that port 80 and 443 are open to the web server you are hosting behind your firewall.  It can log the traffic and you can use that later for auditing or reporting purposes.  A next-gen firewall will take that a step further and is where people start to get confused between the two.  Newer firewalls can understand applications and be able to dynamically track or watch for traffic based on application type, instead of just a single IP and port.  They can identify users from a directory service (Microsoft Active Directory, for example) and use that for more useful reporting and dynamic policy creation.  These firewalls may even block malware or watch for data patterns that you want monitored (social security numbers) to secure web applications or user content, which is something traditionally associated with only WAFs.

A Web Application Firewall (WAF) does not do the things a firewall does.  It’s focus is on the applications themselves, to provide highly granular and customizable logic for protecting the web application and the data behind the scenes.  For example, a web application may have several known vulnerabilities, but may no longer be supported by the vendor.  As such, no patches are going to be issued to fix those holes.  Often these are vulnerabilities that are standard across web applications and the Open Web Application Security Project (OWASP) lists (SQL Injection, Cross Site-Scripting, field/cookie validation).  WAFs are aware of these types of attacks, can monitor and learn about what specific vulnerabilities may be in use against your application and then generate rules to block those vulnerabilities and attacks.  Even if an application has no known vulnerabilities, a WAF will monitor for potential attacks, and block or log these attacks depending on the administrators preferences.  Logging can be kept local or sent to a SIEM, and then that logging can be used to refine the existing policies.  As attacks against your web applications change over time, your WAF rules can be adapted.

Ideally, you would have both of these in your environment.  The firewall to protect your network and the web application firewall to provide specific application/vulnerability aware protection.  Both devices will overlap in some places.  WAFs and next-gen firewalls can protect data exfiltration in some regards, but a WAF may be better depending on the situation.  WAFs and next-gen firewalls can have ACLs and SSL inspection, but a next-gen firewall may be better depending on the usage.

Next-Gen Firewalls

• Your primary firewall
• Identify application traffic regardless of where it comes in from or it’s destination
• Use Microsoft AD to add user information to traffic and policies
• Packet and application protocol aware

Web Application Firewalls

• Inspects traffic at Layer 7
• Can model and learn rules based on the web application
• Protects web applications from OWASP vulnerabilities
• Application and content aware