Along with the tremendous benefits of cloud computing technologies, organizations and businesses in China are faced with a rapidly evolving digital threat landscape. A Mozilla survey of the top 1 million websites in June 2017 shows a staggering 93.45% earned an F for failure to implement basic measures that would protect them from common attack methods. Every now and then, company names appear in news headlines after serious data breaches that force their business offline or even cause major revenue loss and reputational damage.

Deploying a Web Application Firewall (WAF) as the front line that stops attacks before they reach the application should be a standard preventive and detective measure for any organization or business wishing to protect its valuable data.

What is a Web Application Firewall (WAF)?

A web application firewall (WAF) is an application firewall for HTTP applications: it applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS), SQL injection, and application-layer denial of service (DoS), which can lead to data deletion, data modification (such as replacing prices with wrong prices) or data theft. While a classic firewall protects at the NETWORK LAYER, a WAF protects at the APPLICATION LAYER, between users and servers.
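To make "a set of rules applied to an HTTP conversation" concrete, here is a small request inspector in Python. It is an added illustration, not code from the original article or from any WAF product: the rule ids, regex patterns, sample requests and client addresses are all constructed for the example, and the rule set is deliberately tiny compared with a real one. It shows the three mechanics the paragraph names (pattern rules for SQL injection and XSS, a per-client rate rule for application-layer DoS) plus a detect-only mode, which is how a WAF is usually run while its rules are being tuned against false positives.

```python
"""Minimal rule-based HTTP request inspector (added example; not from the article)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote


@dataclass
class Request:
    """A parsed HTTP request, reduced to the parts a WAF rule normally inspects."""
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""
    client_ip: str = "0.0.0.0"


# Hypothetical, deliberately small rule set: (rule id, description, pattern).
RULES = [
    ("sqli-001", "SQL tautology, comment sequence or UNION SELECT",
     re.compile(r"(?i)(\bor\b\s+'?\d+'?\s*=\s*'?\d+|--\s|/\*|\bunion\s+select\b)")),
    ("xss-001", "script tag, javascript: URL or inline event handler",
     re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)")),
]


def user_controlled_values(req):
    """Yield every user-controlled value after one URL-decoding pass.

    A production WAF normalizes far more (double encoding, Unicode, JSON and
    multipart bodies); this is the minimum needed to show the idea.
    """
    yield unquote(req.path)
    for _, value in parse_qsl(req.query, keep_blank_values=True):
        yield value  # parse_qsl already URL-decodes
    if req.headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        for _, value in parse_qsl(req.body, keep_blank_values=True):
            yield value
    else:
        yield unquote(req.body)
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in req.headers:
            yield req.headers[name]


class RateLimiter:
    """Sliding-window request counter per client IP (application-layer DoS rule)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.seen = defaultdict(deque)

    def allow(self, ip, now):
        q = self.seen[ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class MiniWAF:
    """Applies the rules to a request and returns (decision, matched rule ids)."""

    def __init__(self, rules=RULES, rate_limiter=None, mode="block"):
        self.rules = rules
        self.rate_limiter = rate_limiter
        self.mode = mode  # "block" enforces; "detect" only logs (used while tuning)
        self.log = []

    def evaluate(self, req, now=0.0):
        hits = []
        if self.rate_limiter and not self.rate_limiter.allow(req.client_ip, now):
            hits.append("dos-001")
        for value in user_controlled_values(req):
            for rule_id, _, pattern in self.rules:
                if pattern.search(value):
                    hits.append(rule_id)
        hits = sorted(set(hits))
        if hits:
            self.log.append((req.client_ip, req.method, req.path, hits))
        decision = "block" if hits and self.mode == "block" else "allow"
        return decision, hits


def demo(mode="block"):
    """Run constructed sample traffic through the inspector; returns {name: (decision, hits)}."""
    waf = MiniWAF(rate_limiter=RateLimiter(max_requests=5, window_seconds=10), mode=mode)
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    samples = {  # all requests and addresses below are constructed for the example
        "benign_search": Request("GET", "/search", "q=python+or+go+tutorial", client_ip="10.0.0.1"),
        "sqli_login": Request("POST", "/login", headers=form,
                              body="user=admin%27+OR+1%3D1+--&pass=x", client_ip="10.0.0.2"),
        "xss_search": Request("GET", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
                              client_ip="10.0.0.3"),
    }
    results = {name: waf.evaluate(r, now=1000.0) for name, r in samples.items()}
    # Application-layer DoS: one client sends a sixth request inside the 10 s window.
    flood = Request("GET", "/", client_ip="10.0.0.9")
    for i in range(6):
        results["flood_6th"] = waf.evaluate(flood, now=1000.0 + i)
    return results


if __name__ == "__main__":
    for name, (decision, hits) in demo().items():
        print(f"{name:15} -> {decision:5} {hits}")
```

Running `demo()` blocks the injection, the script tag and the sixth request from the flooding client while letting the benign search through; `demo("detect")` returns the same rule matches but allows everything, which is the log-only posture a team uses to measure false positives before switching a rule to blocking. Signature matching this simple is also exactly why the article's closing point matters: a WAF is a useful control, not a complete defense.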


WAF deployment options

Usually, there are three common ways to deploy a WAF: hardware-based, software-based and cloud-based solutions, each with its own advantages and shortcomings. You can select one, or combine them, based on your compliance needs and budget.

  • Hardware-based WAF. Comparatively speaking, a hardware WAF is easy to install and configure, and it can protect all the servers behind the same switch. But a hardware-based WAF is the most expensive of the three options, because a physical appliance must be purchased, housed and maintained. For high-volume sites that demand high throughput and great bandwidth, however, a hardware WAF is a good option.
  • Software-based WAF. This option is less expensive, has an easier upgrade path (some open source software WAFs are available online) and is more flexible than an appliance. But a software-based WAF also consumes server resources and can generate high maintenance costs in some cases. Even with an open source software WAF, you need to evaluate which one best suits your business and compliance requirements, and you also need engineering time to learn, install, configure and maintain it.
  • Cloud-based WAF. Among the three WAF offerings, a cloud-based WAF is the cheapest and easiest to deploy. If you are already on a public cloud such as Aliyun, Azure or AWS, you can purchase a WAF service directly from your vendor. Cloud-based WAFs are also updated continuously to protect against the newest threats without any additional work or cost on the user's end. A cloud-based WAF is a good solution for small organizations and businesses.

A WAF, if deployed well, will definitely serve as an effective security control for web applications. Nevertheless, under no circumstances should a WAF be regarded as a one-size-fits-all solution against all web attacks: in this fast-changing, digitally connected world, web applications are constantly evolving and new attacks keep springing up. In the next few articles, more security control methods that complement a WAF will be introduced.