WAFs vs Network Firewalls – Protection for applications and networks

17 Jan 2022, by Slade Baylis

When it comes to securing your IT systems, there are many potential avenues of attack that you need to carefully consider and protect. This ranges from ensuring applications are kept up to date to protect against emerging vulnerabilities, to locking down your network for only authorised people to access confidential and secure systems. If you don’t take these sorts of steps, you could find out one day that your business grinds to a halt due to an exploited application vulnerability or an insecure port being left open on your network. 

The only thing worse than having this happen to you, is knowing that you could have taken a few easy steps to prevent it from happening in the first place. Different types of methods exist to protect your business from those sorts of situations at multiple points in the road – two commons approaches are through deploying network firewalls and utilising Web Application Firewalls (WAFs). Whilst they sound quite similar, they are actually quite different with regards to the threats they protect against.

In this article, we’re going to break down what they are designed to do, when you should consider using them, and what different options are out there depending on your business and your budget.

Network Firewalls – Protecting the overall network and regulating access to infrastructure

A network firewall is a security solution that protects a network from unwanted traffic. They can be physical appliances specially built for the task, virtual machines that exist within Cloud-base infrastructure, or even just simple pieces of software that can be installed onto a computer or server. One of the most basic features on a firewall is the ability to only allow specific ports to be open, allowing network administrators to have control about what applications can speak to the wider internet (or vice versa).

The main premise to introduce a firewall within your infrastructure is to make sure that traffic from less trusted environments are inspected and authenticated in some way before being allowed into more secure environments. In this way they act as a barrier between the public and private networks, or even between separate private networks if required. Another common feature for most network firewall solutions is to have the ability to detect and block incoming malicious attacks based on sets of pre-programmed rules. That protection is provided through packet-inspection/filtering. To understand what those terms mean though, we’ll first need a quick introduction on how information is sent over networks. 

When information is sent over the internet or over a network generally, that information is broken down into smaller parts called “packets”. Each packet carries some information, details about its destination and source, as well as other information necessary for the information to be reformed once all the packets have been received. By breaking data down into these smaller pieces, data can be sent between two devices without needing a single constantly available connection between them; those packets can take different “paths” to get to their destination and yet they can still be reformed on the receiver’s side correctly (even if they are received out of order!). 

With that understanding, most firewalls today have features that allow them to block maliciously formed requests that are sent over a network. That is achieved by a technology called packet inspection/filtering. That technology allows firewalls to examine and inspect those network packets against an established security ruleset. If those packets match a known attack or exploit, actions are then able to be taken. These actions can include dropping malicious packets or potentially even stopping further traffic from that source from being received at all. 

However, purposely and maliciously malformed packets are only one way that systems can potentially be exploited. A lot of attacks are crafted to exploit vulnerabilities within applications themselves, rather than via maliciously formed packets at the networking layer. Attacks at that level would pass through a firewall easily, as the packets aren’t obviously malicious and appear to be just regular traffic. To prevent against these sorts of attacks further protection is necessary, and that protection comes in the form of Web Application Firewalls (WAF).

Web Application Firewalls – Protecting applications from exploitation and unpatched vulnerabilities

With basically any application that is accessible via the internet, the possibility always exists that a vulnerability either currently exists or will be introduced via a future update. Due to this, it’s important to make sure that your systems are protected from those exploits as they are discovered and documented. 

The first way of doing that is to make sure that your applications are always updated to the latest stable version soon after they are released. However, sometimes those updates might not protect you against all possible threats, or might even leave you vulnerable for weeks or even months whilst the developers work to fix the underlying issue. So what’s the best way to add another level of protection, rather than just relying on your application developer's work ethic? The answer is by adding a Web Application Firewall.

A WAF sits in front of a specific application to monitor and filter traffic between that application and the internet. It does this to act as a shield in front of the application, protecting the application from common exploits that can target web-facing applications, including cross-site forgery, cross-site-scripting (XSS), and SQL injection, just to name a few. Just like a network firewall, it does this by comparing traffic against predefined security rules (often called “policies” in the context of WAFs) and then filtering out anything that violates those policies, such as malicious traffic. 

However, with any sort of security filtering an important question is raised, how does it work to prevent false positives and not block “legitimate” traffic. The answer is different depending on the implementation, but usually any provided WAF will come with the ability to place it into a “learning” mode, were it will monitor traffic for a period of time and then learn what the traffic to the website should look like. By doing this it can then notice discrepancies that can be used to inform what actions it should take, depending on how administrators would like it to behave. 

In short, a WAF's overall purpose is to be able to know what legitimate traffic looks like and disallow any sort of traffic that is only trying to appear legitimate in order to exploit application vulnerabilities.

Affordability vs Protection – Cost vs reward and multi-tiered approaches to protection

When protecting the infrastructure that your business relies on, it’s important to make sure that you don’t just use a single type of protection. Doing so will only protect you from a small subset of all the possible ways you could be targeted and compromised. Instead we recommend using a multi-tiered approach to securing your environments and stopping malicious attacks. By using some form of network firewall to protect the network, as well as a WAF to filter the incoming requests to your applications, you can catch the majority of common attacks that you are likely to face. 

Suggesting that you should have multiple levels of protection is easy though, actually implementing it and doing so affordably is entirely another thing. Whilst network firewalls are generally affordable for most businesses, the cost for dedicated WAF solutions can go up into the thousands. This is why different type of WAF options have emerged, all which aim to provide WAF type services at different price points. This ranges from specialised pieces of hardware that cost thousands of dollars per month to simple premium WordPress plugins that can be installed into your website. As you have probably guessed, the services offered by the cheaper solutions aren’t exactly a like-for-like for the more expensive options, but they go a small way to offering WAF-like protection and are better than no protection at all.

Dedicated WAF Solutions vs Cheaper Software Solutions

On the higher end are dedicated WAF solutions that either are specialised physical appliances, or cloud-based/virtual ones. These solutions are comprehensive in their approach to protecting applications and with the customisation options available to their users. That includes allowing users to specify specialised security rules and set the actions that should be taken when they detect traffic that violates them. As they are premium solutions, they are also much more sophisticated in their approach and ability to determine what is legitimate traffic, and thus much more likely to be able to detect and prevent attacks.

One of the other benefits of having a separate WAF from the server infrastructure that hosts your applications is that malicious requests are able to be stopped before they arrive at your server. With software/plugin based solutions that are installed into the website server, requests need to reach the web server before they can be analysed and checked for malicious signatures. What this means is that server resources (such as CPU or RAM) from the web server need to be used to analyse the traffic. What this could mean is that if enough malicious requests come in, they could act as a pseudo Denial of Service (DOS) attack due to all the resources on the server being used up trying to analyse the traffic.

In addition to the extra resources required to analyse that traffic, website-based software solutions can also slow down your website. Due to not being as sophisticated as dedicated solutions and requiring some of the web-server’s resources, website-based WAF software can introduce seconds of extra load time per page view. This is why if you are able to afford and justify a more expensive solution, we recommend you use those instead.

What solution/s should you choose?

With all the different approaches to choose from, a question emerges -  which options should you choose for your organisation? As usual, the answer depends on your particular needs, budget, and risk assessment. Our recommendation is that all businesses have some form of protection in both categories, even if they are lower end website-based solutions. Even a website-based WAF solution is better than no protection at all! By installing a WAF plugin into your website, you can get some basic protection against common attacks without needing to spend thousands of dollars. 

One common plugin for WordPress is called WordFence, which we’ve previously covered in our Protect your WordPress website with a plugin-based WAF article. 

With regards to network firewalls, even if you choose to forego using a WAF in front of your application/s, every business should look to implement some form of network firewall protection into their infrastructure. Solutions in this realm are much more affordable than their WAF counterparts and can protect against unauthorised access to services that you don’t want open to the wider internet. Due to this, they are practically essential for any kind of web-facing services that you plan on hosting. 

Want to setup a network firewall or WAF within your infrastructure?

If you are interested in adding network firewalls or a WAF to your services with Micron21, contact us on 1300 769 972 (Option #1) or email us at sales@micron21.com. We’ll be happy to walk you through what would be involved and develop a transition plan to get them added to your systems.