How to Choose a Web Application Firewall

Sep 27, 2018 | Insights, Managed Services

Web application firewalls or WAFs can protect your website and web applications from a variety of attacks and intrusions that your network firewall can’t. Depending on the WAF your security team chooses, it can protect against XSS attacks, SQL injection, session hijacking and buffer overflows. If your website or application processes payments, it’s especially important to have a WAF, and it is a necessary standard to comply with PCI-DSS. Even if you don’t process payments, a WAF can protect against fraud and prevent malicious actors from tampering with your website and your applications.

Deployment Options

Inline or active appliances are placed on the traffic path directly between the requestor and the web application server. The advantage to choosing an in-line WAF is that it can be used to stop a live attack. On the flip side, in-line WAFs can slow traffic, and they are also more likely to block legitimate traffic. The other option is a passive WAF, also known as tap/span WAFs. These are placed outside the path and monitor traffic from a tap/span port. These types of WAFs cannot block attacks, but they can be set up to communicate with other systems that can be used to block traffic, such as the network firewall.

In today’s world of hybrid infrastructure environments, you may want a WAF that protects servers both on site and in the cloud. For this, consider a cloud-based WAF, or a WAF that allows you to use an API to monitor VM traffic.


If high availability is important for your web site and applications, you’ll want to take latency into account (in-line WAFs). Another feature that can slow traffic down is how the WAF processes SSL traffic. This traffic must be decrypted so that the WAF can process the HTTP data. WAFs handle this task differently. Some can offload SSL computation, dedicating CPU resources to other tasks. Others may support hardware-based SSL acceleration. It will also be essential that the WAF does not become a single point of failure. Can multiple WAF nodes be configured? How many are possible?

Detection Techniques

Most WAFs employ a combination of detection techniques. The more options the better. These include signature matching, normalization, and APIs for building custom detection. Additionally, some WAFs are capable of behavioral analysis. They learn your normal traffic patterns and detect anomalies specific to your website or application. With this type of WAF, suspicious traffic can be detected regardless of rules and signature updates. When evaluating WAFs, be sure to ask potential vendors to supply you with proof of false positives to negative rates and third-party test results. This will give you a better idea of how successful the WAF’s detection features are and provides a quantitative method for comparing the efficacy of multiple WAF products.


WAFs can block traffic in several ways. Investigate the options available and make sure they meet your security needs. These include:

  • Connection intermediation – traffic is intercepted, and network protocol connections are terminated on the WAF
  • Connection interruption – traffic is intercepted, but not terminated on the WAF
  • Connection reset – traffic is intercepted, and relevant TCP connections are reset
  • WAF alerts other devices to block suspicious traffic

Additionally, for WAFs that support blocking, be sure to understand the different approaches to blocking traffic. Does it only block traffic at the HTTP level? Can it also block specific sessions, users, or IP addresses? Can blocking be manually disabled for specific users? Some WAFs can also support cryptographic URL encryption to protect application-specific URLs. Another desirable protection feature some WAFs provide is protecting hidden form fields on web pages from being manipulated.


Depending on the WAF you choose, it may need to rely on other firewalls or routers to provide protection when attacks do occur. Make sure your WAF is compatible with your other networking equipment. You many also want the WAF to communicate with other systems over a dedicated management network so that network administrators can easily monitor activity.

Policy Management

Whatever WAF you choose, ensure it allows you to modify the rules or policies that govern the WAF’s behavior. Usually, the more flexibility you have to change policies, the better. For example, you may want to define rules differently for different types of applications. Your team may want to apply looser policies to applications in beta mode for testing. Some other features you may be interested include the ability to roll back to older versions of policies if new versions do not work out, the ability to export a policy as a file and import it to other systems, and the ability to combine detection and prevention. Other options include change logs and role-based policies.

Logging & Reporting

The way a WAF logs data and its reporting interface may very well be the deciding factor in your decision. How detailed are the logs? Does the WAF keep separate logs for normal traffic and potentially malicious traffic? Does it log all sessions and navigation details? The more details provided, the easier it is to investigate incidents. Where will the logs be stored? Access logs are usually downloaded as files, but some WAF providers also provide a database. In addition to traffic logs, many WAFs also provide event logs that record all suspicious transactions. Are the WAF’s log formats supported by your organization’s SIEM systems?

In addition to what is being logged, be sure to investigate what types of reports are possible and compare these to your security team’s expectations. Check to see if reports can be generated on demand, on schedule, or both. Check report formats and the types of filters that can be employed to quickly drill down to data that is important to your team. User-friendly presentations and report distribution methods may also be important to your company.


While WAFs are often implemented to comply with security standards like PCI-DSS, the WAF itself must also be configured to comply with any information security standards your organization might follow. Ask potential providers how sensitive data can be removed from logs and if sanitation is configurable. Ask if the WAF can be configured to automatically detect sensitive data. What methods of data obfuscation are available? Click here to read about the PCI-DSS requirements for WAFs.


Depending on the scope of your own security operations team, a WAF provider’s support team can be critical to your decision-making process. If you don’t have a 24×7 security team monitoring your network, you’ll want to ensure the vendor has a 24x7x365 Security Operations Center or SOC. A knowledgeable and responsive SOC team can help you detect traffic anomalies and analyze threats. Also ask how often the vendor updates their software and how the updates are performed. Timely updates are critical to WAF performance.

Data Foundry offers WAF and IDS services for its colocation customers. See our network services page to learn more.