A Web Application Firewall, as the term firewall implies, is a middleman that sits between web applications on a web server and the Internet. A WAF serves two major functions: preventing malicious traffic from reaching web applications hosted on a server and preventing unauthorized data from leaving the web server. In the Open Systems Interconnection (OSI) seven-layer model, a WAF operates at the application level, which is the seventh and highest level.
Conceptually, a WAF works like a reverse proxy. Proxies typically protect client machines’ identities from web servers by positioning itself in the middle of the data flows between client and server machines. For a WAF, its protection is in the reverse direction: it positions itself in the middle of data flows between the server and client machines to protect the server from potentially malicious traffic originating from clients.
Some of the attacks that malicious clients can launch on web applications include cross-site scripting (XSS), cross-site forgery, SQL injection, file inclusion, and cookie poisoning. To prevent such attacks, a WAF monitors and examines every single data packet going in and out of a web server to ensure that the data packets are safe.
WAFs operate through policies that establish what malicious traffic and safe traffic look like. Broadly, these policies fall into two categories: a block model where traffic resembling known attacks are denied passage through the WAF, and an allow model where traffic that is pre-approved will be granted passage. Most WAFs do not exclusively depend on policies from a single model because each model has inherent weaknesses. Therefore, WAFs tend to employ a hybrid model with both block and allow policies for maximum effectiveness.
There are three major ways to deploy a WAF on a web server: network-based, host-based or cloud-based.
The "Application Layer" is where applications or web pages are run; they face the "end user."
A "Web Application Firewall."
Open Systems Interconnection Model (a seven layer model).