
Web Application Firewalls (WAF) Case Study

Author: Anna Aasprong Brekke <AnnaAaBrekke>

Introduction

This case study begins with a general overview of WAF technology, providing insight into its purpose and importance in modern web security. It then focuses on two widely-used tools: Cloudflare WAF and AWS WAF, exploring their key features, integrations, and use cases. Additionally, the study includes a market comparison with other tools, highlighting their strengths and weaknesses.

But what is a WAF? A Web Application Firewall (WAF) is like a security guard posted at the door of your website. It inspects every incoming HTTP/S request at the application layer, blocks requests that match known attack patterns, and lets legitimate traffic through. WAFs are a standard defence against common web attacks such as SQL injection and XSS, and the cloud providers discussed here bundle them with DDoS mitigation and rate limiting. A WAF is an extra layer in front of the application, not a replacement for secure coding: a request that slips past its rules still reaches your code.

Usefulness to Developers

  • Time-Saving: Managed rulesets cover well-known attack patterns out of the box, so developers are not writing and maintaining their own input filters for every endpoint.
  • Integration-Friendly: Rules can be managed as code (API, Terraform, CloudFormation) and deployed from the same CI/CD pipeline as the application.
  • Improved App Stability: Blocks floods and malformed requests that could otherwise disrupt application functionality.

Brief History

  • 1990s: Network firewalls emerged, focusing on packet filtering at the IP and port level; web applications introduced vulnerabilities that this layer could not see.
  • 1999: First WAF introduced to address web-specific threats like SQL injection and XSS with rule-based HTTP filtering.
  • 2002: ModSecurity released as the first open-source WAF, shifting to software-based solutions.
  • 2003: The first OWASP Top 10 was published, giving WAF vendors a common list of web vulnerabilities to target and driving adoption.
  • 2010: Cloud WAFs launched (e.g., Cloudflare, Akamai), offering scalable and cost-effective solutions.
  • 2008: PCI DSS Requirement 6.6 became mandatory, requiring either a WAF in front of public-facing web applications or regular application code reviews, boosting adoption.
  • 2017: Machine learning-powered WAFs emerged, focusing on zero-day threats and behavior analytics.
  • 2020s: Modern WAFs protect APIs, integrate with DevSecOps, and secure CI/CD pipelines.

Key Terms

HTTP/S: The protocol used for transferring data over the web. HTTPS is HTTP over TLS: a handshake between the user's browser and the server negotiates keys, and the traffic that follows is encrypted. A cloud WAF terminates TLS so that it can inspect the decrypted requests.

SQL Injection: An attack where attacker-supplied input changes the SQL query an application runs, allowing data in the database to be read, modified, or destroyed.

Cross-Site Scripting (XSS): An attack where malicious scripts are injected into a web page and run in other users' browsers, typically to steal session data or perform actions as the victim.

DDoS Attack: Distributed Denial-of-Service attack, where an attacker floods a website with traffic from many sources so that it can no longer serve legitimate users.

API: Application Programming Interface, a set of rules that allows different software systems to communicate with each other.

OWASP Top 10: A list of the ten most critical web application security risks, maintained by OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project).

Main Features

A Web Application Firewall (WAF) is a security tool designed to protect web applications by filtering and monitoring HTTP/S traffic and preventing common attacks.

| Feature | Description |
| --- | --- |
| Protection Against OWASP Top 10 Vulnerabilities | Prevents SQL injection, XSS, and other web-based attacks. |
| Customizable Rules | Allows users to define rules tailored to their specific applications. |
| Real-Time Threat Monitoring | Monitors and blocks malicious activity in live traffic. |
| Cloud-Based WAF Options | Provides scalable and hardware-free security solutions. |
| API Security | Safeguards APIs and microservices from common threats. |
| Automated Threat Detection | Uses machine learning to detect zero-day and emerging attacks. |
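To make the first three features concrete, here is a miniature rule engine that does what a WAF does with each request: normalize the path, query and body, run signature rules for SQL injection and XSS over them, and apply a per-client rate limit. This is an added example written for this case study, not code from Cloudflare, AWS, or any real ruleset; the three signatures and the sample requests are constructed, and the `decode_passes` setting is there to show a real failure mode: a single-decode engine lets a double-URL-encoded payload through.

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

# Signature rules in the spirit of a managed "OWASP Top 10" ruleset: each is
# (name, compiled regex, action). Real managed rulesets hold hundreds of
# signatures; these three are constructed for the example.
SIGNATURE_RULES = [
    ("sqli-tautology", re.compile(r"('|\")\s*or\s+\d+\s*=\s*\d+", re.I), "block"),
    ("sqli-union",     re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I), "block"),
    ("xss-script-tag", re.compile(r"<\s*script\b|on\w+\s*=", re.I), "block"),
]

def normalize(value: str, passes: int = 1) -> str:
    """URL-decode `passes` times. One pass is the weak setting: attackers
    double-encode (%2527 -> %27 -> ') to slip past single-decode engines."""
    for _ in range(passes):
        value = unquote(value)
    return value

def inspect_request(request: dict, decode_passes: int = 1):
    """Return (action, rule_name) for one request. Inspects path, query and
    body the way a WAF does; ('allow', None) when nothing matched."""
    parts = urlsplit(request["target"])
    for field in (parts.path, parts.query, request.get("body", "")):
        text = normalize(field, decode_passes)
        for name, pattern, action in SIGNATURE_RULES:
            if pattern.search(text):
                return action, name
    return "allow", None

class RateLimiter:
    """Sliding-window per-client limit, the building block behind the
    rate-limiting rules WAFs use against floods and credential stuffing."""
    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client_ip: str, now: float) -> bool:
        q = self.hits[client_ip]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Constructed sample traffic; none of it comes from a real capture.
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "target": "/products?id=42"},
    {"ip": "198.51.100.7", "target": "/products?id=42%27%20OR%201%3D1--"},
    {"ip": "203.0.113.9",  "target": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"},
    {"ip": "203.0.113.9",  "target": "/login", "body": "user=a&pass=x' UNION SELECT 1,2,3--"},
    # Double-encoded: decodes to "42' OR 1=1--" only after a second pass.
    {"ip": "203.0.113.9",  "target": "/products?id=42%2527%2520OR%25201%253D1--"},
]

def run(requests=SAMPLE_REQUESTS, decode_passes: int = 1):
    """Decisions for a batch of requests, in order."""
    return [inspect_request(r, decode_passes) for r in requests]

if __name__ == "__main__":
    for r, (action, rule) in zip(SAMPLE_REQUESTS, run()):
        print(f"{action:5} {rule or '-':15} {r['target']}")
    limiter = RateLimiter(limit=3, window_seconds=1.0)
    t0 = time.time()
    print([limiter.allow("203.0.113.9", t0 + i * 0.1) for i in range(5)])
```

With the default single decode pass the last request is allowed; with `decode_passes=2` it is blocked by the same tautology rule. Production WAFs apply several transformations (multiple URL decodes, HTML entity decoding, lowercasing, whitespace compression) before matching, which is why the "Customizable Rules" feature usually includes choosing those transformations and not just the pattern.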

WAF Tools


🛠️ Cloudflare WAF

Cloudflare WAF is a cloud-based security solution integrated into Cloudflare’s global content delivery network (CDN). It is designed to protect web applications by monitoring and filtering HTTP/S traffic.

Key Capabilities:

  • DDoS Mitigation: Cloudflare's network-level DDoS protection, which runs alongside the WAF, automatically identifies and absorbs large-scale DDoS attacks without manual intervention.
  • OWASP Top 10 Protection: Pre-built rules defend against common vulnerabilities like SQL injection and XSS.
  • Custom Rules: Allows users to define their own rules for specific use cases.
  • API Security: Dedicated protection for REST and GraphQL APIs, ensuring API traffic is secure.
  • Simplified Deployment: As a cloud-based solution, it requires no on-premise hardware or complicated setup.

When to Use Cloudflare WAF:

  • Ideal for businesses looking for a simple, scalable, and cost-effective WAF.
  • Great for protecting applications with minimal technical overhead.

Setting Up Cloudflare WAF

  1. Sign In:
  • Log in to your Cloudflare Dashboard and select your domain (zone).
  2. Enable WAF:
  • Go to Security > WAF in the dashboard.
  • Only hostnames proxied through Cloudflare (orange cloud in DNS) are inspected; DNS-only records bypass the WAF entirely.
  3. Add Rules:
  • Deploy Managed Rulesets (Cloudflare Managed Ruleset, OWASP Core Ruleset).
  • Create Custom Rules, written in Cloudflare's rule expression language, to block, challenge, or skip specific traffic patterns.
  4. Set Rule Order:
  • Custom rules are evaluated top to bottom and the first match wins, so place allow-list (skip) rules above broad block rules.
  5. Test and Monitor:
  • Review matched and blocked requests under Security > Events (formerly Firewall Events) and fine-tune rules before tightening their actions.
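The ordering point in step 4 is easy to get wrong, so here is an added example (written for this case study, not Cloudflare's code) that defines three custom rules in the shape the Cloudflare Rulesets API expects for the `http_request_firewall_custom` phase, and exercises their order offline. Each rule carries its real Cloudflare expression plus a small Python predicate that stands in for Cloudflare's evaluator; the predicates, the office IP range, the sample requests and the `CLOUDFLARE_ZONE_ID` / `CLOUDFLARE_API_TOKEN` environment variables are all assumptions of the example.

```python
import ipaddress
import json
import os
import sys
import urllib.request

# Assumed office range (documentation prefix, not a real network).
OFFICE_NET = ipaddress.ip_network("203.0.113.0/24")

# Each rule: the Cloudflare expression we would deploy, the action, and a
# "_match" predicate that approximates Cloudflare's evaluator so the ordering
# can be tested here. The predicates are constructed, not Cloudflare's engine.
RULES = [
    {
        "description": "Skip remaining custom rules for office IPs",
        "expression": "(ip.src in {203.0.113.0/24})",
        "action": "skip",
        "action_parameters": {"ruleset": "current"},
        "_match": lambda r: ipaddress.ip_address(r["ip"]) in OFFICE_NET,
    },
    {
        "description": "Block the admin area for everyone else",
        "expression": '(http.request.uri.path contains "/admin")',
        "action": "block",
        "_match": lambda r: "/admin" in r["path"],
    },
    {
        "description": "Challenge scripted clients",
        "expression": '(http.user_agent contains "python-requests")',
        "action": "managed_challenge",
        "_match": lambda r: "python-requests" in r.get("user_agent", ""),
    },
]

def evaluate(rules, request):
    """First matching rule wins; 'skip' ends evaluation of this ruleset and
    the request continues, so it is reported here as 'allow'."""
    for rule in rules:
        if rule["_match"](request):
            return "allow" if rule["action"] == "skip" else rule["action"]
    return "allow"

def api_payload(rules):
    """Body for PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint.
    Rules are deployed in list order; the offline-only predicate is stripped."""
    return {"rules": [{k: v for k, v in rule.items() if not k.startswith("_")} for rule in rules]}

def deploy(rules, zone_id, token):
    """Push the rules to Cloudflare; only reached with --apply and the env vars set."""
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_custom/entrypoint")
    req = urllib.request.Request(
        url, data=json.dumps(api_payload(rules)).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample requests.
SAMPLES = {
    "office_admin":   {"ip": "203.0.113.10", "path": "/admin/users", "user_agent": "Mozilla/5.0"},
    "stranger_admin": {"ip": "198.51.100.7", "path": "/admin/users", "user_agent": "Mozilla/5.0"},
    "bot_home":       {"ip": "198.51.100.8", "path": "/",            "user_agent": "python-requests/2.31"},
}

def compare_orderings():
    """(intended order, skip rule moved below the block rule) for each sample."""
    reordered = [RULES[1], RULES[0], RULES[2]]
    return {name: (evaluate(RULES, r), evaluate(reordered, r)) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    print(json.dumps(compare_orderings(), indent=2))
    if "--apply" in sys.argv:
        print(deploy(RULES, os.environ["CLOUDFLARE_ZONE_ID"], os.environ["CLOUDFLARE_API_TOKEN"]))
```

Run without arguments the script shows that the office request to `/admin` is allowed with the skip rule on top and blocked when the block rule is moved above it, while the other two samples are unaffected. Run with `--apply` it replaces the zone's custom rules with exactly this list, which is the safer way to manage them than editing individual rules in the dashboard.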


🛠️ AWS WAF

AWS WAF is a web application firewall integrated with the AWS ecosystem. It offers detailed traffic control for applications running on AWS infrastructure, making it ideal for businesses already using AWS services.

Key Capabilities:

  • Rule Customization: Users can create and modify rules to block specific traffic patterns, tailored to their needs.
  • AWS Integration: Works seamlessly with AWS services like CloudFront, API Gateway, and Load Balancers.
  • Bot Control: Provides features to identify and mitigate harmful bot traffic.
  • Detailed Metrics and Logging: Publishes per-rule metrics and sampled requests to Amazon CloudWatch, and can send full request logs to CloudWatch Logs, S3, or Kinesis Data Firehose for granular visibility and forensics.
  • Flexible Pricing: Pay-as-you-go model ensures you only pay for what you use.

When to Use AWS WAF:

  • Best suited for businesses heavily invested in the AWS ecosystem.
  • Ideal for teams that need granular control over application security.

Setting Up AWS WAF

  1. Log In:
  • Access the AWS Management Console and navigate to AWS WAF & Shield.
  2. Create Web ACL:
  • Define the scope: Global for CloudFront distributions (the Web ACL must be created in us-east-1) or Regional for resources such as an ALB, API Gateway, or AppSync API.
  • Name the Web ACL and associate it with the resources to protect.
  3. Add Rules:
  • Use AWS Managed Rules (e.g., the Core rule set, AWSManagedRulesCommonRuleSet, which covers the OWASP Top 10 categories) or create Custom Rules, including rate-based rules, for specific traffic patterns.
  4. Set Rule Priority:
  • Each rule gets a unique numeric priority; lower numbers are evaluated first, and the first terminating action (allow or block) wins.
  5. Review and Save:
  • Choose the default action for requests that match no rule (usually Allow), review your setup, and click Create Web ACL to deploy. Enable logging so that blocked requests can be investigated.

Market Comparison

| WAF Tool | Strengths | Weaknesses | Integration |
| --- | --- | --- | --- |
| Cloudflare | Easy to use, scalable, DDoS protection included | Less low-level control than AWS WAF or a self-hosted WAF | Runs in front of any origin proxied through Cloudflare's network |
| AWS | Highly customizable, works with AWS services | Complex setup for beginners | Best for AWS users (CloudFront, ALB, API Gateway) |
| Fortinet | Strong security, works in any setup (appliance, VM, cloud) | Expensive for small businesses | Connects with other Fortinet tools |
| Imperva | Advanced threat detection | High cost | Supports various platforms (cloud and on-premise) |
| ModSecurity | Free, highly customizable, large community ruleset (OWASP CRS) | Requires technical skill to tune and maintain | Works with Apache, Nginx, etc. |

Conclusion

Web Application Firewalls (WAFs) are essential tools for keeping websites and apps safe from attacks like SQL injection, XSS, and DDoS. They help protect sensitive data, keep websites running, and save developers time by handling common attack patterns at the edge instead of in every endpoint.

Different WAFs, like Cloudflare and AWS, have different strengths. Cloudflare is simple and quick to set up, while AWS offers more fine-grained control and integrates tightly with other AWS services. Choosing the right WAF depends on your needs, such as how much customization you want and which platform your application already runs on.

In today’s fast-paced development world, a good WAF does more than block threats—it helps developers focus on building great apps while keeping everything secure and stable.
