How does WAF work?

WAF usually resides in front of web servers, by placing a filtration barrier between the targeted server and the attacker. the WAF is able to protect against attacks like cross-site forgery, cross-site scripting and SQL injection in real time. Learn more about mlytics Enhanced Security feature.

Working model

  • Positive Security Model – PSM or Whitelisting only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for casting a wide metaphorical fishing net for blocking possible cyber-attacks, but just as fishing nets also catch a lot of matter that a fisherman can’t sell, whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.

  • Negative Security Model – NSM or Blacklisting uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. For example, if a number of IP addresses send a lot more packets than is typical for that many IP addresses being used to surf a website, a blacklisting firewall can effectively prevent DDoS attacks. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet because those targets can get a lot of legitimate web traffic from unfamiliar client machines. OWASP CRS works in NSM WAF.

  • Hybrid Model – Some web applications can also be configured according to a hybrid security model that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.

Previous article:
« What is a web application firewall (WAF)?