What is a WAF (Web Application Firewall)? A Simple Guide

What would you do if a hacker accessed your website and replaced your finely tuned marketing messages with something unprofessional or defamatory?

What would you do if cybercriminals tried to cut off or impede user access to your website by inundating it with requests (called a DoS or Denial of Service attack)?

Incidents like these can be bad enough – leaving reputational damage and unhappy customers in their wake. But things get considerably bleaker if your website collects personally identifying information or payment details. If hackers are able to access individuals’ sensitive information, the organisation that suffered the attack will have much more to worry about than just reputational damage.

Regardless of what your websites or web-based apps do, the best way to keep attacks at bay is to invest in a Web Application Firewall or “WAF”.

What is a Web Application Firewall (WAF)?

A web application firewall monitors and filters web traffic moving to and from your website or web application, acting as a protective layer around it. WAFs protect websites and online apps from data breaches, attacks arising from security flaws, unauthorised access attempts, denial of service attacks, and more.

How are WAFs different from “regular” firewalls?

Where “regular” network firewalls are designed to protect your network from hacks and unauthorised access, a WAF is designed to protect your website or web applications from hacks and unauthorised access.

My website/web app is hosted on a server within my network – won’t my network firewall protect it?

Probably not. Though firewalls do monitor incoming and outgoing web traffic on their network, they aren’t set up to inspect that traffic for the same kinds of website-focused hacks and misuse that WAFs are. Despite the similar names and similar jobs, the two systems provide very different protection.

In fact, having a website or web app that’s directly connected to your internal network is all the more reason to invest in a WAF – as we’ll discuss below.
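
To make the distinction above concrete, here is an added example (not from the original article, and not a description of how any particular product works) that runs three constructed requests past a port-based firewall rule and a simplified request-inspection rule set. The function names, the two signatures and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Network-firewall view: only protocol and destination port are considered.
ALLOWED_PORTS = {80, 443}

def network_firewall_allows(packet):
    """Layer 3/4 decision: is this TCP traffic to an open web port?"""
    return packet["proto"] == "tcp" and packet["dst_port"] in ALLOWED_PORTS

# WAF view: the HTTP request itself is parsed and inspected.
# Two illustrative signatures only; production rule sets are far larger.
WAF_RULES = {
    "sql-injection": re.compile(
        r"['\"]\s*(or|and)\s+[\w'\"]+\s*=|union\s+select", re.I),
    "cross-site-scripting": re.compile(r"<\s*script\b|\bon\w+\s*=", re.I),
}

def waf_inspect(request_line):
    """Return the names of rules matched by any decoded query parameter."""
    _method, target, _version = request_line.split(" ", 2)
    hits = set()
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for rule, pattern in WAF_RULES.items():
            if pattern.search(value):
                hits.add(rule)
    return sorted(hits)

# Constructed sample traffic: every request arrives on port 443.
SAMPLES = [
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=42%27%20OR%20%271%27=%271 HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
]

def compare(samples):
    """Pair the firewall verdict with the WAF findings for each request."""
    rows = []
    for line in samples:
        packet = {"proto": "tcp", "dst_port": 443, "payload": line}
        rows.append((network_firewall_allows(packet), waf_inspect(line)))
    return rows

if __name__ == "__main__":
    for line, (fw, waf) in zip(SAMPLES, compare(SAMPLES)):
        verdict = "block " + ",".join(waf) if waf else "allow"
        print(f"firewall={'allow' if fw else 'drop'} waf={verdict}  {line}")
```

All three requests pass the port rule because they are ordinary HTTPS traffic; only the inspection step tells the benign request apart from the other two.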

Who Needs a Web Application Firewall?

If any of the following high-risk factors apply to you, then you should probably consider investing in a WAF:

  • If your site collects personally identifiable information and/or payment details. Any company using e-commerce functions should get a WAF.
  • If your site provides access to a web-based cloud app that processes personally identifiable information including usage data, logins, etc.
  • If your website is self-hosted – i.e., it sits on a server that’s attached to your internal network. In this case, a hacker may use your website as a stepping stone to access your network, opening the door to corporate espionage, cyber reconnaissance, data breaches, and more.
  • If your company is growing beyond a “small business” and into the realms of “medium business” in terms of size or turnover. As a company grows, its public presence grows too, making it potentially more of a target.

Even if you don’t fall into any of the above categories, we encourage you to carefully consider your website’s level of risk anyway. If you’re a micro- or small business with a static website that’s hosted externally and doesn’t process personal information, it’s unlikely you’ll need a WAF.

But if your company is particularly high profile for its size or you operate in a particularly divisive field, your level of risk is going to be higher.

Why Use a Web Application Firewall?

If your site or web app is particularly high risk (and especially if you fulfil any of the above bulleted criteria), then without a WAF you’re a sitting duck!

Those without WAF protection risk hacking attempts, denial of service attacks, potential data breaches, and any resulting reputational damage.

And that’s before we get into the potential ramifications of such attacks: disaster recovery and “clean-up” fees; a GDPR investigation and potential fine; punitive charges under PCI DSS; and time spent reporting the crime to the police – all of which sap valuable time and money.

We Recommend: SonicWall SMA100 Series Web Application Firewall

Of all of the WAFs on the market, our tech wizards most highly recommend SonicWall’s SMA100 Series.

The SMA100 Series WAF dynamically protects your website and/or web applications from cybercrime. It achieves this by referring to SonicWall’s global cyber intelligence database, keeping both known and emerging threats at bay.

SonicWall’s WAF makes light work of detecting common attack behaviours and stopping them in their tracks, including DoS attempts, code injection, cross-site scripting, and session hijacking. As well as carrying out real-time intrusion scanning, the SMA100 Series also establishes a baseline of regular website/app usage so it can flag anomalous behaviour and potential risks quickly.

So for industry-leading WAF coverage, or for an informal and confidential chat about your cybersecurity options, get in touch with the team here at Just Firewalls. We’ll take your current cyber worries on board and find solutions that’ll give you ultimate peace of mind. No techy jargon, just security. Call us on 0808 1644414 or drop us a line to request a call back.