According to Barracuda Networks, 59% of global firms use web application firewalls (WAFs) to protect their servers and applications. But what types of WAFs are there and what does a WAF do? Let’s find out!

When it comes to cybersecurity, there are many options, tools, and technologies available. You can hire security staff to keep an eye on your security defenses or hire a third-party managed security partner (MSP) for that purpose. But if you’re on a budget, there are less expensive options available on the market — one such example is a web application firewall (WAF).

Security tools such as malware detectors, automated vulnerability scanners, and DNS filters are other affordable options for protecting your website, applications, and databases. But we’re not focusing on those in this particular piece.

In this article, we’ll instead cover what a web application firewall is, how it works, and explore the three main types of WAFs.

What Is a Web Application Firewall? WAFs Explained

A WAF is a type of security software or hardware component that filters HTTP/S traffic coming from clients in order to protect a server from malicious traffic. The web application firewall works like a shield that’s placed between a website server and the internet. It continuously monitors the web traffic coming to your web application and blocks anything suspicious.

A WAF protects the servers from attacks such as:

A WAF also prevents data from leaking from the server. While a vulnerability scanner points out the holes in security defenses, a web application firewall makes sure a hacker can’t exploit those vulnerabilities.

A web application firewall provides application-layer security. This is the top layer of data processing of the Open Systems Interconnection (OSI) Model and directly interacts with clients. Whenever a client makes a request, it first reaches this layer. The WAF sits in front of this layer as an extra shield to scrutinize the traffic and protect it from various threats.

osi model websec

How Does a Web Application Benefit Your Organization?

As we already learned, a WAF helps to protect your web apps against common attackers who use XSS, SQL injections and DDoS attacks. But what does it do in terms of providing other benefits?

  • Frees up your IT and security personnel. Your employees are one of your organization’s biggest security assets. If they’re tied up performing monotonous and repetitive tasks (like monitoring traffic), then it takes them away from focusing on other essential functions.
  • Ensures compliance by helping secure data. Compliance is critical to every organization and business, and a critical aspect of many regulations and laws is keeping data secure. Being non-compliant with industry and geographic regulations spells bad news and can result in costly penalties.
  • Helps protect your reputation. If your web apps and services continually experience outages or issues due to attacks, it’s going to affect your brand’s reputation and your relationships with customers.

Breaking Down How Web Application Firewalls Work

A WAF is an intermediate connection point positioned between an application’s server and client, working on a reverse proxy principle. The proxy server protects clients from malicious traffic from the server, while a reverse proxy shields the application server from exposure to dangerous client requests. All clients must pass through strong scrutiny before reaching the server.

application layer explained

A web application firewall uses a framework of policies — a set of rules that decide what types of traffic are considered malicious and how to respond in the event of a potential cyberattack. These policies decide the speed, ease, and level of security a WAF provides, and some are customizable.

WAF policies can be positive or negative:

  • A positive framework has a list of clients and the types of traffic it should route to the server, which is also known as the allowlist or whitelist. It blocks all other traffic that does not match the list’s criteria. Consider this real-world example of a positive framework. Say, you’re hosting an event that requires attendees to RSVP. You’ll have a list of invitees and have a system in place at the event hall that ensures only people whose names are on the list can enter. Anyone who’s not on the list will be denied entry.
  • A negative framework has a set of rules, known as blocklist or blacklist, that specifies which type of traffic should be blocked. It has policies that help the WAF detect a cyberattack and know how to respond. It’s like a security guard outside a bar who is asked to check IDs and not admit those who don’t meet the minimum legal drinking age.

3 Common Types of Web Application Firewall

There are three main types of WAFs, each with pros and cons. Let’s explore them briefly:

1. Hardware-Based WAFs

Hardware-based WAFs consist of physical equipment that is installed locally within a local area network (LAN).

These are some of the popular hardware-based web application firewalls:


  • Because a WAF is typically hardware that’s installed exclusively for your organization, it doesn’t inspect any other organizations’ traffic on the sharing bases (unlike cloud-based firewalls). So, it’s unlikely that your WAF will become overburdened and overloaded.
  • Because this physical appliance is one that you’ll want to store in-house, it means that it is something you can keep close and protected.

  • Because it is a physical appliance, it requires physical storage and regular maintenance. The storage area must be secure (with guards, an alarm system, strong door locks, etc.) to prevent attackers from accessing the room and tampering with the WAF.
  • Hardware-based WAFs are generally the most expensive, and can cost up to $10,000 (one-time purchase cost, excluding repairs and maintenance).
  • Like a lot of expensive equipment, these firewalls are designed to last for a long time. But because cyber threats are evolving rapidly, it is challenging to upgrade the hardware components frequently enough to combat the latest threats.

2. Cloud-Based WAFs

These virtual firewalls are easy to implement and are also affordable. Here, each WAF’s functionalities are offered as a service. You need to buy the WAF from the vendor and make changes in your DNS settings to redirect traffic to the firewall.

There are many cloud-based WAF providers in the market, but one of the most popular, advanced, and affordable options is offered by DigiCert known as DigiCert Secure Site Pro OV SSL (the all-in-one website security tool). It comes with a bundle of other excellent security products and starts at just $142 per year.


  • Unlike hardware-based firewalls, where replacing an old firewall with a new one involves scrapping or reselling the old one and paying to install the new one, cloud-based firewalls are easily replaceable.
  • Payment models are monthly or yearly, and you can switch vendors whenever you want without any major hassles.
  • If there are any upgrades needed, the vendor can directly apply them to the firewall as and when needed to meet the latest threats.


  • The major disadvantage of a cloud-based web application firewall is that you are totally dependent upon a third party. You don’t have the same level of control as you do with an on-prem appliance because it’s not housed within your facility.
  • Unlike hardware-based firewalls that work exclusively for your servers, cloud WAF vendors have many clients using the same service. If the vendors’ servers are overburdened or down, your security can suffer.

3. Host-Based WAFs

These types of firewalls are installed in the application’s software itself. They are integrated into the server. It’s just like an app you install on your phone or antivirus software on your PC.


  • They are less expensive than appliance firewalls and more customizable than cloud-based ones.


  • The major disadvantage of a host-based firewall is that it uses the server’s resources and space. So, in the event of a major cyberattack, it consumes more resources and might make the application slower.

Summarizing the Role of a WAF in Cyber Security

A web application firewall is a security layer between your application and the internet. The WAF filters web traffic coming to your server and protects it from various cyber threats. It works on the principles of reverse-proxy and protects the application layer.

There are three types of WAFs: hardware-based, cloud-based, and host-based. Each of them comes with a variety of advantages and disadvantages. As an application owner or webmaster, you should select the most suitable option for your situation — weighing costs, ease of implementation and updates, and resource consumption.

For a list of other website security tips and information about how to secure a database, check out our other resources.