1. What is WAF?
WAF (Web Application Firewall) is a specialized security system that monitors, filters, and blocks malicious HTTP/HTTPS traffic to protect web applications from cyberattacks and security vulnerabilities. WAF operates at Layer 7 (the application layer) of the OSI model, blocking threats such as SQL injection, XSS, CSRF, and application-layer DDoS attacks.
WAF enforces a set of security rules, known as policies. Every incoming request is evaluated against these rules. If a request violates a rule, WAF blocks it at the network edge before it can interact with the application logic or backend database. If the request is valid, WAF forwards it normally without introducing meaningful latency for legitimate users.

2. Why should organizations use WAF?
Web applications represent the largest and most exploitable attack surface in an organization's digital infrastructure. From e-commerce websites and banking applications to internal portals, all of them expose HTTP/HTTPS endpoints to the public internet. Here are the reasons WAF has become a mandatory element in a modern security strategy:
- Protection against common application vulnerabilities: Most attacks on web applications exploit vulnerabilities listed in the OWASP Top 10, including SQL injection, XSS, broken authentication, and security misconfiguration. WAF is equipped with continuously updated rule sets aligned with OWASP standards, blocking attacks that exploit these vulnerabilities even before the application has been patched.
- Minimizing data breach risk: For organizations in finance, healthcare, or e-commerce, customer data is an asset that must be protected absolutely. WAF creates a control layer that prevents malicious queries from reaching the database, reducing the risk of personal data leakage and regulatory violations.
- Supporting compliance with security standards: Many international security standards such as PCI-DSS (for organizations processing card payments) and ISO 27001 require or strongly recommend deploying WAF. Having a WAF in place helps organizations shorten audit cycles and demonstrate compliance to regulators.
- Protection during patch windows (virtual patching): In practice, organizations cannot always patch vulnerabilities immediately after disclosure. WAF serves as a temporary protection layer, blocking attacks exploiting a newly published vulnerability while waiting for the official patch from the developer.
3. How does WAF work?
WAF sits between users and the application server, acting as a reverse proxy. All HTTP/HTTPS traffic passes through WAF before reaching the application. The WAF processing flow consists of four sequential steps:
3.1 Receiving and analyzing requests
When a user sends a request to a web application, WAF receives it first. WAF analyzes every component of the request, including the URL, headers, body, input parameters, and cookies. This analysis happens in real time without disrupting the experience of legitimate users.
3.2 Matching against security rules
After analysis, WAF checks the request content against the configured security rule set. These rules may be based on known attack signatures (signature-based), anomalous behavior relative to a baseline (anomaly-based), or a combination of both. Modern WAF also applies machine learning to identify new attack patterns not yet present in the signature database.
3.3 Blocking or allowing requests
If a request violates a rule, WAF blocks it and returns an error code (typically HTTP 403) to the user. All information about the blocked request is logged for later analysis. If the request is valid, WAF forwards it to the application as normal. This classification mechanism corresponds to two operating modes: blocklist WAF blocks what is known to be malicious, while allowlist WAF only permits what has been confirmed as safe. The article on types of DDoS attacks provides further context on how application-layer attack techniques are categorized.
3.4 Logging and incident response
Every WAF action is recorded in logs, including blocked requests, source IPs, timestamps, and violation types. This information helps security teams analyze attack trends, fine-tune rules, and build compliance reports. Next-generation WAF also integrates with SIEM systems for real-time incident response.

4. Attack types WAF can block
4.1 SQL injection
SQL injection attacks occur when an attacker injects malicious SQL queries into application input fields to manipulate the database. WAF detects character sequences characteristic of SQL injection in request parameters and blocks the request before the query is executed. This is one of the most severe vulnerabilities, potentially leading to full data exfiltration or complete database deletion.
4.2 Cross-Site Scripting (XSS)
XSS attacks occur when an attacker injects malicious JavaScript into a web page, which then executes in other users' browsers. WAF inspects both request and response content, stripping dangerous script tags and code before they are rendered to end users. XSS is commonly used to steal session tokens, hijack accounts, or redirect users to malicious sites.
4.3 Cross-Site Request Forgery (CSRF)
CSRF tricks the browser of a logged-in user into performing unintended actions, such as transferring funds, changing passwords, or deleting data. WAF detects requests missing a valid CSRF token and blocks them before the application processes them. This is a widely used attack technique targeting financial applications and e-commerce platforms.
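The following is an added example, not code from this article or from VNETWORK's VNIS. It walks a request through the four steps described in section 3 (parse, match rules, allow or block with a 403, log), using the SQL injection, XSS and CSRF checks of sections 4.1 to 4.3 as its rule set, and supports both the blocklist and allowlist modes mentioned in 3.3. The rule IDs, regular expressions, the `X-CSRF-Token` header name, the IP addresses and the sample requests are all constructed for illustration; a production rule set such as the OWASP Core Rule Set is far larger and uses anomaly scoring rather than first-match blocking.

```python
import json
import re
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """The parts of an HTTP request the WAF inspects (constructed model, not a server API)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""
    cookies: dict = field(default_factory=dict)
    source_ip: str = "198.51.100.10"  # constructed, RFC 5737 documentation range


@dataclass
class Decision:
    action: str          # "allow" or "block"
    status: int          # what the client sees: 200 pass-through, 403 blocked
    rule_id: str = ""    # which rule fired, for the log
    location: str = ""   # where in the request the match was found


# Step 2 inputs: a deliberately tiny, constructed signature set. Real rule sets hold
# hundreds of patterns; these only show the shape of signature matching.
SIGNATURE_RULES = [
    ("SQLI-001", re.compile(r"(?i)\bunion\b[\s/*]+\bselect\b")),
    ("SQLI-002", re.compile(r"(?i)'\s*or\s+'?\w+'?\s*=\s*'?\w+")),
    ("SQLI-003", re.compile(r"(?i);\s*(drop|delete|update|insert)\b")),
    # Event-handler names are enumerated rather than matched with on\w+ so that ordinary
    # values such as "only=" do not trigger a false positive.
    ("XSS-001", re.compile(r"(?i)<\s*script\b|javascript\s*:|\bon(load|error|click|mouseover|focus)\s*=")),
]
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def inspection_points(req):
    """Step 1: yield (location, value) for every inspected field. parse_qs percent-decodes,
    so encoded payloads are matched in decoded form; matching raw bytes would miss them."""
    parts = urlsplit(req.url)
    yield "path", parts.path
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            yield f"query:{name}", v
    for name, v in req.cookies.items():
        yield f"cookie:{name}", v
    ctype = req.headers.get("Content-Type", "")
    if req.body and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req.body, keep_blank_values=True).items():
            for v in values:
                yield f"body:{name}", v
    elif req.body:
        yield "body", req.body


def evaluate(req, mode="blocklist", allowlist=frozenset()):
    """Steps 2 and 3: match the request against the rules and decide.
    blocklist mode blocks only what matches a signature; allowlist mode first rejects any
    (method, path) pair not explicitly permitted, then still applies the signatures."""
    path = urlsplit(req.url).path
    if mode == "allowlist" and (req.method, path) not in allowlist:
        return Decision("block", 403, "ALLOWLIST", f"{req.method} {path}")
    # CSRF rule: a state-changing request must carry a token header. Only presence is
    # checked here; validating the token value stays with the application session.
    if req.method in STATE_CHANGING and "X-CSRF-Token" not in req.headers:
        return Decision("block", 403, "CSRF-001", "header:X-CSRF-Token")
    for location, value in inspection_points(req):
        for rule_id, pattern in SIGNATURE_RULES:
            if pattern.search(value):
                return Decision("block", 403, rule_id, location)
    return Decision("allow", 200)


def log_event(req, decision, ts=None):
    """Step 4: one JSON line per decision, the shape a SIEM would ingest."""
    return json.dumps({
        "ts": time.time() if ts is None else ts,
        "src_ip": req.source_ip,
        "method": req.method,
        "path": urlsplit(req.url).path,
        "action": decision.action,
        "status": decision.status,
        "rule_id": decision.rule_id,
        "location": decision.location,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample traffic: an SQL injection probe, a reflected-XSS probe,
    # a form post without a CSRF token, and a benign search that contains "union".
    samples = [
        Request("GET", "/search?q=%27+OR+%271%27%3D%271"),
        Request("GET", "/comment?text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
        Request("POST", "/transfer", {"Content-Type": "application/x-www-form-urlencoded"}, "amount=100"),
        Request("GET", "/search?q=union+jack"),
    ]
    for r in samples:
        print(log_event(r, evaluate(r), ts=0))
```

Two design points matter more than the patterns themselves. Matching happens on decoded values, because a rule applied to the raw `%27+OR+...` string would never fire; and every block records the rule ID and the location of the match, which is what the "Rule set accuracy" criterion in section 7 depends on in practice, since the log is how a team finds and tunes the rule behind a false positive.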
4.4 Application-layer DDoS attacks
DDoS attacks at the application layer (Layer 7) send large volumes of requests that are syntactically valid but designed to exhaust the server's processing resources. Unlike volumetric DDoS attacks, this type is harder to detect because the traffic resembles normal user behavior. WAF identifies anomalous behavior based on frequency and request patterns, then applies rate limiting to block the attack.
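As an added example (not from the article and not VNIS code), here is the frequency-based half of that detection: a per-client sliding-window rate limiter replayed over constructed traffic containing one person browsing ten pages in a minute and one client sending 500 well-formed search requests in ten seconds. The thresholds, IP addresses and paths are constructed; request-pattern heuristics and floods spread across many source addresses are outside what this block shows.

```python
from collections import defaultdict, deque


class L7RateLimiter:
    """Per-client sliding-window counter (constructed example). A client may make at most
    `limit` requests in any `window_s`-second span; one that exceeds it is refused for
    `block_s` seconds, so the flood is shed cheaply instead of being recounted every time."""

    def __init__(self, limit, window_s, block_s):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self._hits = defaultdict(deque)   # client -> timestamps still inside the window
        self._blocked_until = {}          # client -> time the temporary block expires

    def check(self, client, now):
        """Record one request at time `now`; return True if it should be forwarded."""
        until = self._blocked_until.get(client)
        if until is not None and now < until:
            return False
        window = self._hits[client]
        while window and now - window[0] >= self.window_s:
            window.popleft()              # drop timestamps that aged out of the window
        window.append(now)
        if len(window) > self.limit:
            self._blocked_until[client] = now + self.block_s
            return False
        return True


def replay(requests, limit=60, window_s=10.0, block_s=30.0):
    """Feed (timestamp, client_ip, path) events through the limiter in time order and
    return per-client counts of served and blocked requests."""
    limiter = L7RateLimiter(limit, window_s, block_s)
    stats = defaultdict(lambda: {"served": 0, "blocked": 0})
    for ts, client, _path in sorted(requests):
        key = "served" if limiter.check(client, ts) else "blocked"
        stats[client][key] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample: one human browsing ten pages over a minute, and one client
    sending 500 syntactically valid search requests in ten seconds (an HTTP flood)."""
    human = [(float(t), "203.0.113.5", f"/page/{i}") for i, t in enumerate(range(0, 60, 6))]
    flood = [(100.0 + i * 0.02, "198.51.100.77", "/search?q=x") for i in range(500)]
    return human + flood


if __name__ == "__main__":
    for client, counts in replay(constructed_traffic()).items():
        print(client, counts)
```

With the defaults, the browsing client is served every request and the flood client gets 60 through before the remaining 440 are refused. The window is keyed on source address only; that is the weakness the page's point about traffic "resembling normal user behavior" implies, since a flood spread thinly over many addresses stays under a per-client limit and needs the behavioural and bot-detection signals the article mentions alongside rate limiting.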
4.5 Other OWASP Top 10 attacks
Beyond the above, WAF also protects applications against many other attack types in the OWASP Top 10 list, including broken access control (unauthorized access to resources), server-side request forgery (SSRF), security misconfiguration, and use of components with known vulnerabilities. WAF rule sets should be updated regularly to keep pace with evolving attack techniques.
5. WAF deployment models
WAF can be deployed in three primary models, each suited to different scales and operational requirements. The choice of model depends on data control requirements, budget, and technical team capability.
5.1 Network-based WAF (hardware deployment)
Network-based WAF is installed directly on dedicated hardware appliances placed within the organization's own datacenter. This model offers the lowest latency because WAF processes traffic locally without going through the internet. However, the upfront investment is high and requires a specialized operations team. It is best suited for financial institutions, banks, or government agencies with strict on-premises data control requirements.
5.2 Host-based WAF (application integration)
Host-based WAF is integrated directly into the application software or server, typically as a module or plugin. This model offers flexibility in customizing rules to the specific characteristics of each application and carries a lower cost than hardware deployment. The tradeoff is that WAF consumes resources on the same server as the application, which can affect performance under high traffic load.
5.3 Cloud-based WAF (cloud service)
Cloud-based WAF is delivered as a service with no upfront infrastructure investment. Organizations simply point their application DNS through the WAF platform to activate protection immediately. This model suits small and medium-sized businesses or organizations that need rapid deployment without a dedicated security team. The provider is responsible for updating rule sets and maintaining the infrastructure.
6. WAF vs. traditional firewall comparison
WAF and traditional firewalls are both network security tools, but they operate at different layers and complement each other rather than replacing one another.
| Criteria | Traditional Firewall | WAF |
|---|---|---|
| Operating layer | Layer 3-4 (Network, Transport) | Layer 7 (Application) |
| Control based on | IP address, port, protocol | HTTP/HTTPS content, parameters, headers |
| SQL injection / XSS detection | No | Yes |
| API protection | No | Yes |
| Best suited for | Protecting internal network infrastructure | Protecting web applications and APIs |
| Recommended approach | Use both together | Use both together |
The optimal security strategy is to deploy both layers: traditional firewall protecting the network layer, WAF protecting the application layer. This is the core principle of the Defense in Depth model recommended by international security organizations.
7. Criteria for selecting the right WAF
Not every WAF solution fits every organization. Here are the criteria to evaluate before making a decision:
- Rule set accuracy: WAF needs a low false positive rate, meaning it does not incorrectly block legitimate user requests. The rule set should be continuously updated to address newly discovered vulnerabilities.
- API protection capability: Modern applications communicate heavily through APIs. WAF must support REST API and GraphQL protection, not just traditional web traffic.
- Performance and latency: WAF should process traffic without introducing significant latency. Cloud WAF with globally distributed infrastructure generally handles this better than on-premises solutions.
- Rule customization: Each application has its own characteristics. A good WAF allows technical teams to add custom rules aligned with the specific logic of the organization's application.
- Dashboard and monitoring capability: A clear management interface, detailed logs, and automated reporting help security teams respond to incidents faster and meet compliance audit requirements.
- Technical support: Especially important for organizations without a dedicated security team. The provider should have a 24/7 SOC team ready to respond when an attack occurs.
8. VNIS: Comprehensive Web/App/API security by VNETWORK
VNIS (VNETWORK Internet Security) is VNETWORK's security and performance acceleration platform for Web/App/API, integrating WAF to block common security vulnerabilities aligned with OWASP Top 10 standards. The solution is designed to address two challenges organizations typically face simultaneously: security and performance.
8.1 VNIS two-layer protection model
VNIS operates on a two-layer protection architecture where each layer functions independently and complements the other:
- Layer 1 - AI Smart Load Balancing combined with Multi-CDN: Handles DDoS attacks at the network layer. AI automatically analyzes access behavior, distributes traffic intelligently, and filters out abnormal traffic before it overloads the system.
- Layer 2 - WAAP (Web Application and API Protection) powered by AI: Blocks Layer 7 DDoS, malicious bots, and the full OWASP Top 10 vulnerability list. This layer directly protects the processing logic of web applications and APIs, the most common target for sophisticated attacks.

8.2 Key capabilities
- WAF with continuously updated security rules aligned with OWASP Top 10, blocking SQL injection, XSS, CSRF, and many other application attack types
- Simultaneous protection for Web, App, and API within a single integrated platform, eliminating the need for multiple separate tools
- AI-powered detection and blocking of malicious bots, distinguishing real traffic from automated fake traffic
- Global Multi-CDN ensures applications maintain speed and high availability even during an active attack
- 24/7 SOC team monitoring with emergency response capability when large-scale attacks are detected
8.3 Case study: FireAnt restored overnight during an attack
FireAnt is an investment tools and financial data platform for the stock market, where system availability directly affects tens of thousands of investors during trading hours. Facing continuous DDoS attacks that disrupted the system, FireAnt deployed VNIS from VNETWORK.
Upon receiving an urgent report in the middle of the night, the VNETWORK team immediately isolated the attack source using VNIS's Multi-CDN infrastructure, activated the global CDN to distribute traffic, and responded instantly. As a result, the FireAnt system was restored to stability that same night, preventing any disruption from affecting investors. The FireAnt technical team no longer needed to respond manually. The entire response was handled automatically by VNIS and monitored by VNETWORK's SOC.
9. Conclusion
WAF is an indispensable protection layer for any organization running web applications on the internet. From blocking SQL injection and XSS to defending against application-layer DDoS, WAF protects the layer where traditional firewalls cannot reach. Organizations should combine WAF with other security measures such as regular patching, penetration testing, and data encryption to build a comprehensive Defense in Depth strategy.
If your organization is looking for a WAF solution that combines acceleration and security in one platform, contact the VNETWORK team for a free consultation and a VNIS demo tailored to your infrastructure. Hotline: (028) 7306 8789 or email: contact@vnetwork.vn.
FAQ: Frequently asked questions about WAF
1. How is WAF different from a traditional firewall?
Traditional firewalls operate at Layer 3-4, controlling traffic based on IP addresses and connection ports. WAF (Web Application Firewall) operates at Layer 7, analyzing the content of each HTTP/HTTPS request to detect attacks such as SQL injection and XSS. Traditional firewalls cannot read application content, so WAF and traditional firewalls must be deployed together for comprehensive protection.
2. Can WAF block DDoS attacks?
WAF can block DDoS attacks targeting Layer 7 (the application layer), such as HTTP flood and Slowloris, by analyzing and filtering abnormal requests. To handle large-scale volumetric DDoS attacks at the network layer, WAF needs to be combined with a dedicated anti-DDoS system and distributed CDN infrastructure.
3. Do small businesses need WAF?
Yes. Any organization running a website, web application, or API can become an attack target. Cloud-based WAF today offers flexible pricing with no upfront infrastructure investment and is well-suited for small and medium-sized businesses. The risk of SQL injection or XSS attacks does not depend on the size of the organization.
4. Should I choose Cloud WAF or on-premise WAF?
Cloud WAF suits organizations that want rapid deployment, lack a specialized operations team, and need flexible scalability. On-premise WAF suits organizations with strict data compliance requirements or the need for complete control over security configuration. Many large organizations deploy a hybrid of both models.
5. Can WAF replace other security measures?
No. WAF is one layer within a multi-tier security strategy (Defense in Depth), not a complete replacement for all other measures. WAF needs to work in concert with regular patching, security testing, data encryption, and access controls to create comprehensive protection for web applications.
6. What is OWASP Top 10 and how does WAF protect against it?
OWASP Top 10 is a list of the 10 most dangerous web application security vulnerabilities, maintained by the OWASP (Open Web Application Security Project) organization. WAF is configured with OWASP-aligned rule sets to detect and block vulnerabilities on this list, including SQL injection, XSS, broken authentication, and many other common attack types.