A Guide to Web Application Firewall vs. Network-Level Firewall

February 20th, 2020

According to an industry report published last year, over 35% of websites and web applications have at least one “high severity vulnerability.” This surprisingly high statistic demonstrates the necessity of appropriate firewalls to protect your digital environment. 

Not all firewalls protect your systems from the same threats, or in the same locations. The most common firewall products are network firewalls and web application firewalls. Understanding the differences between these two firewall types is crucial to ensuring that you have the appropriate protections in place to provide your business and clients with cutting-edge online security.

What are web application firewalls?

Web application firewalls (WAFs) protect against vulnerabilities that are unique to public-facing web applications, like websites. Conceptually, network communication is divided into seven layers (the OSI model). Within this model, WAFs provide security at the 7th layer, known as the “application layer.”

Pragmatically speaking, WAFs protect against attacks embedded in data transmitted to your web applications. There are a wide variety of web app attacks, but the most common (and critical) include:

  • SQL injection – Malicious SQL statements are smuggled into input your application passes to its database, where they can retrieve, edit, or even delete data.
  • Cross-site scripting (XSS) – Another form of injection: attacker-supplied script is embedded in the pages your app sends to end users, whose browsers then execute it. Those end users, such as your site visitors or clients, are the primary targets of XSS attacks.
  • Distributed denial-of-service (DDoS) – A flood of malicious traffic aimed at an application or network. The traffic attempts to overwhelm your app so that normal requests cannot be processed.

WAFs protect against these attacks, and others, by examining HTTP traffic. They can filter traffic by whitelisting (only letting in explicitly allowed traffic) or blacklisting (only excluding predetermined traffic). WAFs can be deployed as on-premises hardware or virtual machines, or in the cloud through a managed service provider.

How network firewalls differ from web application firewalls

In a technical sense, the difference between application-level firewalls and network-level firewalls is the layers at which they operate. While web application firewalls operate on layer 7 (application), network firewalls operate on layers 3 and 4 (network and transport). WAFs are focused on protecting applications, while network firewalls are more concerned with traffic into and out of your broader network.

Network firewalls were traditionally the main digital protection for businesses. They excel at protecting against network-wide attacks that can attack connected devices and infiltrate systems via LAN. If you provide an internet connection at any business location, a network firewall is still a must-have.

Why you may need both firewalls

While the importance of WAF and network firewalls may vary by business, there’s a good chance that you should employ both technologies to fully protect yourself and your clients. Since each firewall type protects against different attacks, using only one can leave your systems vulnerable. 

For example, a network firewall alone will not provide sufficient protection for publicly accessible websites. Since network firewalls only have visibility into packet headers, and not the packet payload itself, attacks like SQL injection pass straight through them. Only WAF capabilities can block these attacks at the perimeter. Without an application firewall, attackers can infiltrate your broader network through vulnerabilities in your web apps.
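To make the header-versus-payload distinction concrete, here is an added illustration (not from the original article or any vendor product): a toy layer-3/4 filter that decides on address and port alone, beside a toy layer-7 filter that parses the HTTP request and applies either the whitelist or blacklist approach described above. The request samples, IP ranges, and patterns are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: identical source IP and destination port,
# so a header-only filter cannot tell them apart.
REQUESTS = [
    {"src_ip": "203.0.113.10", "dst_port": 443,
     "line": "GET /products?id=42 HTTP/1.1"},                    # benign
    {"src_ip": "203.0.113.10", "dst_port": 443,
     "line": "GET /products?id=42'%20OR%201=1-- HTTP/1.1"},      # injection attempt
    {"src_ip": "203.0.113.10", "dst_port": 443,
     "line": "GET /products?id=42&debug=1 HTTP/1.1"},            # unexpected parameter
]

# Layer 3/4: the network firewall only sees addresses and ports.
ALLOWED_PORTS = {80, 443}
BLOCKED_NETS = ("198.51.100.",)   # constructed blocked range


def network_firewall_allows(req):
    """Decide from header fields only; the HTTP payload is invisible here."""
    if req["src_ip"].startswith(BLOCKED_NETS):
        return False
    return req["dst_port"] in ALLOWED_PORTS


# Layer 7: the WAF parses the request itself.
# Whitelist: every parameter on a known path must match its expected shape.
PARAM_WHITELIST = {"/products": {"id": re.compile(r"^\d{1,9}$")}}
# Blacklist: one generic SQL-injection pattern (illustrative, far from complete).
SQLI_BLACKLIST = re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)


def waf_allows(req, mode="whitelist"):
    """Inspect the request line and query string; deny unknown paths by default."""
    _method, target, _version = req["line"].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if mode == "whitelist":
        expected = PARAM_WHITELIST.get(parts.path)
        if expected is None:
            return False
        return all(name in expected and all(expected[name].match(v) for v in vals)
                   for name, vals in params.items())
    # Blacklist mode: allow anything that does not match a known-bad pattern.
    return not any(SQLI_BLACKLIST.search(v) for vals in params.values() for v in vals)
```

Running the two filters over the samples shows the point of the section: the network firewall admits all three requests, while the WAF rejects the injection attempt in both modes and the whitelist additionally rejects the unexpected `debug` parameter that the blacklist lets through.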

The need for comprehensive security leads to the need for “multi-layer” security across layers 3, 4, and 7. Fortunately, firewall vendors have stepped up to provide such protection. 

What to buy when you want it all

Purchasing and layering separate firewall products for every layer of security is expensive and cumbersome for businesses that want it all. Fortunately, market trends have shifted in favor of comprehensive security packages known either as Next-Generation Firewalls (NGFWs) or Unified Threat Management (UTM) platforms.

There is not yet an industry standard for what constitutes a Next-Generation Firewall. Generally, they combine the capabilities of network and web application firewalls into a centrally managed system, among other features like VPN connections. UTMs tend to be even more comprehensive, including anti-spam, content filtering, and greater network visibility. 

Given the lack of industry standards, you can’t judge a product based on its NGFW/UTM label. Look for more granularity in what capabilities and services a product and vendor can offer you, and don’t be afraid to push on the vendor for clarification.

Whether you should purchase an NGFW/UTM or layer several separate products can vary by business, but there are strong benefits to consolidation in most cases. Having a single pane of visibility into most or all of your digital security makes managing your firewalls much easier, and can frequently be more cost-efficient than purchasing multiple products and licenses. If you’re not sure which approach is best for you, see which approach users similar to you chose as a starting point for exploring your options.

You should also check out what other users have to say about the firewall products on your shortlist. Reviews can frequently provide context on how well various features work in the field, whether users have experienced security breaches post-implementation, and how easy the product is to use. Armed with the right information, you can ensure that you keep your systems, your employees’ devices, and your clients’ data safe and secure.