A Web Application Firewall (WAF) is a security control that monitors, filters, and blocks harmful HTTP traffic to and from web applications. By applying a set of rules, usually called a WAF policy, it inspects each request to protect applications from attacks such as SQL injection, cross-site scripting (XSS), local and remote file inclusion, and other attacks aimed at the application itself.
Unlike traditional network firewalls, which filter on addresses, ports, and protocols at layers 3 and 4, WAFs provide specialized protection for application-layer (layer 7) traffic. They serve as a protective barrier between an application and the internet, scrutinizing every HTTP request (and, in many products, every response) before it reaches the application or the client.
This allows a WAF to identify and mitigate threats in real time, helping to preserve the security and integrity of web applications while keeping them available to legitimate users.
A web application firewall typically operates as a reverse proxy, standing between clients and the web application server (some WAFs run instead as a module inside the web server, as ModSecurity does in Apache and NGINX). It intercepts and analyzes each HTTP request before it reaches the server: requests that match its security rules are blocked or flagged, and the rest are forwarded. A WAF reduces the attack surface the application is exposed to; it does not guarantee that the traffic it forwards is safe, because its rules cover known attack patterns, not every flaw in the application behind it.
By functioning at the application layer of the OSI model, a WAF provides targeted protection against application-specific attacks. It scrutinizes the content and context of web traffic using a set of rules or policies, which can be based on patterns known to be malicious (signature-based detection) or on deviations from normal behavior (anomaly-based detection). Neither method is free of false positives, so a new policy is normally run in detection-only (count) mode and tuned against real traffic before it is allowed to block.
When a request matches a rule indicating a potential threat, the WAF takes action according to its configuration: blocking the request, logging it, redirecting or challenging the client (for example with a CAPTCHA), or allowing it after further inspection.
A WAF typically includes the following components.
The detection engine analyzes incoming requests against a set of rules or signatures to detect malicious activities such as SQL injection and cross-site scripting (XSS). It uses signature-based and anomaly-based detection methods to recognize known attack patterns as well as unusual behavior that could indicate a new or evolving threat.
The proxy server acts as an intermediary between the user’s requests and the web application server. It receives requests from users, evaluates them based on security rules, and then either forwards them to the application server or blocks them if they are deemed malicious. This allows the WAF to inspect, modify, accept, or reject HTTP requests before they interact with the app.
The management interface serves as the central control panel for administrators, providing tools and options to configure WAF settings and policies. It enables the creation, modification, and deletion of security rules. A user-friendly dashboard displays key metrics and alerts, allowing users to monitor traffic and analyze logs to identify patterns or threats.
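The following is an added example, not Coralogix's code or any vendor's engine, that puts the preceding sections together: a detection engine that runs signature rules over the parts of a request a proxy would inspect, accumulates an anomaly score instead of blocking on the first match, and a decision function with an enforce flag that switches between inline blocking and detection-only behaviour. The rule ids, patterns, scores, threshold and sample requests are all constructed for illustration; a real rule set such as the OWASP Core Rule Set is far larger and more carefully tuned.

```python
"""Minimal WAF detection engine with signature rules and anomaly scoring.

Added example, not Coralogix's or any vendor's code. The rule ids, patterns,
scores, threshold and sample requests are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: dict     # raw (still URL-encoded) query parameters
    headers: dict
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    score: int      # anomaly points added when the pattern matches


# Constructed signature rules. Each match adds points instead of blocking
# outright, so weak signals can combine while a single weak signal cannot
# block a legitimate request on its own.
RULES = [
    Rule("SQLI-001", "SQLi: quoted tautology, line comment or block comment",
         re.compile(r"('|\")\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|--\s|/\*", re.I), 5),
    Rule("SQLI-002", "SQLi: UNION ... SELECT",
         re.compile(r"\bunion\b[\s\S]{0,20}\bselect\b", re.I), 5),
    Rule("SQLI-003", "SQL keyword in a parameter (weak signal, prone to false positives)",
         re.compile(r"\b(select|insert|update|delete|drop)\b", re.I), 3),
    Rule("XSS-001", "XSS: script tag or inline event handler",
         re.compile(r"<\s*script|\bon\w+\s*=\s*[\"']?\s*\w", re.I), 5),
    Rule("LFI-001", "Path traversal",
         re.compile(r"(\.\./|\.\.\\)"), 5),
    Rule("SCAN-001", "Known scanner User-Agent (weak signal)",
         re.compile(r"\b(sqlmap|nikto|nmap|masscan)\b", re.I), 2),
]

BLOCK_THRESHOLD = 5     # inbound anomaly score at which the request is blocked


def normalize(value: str) -> str:
    """Decode URL encoding twice so a double-encoded payload (e.g. %2527 for
    the quote character) cannot hide from the patterns."""
    return unquote_plus(unquote_plus(value))


def targets(req: Request):
    """Yield the (location, value) pairs the engine inspects."""
    yield "path", req.path
    for name, value in req.query.items():
        yield f"query:{name}", value
    for name, value in req.headers.items():
        if name.lower() in ("user-agent", "referer", "cookie"):
            yield f"header:{name.lower()}", value
    if req.body:
        yield "body", req.body


def inspect(req: Request):
    """Signature pass: run every rule over every target, accumulating an
    anomaly score. Returns (score, [(rule_id, location), ...])."""
    score, matches = 0, []
    for location, raw in targets(req):
        value = normalize(raw)
        for rule in RULES:
            if rule.pattern.search(value):
                score += rule.score
                matches.append((rule.rule_id, location))
    return score, matches


def decide(req: Request, enforce: bool = True) -> dict:
    """The proxy's decision for one request.

    enforce=True  -> inline/blocking mode: score >= threshold is blocked.
    enforce=False -> detection-only mode: the same finding is logged and the
                     request is forwarded, which is how a new policy is tuned
                     for false positives before it is allowed to block.
    """
    score, matches = inspect(req)
    if score >= BLOCK_THRESHOLD:
        action = "block" if enforce else "log"
    else:
        action = "allow"
    return {"action": action, "score": score, "matches": matches}


if __name__ == "__main__":
    # Constructed sample traffic: benign, classic SQLi, a false-positive-prone
    # phrase on its own, and the same phrase combined with a scanner User-Agent.
    samples = [
        Request("GET", "/search", {"q": "red+shoes"}, {}),
        Request("GET", "/search", {"q": "%27+OR+%271%27%3D%271"}, {}),
        Request("GET", "/search", {"q": "select+your+size"}, {}),
        Request("GET", "/search", {"q": "select+your+size"},
                {"User-Agent": "sqlmap/1.7.2"}),
    ]
    for r in samples:
        print(r.query, r.headers, decide(r))
```

The scoring model is the point: the phrase "select your size" alone scores 3 and is allowed, but the same phrase sent by a scanner User-Agent crosses the threshold and is blocked, while a genuine injection string is blocked on its own. Running `decide(..., enforce=False)` against production traffic and reviewing the "log" decisions is the tuning step a practitioner performs before turning enforcement on.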
Web application firewalls are usually available in different modes or types of deployment, based on the environment used and the threats being defended against.
In inline mode, a WAF is positioned directly in the path of traffic between clients and the web application server. All incoming and outgoing traffic must pass through the WAF, so it can inspect and filter malicious requests before they reach the server and block attacks in real time, rather than just monitoring or logging them. The trade-off is that the WAF is now in the critical path: its latency and availability directly affect the application, and a false positive blocks a real user, so inline deployments need high availability and a deliberately chosen fail-open or fail-closed behaviour.
Bridge mode, as the term is used here, positions the WAF to monitor network traffic without intercepting or altering packets. In this passive deployment the WAF receives a copy of the traffic (from a mirror or SPAN port or a network tap) and analyzes it for signs of malicious activity. It is useful for detection, auditing, and tuning a rule set without affecting application performance, with the limitation that it can alert on an attack but cannot stop it. Be aware that many vendors use "bridge" or "transparent bridge" for a layer 2 deployment that is inline but needs no IP address changes; when evaluating a product, confirm which of the two is meant.
Cloud-based WAF solutions are hosted on remote servers managed by third-party providers, offering a flexible and scalable approach to web application security. They protect web applications without the need for on-premises hardware or IT infrastructure, and by leveraging cloud computing resources they can absorb fluctuating traffic volumes, including sudden spikes.
This deployment model suits organizations with limited IT resources. Cloud-based WAFs usually provide global threat intelligence and automatic rule updates, keeping protection current against newly published vulnerabilities and attack vectors. Because traffic is steered to the provider by DNS, the origin server must be restricted (for example by firewalling it to the provider's published IP ranges or requiring a header the provider injects) so that an attacker who discovers the origin address cannot simply bypass the WAF.
Appliance-based WAFs are physical devices installed within an organization's network infrastructure, providing dedicated protection for web applications against application-level attacks. Situated on-premises, they give organizations complete control over the firewall and direct access to its hardware resources.
This setup is especially useful for entities with stringent compliance requirements or data sovereignty needs. These WAFs can be optimized for specific environments, offering high-performance capabilities and low latency due to their proximity to the web applications they secure. However, they require upfront investment in hardware and ongoing maintenance.
AWS WAF’s architecture is designed around a central component known as the web ACL (Access Control List), which functions as the primary inspection and decision point for incoming requests to web applications.
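To make the web ACL's role as the decision point concrete, here is an added example, not AWS code, that models locally how a web ACL reaches its verdict: rules are checked in ascending Priority, Allow and Block terminate evaluation, Count records the match and continues, and the DefaultAction applies when no rule terminated. The statement keys used here (IPSet, ByteMatch, RateBased) are deliberate simplifications of the real wafv2 JSON, and the web ACL, request count and requests are constructed for illustration.

```python
"""Local model of how an AWS WAF web ACL reaches a decision.

Added example, not AWS code. The evaluation order mirrors the documented
web ACL behaviour; the statement grammar is a simplified stand-in for the
real wafv2 JSON, and the web ACL and requests are constructed.
"""
import ipaddress

# Constructed web ACL. Priorities are chosen to show that a terminating Allow
# early in the order short-circuits every later rule, including the rate limit.
WEB_ACL = {
    "Name": "example-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "allow-office", "Priority": 0,
         "Statement": {"IPSet": ["203.0.113.0/24"]},
         "Action": {"Allow": {}}},
        {"Name": "block-bad-ua", "Priority": 10,
         "Statement": {"ByteMatch": {"Field": "header:user-agent", "Contains": "sqlmap"}},
         "Action": {"Block": {}}},
        {"Name": "count-admin", "Priority": 20,
         "Statement": {"ByteMatch": {"Field": "uri", "Contains": "/admin"}},
         "Action": {"Count": {}}},
        {"Name": "rate-limit", "Priority": 30,
         "Statement": {"RateBased": {"Limit": 100}},
         "Action": {"Block": {}}},
    ],
}


def statement_matches(stmt: dict, req: dict) -> bool:
    """Evaluate one simplified rule statement against a request."""
    if "IPSet" in stmt:
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(cidr) for cidr in stmt["IPSet"])
    if "ByteMatch" in stmt:
        field = stmt["ByteMatch"]["Field"]
        needle = stmt["ByteMatch"]["Contains"].lower()
        if field == "uri":
            haystack = req["uri"]
        else:                                   # "header:<name>"
            haystack = req["headers"].get(field.split(":", 1)[1], "")
        return needle in haystack.lower()
    if "RateBased" in stmt:
        # A real rate-based rule counts requests per aggregation key over its
        # evaluation window; here the caller supplies that count directly.
        return req["recent_requests"] > stmt["RateBased"]["Limit"]
    raise ValueError(f"unsupported statement: {stmt}")


def evaluate(web_acl: dict, req: dict) -> dict:
    """Walk the rules in priority order and return the web ACL's decision."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not statement_matches(rule["Statement"], req):
            continue
        action = next(iter(rule["Action"]))     # "Allow", "Block" or "Count"
        if action == "Count":
            counted.append(rule["Name"])        # non-terminating: keep going
            continue
        return {"action": action.lower(), "rule": rule["Name"], "counted": counted}
    default = next(iter(web_acl["DefaultAction"])).lower()
    return {"action": default, "rule": None, "counted": counted}


if __name__ == "__main__":
    # Constructed requests: a scanner from the office range, the same scanner
    # from outside, a quiet admin visit, and a flood against /admin.
    for req in [
        {"ip": "203.0.113.7", "uri": "/admin/login",
         "headers": {"user-agent": "sqlmap/1.7"}, "recent_requests": 5000},
        {"ip": "198.51.100.9", "uri": "/",
         "headers": {"user-agent": "sqlmap/1.7"}, "recent_requests": 1},
        {"ip": "198.51.100.9", "uri": "/admin/login",
         "headers": {"user-agent": "Mozilla/5.0"}, "recent_requests": 10},
        {"ip": "198.51.100.9", "uri": "/admin/login",
         "headers": {"user-agent": "Mozilla/5.0"}, "recent_requests": 500},
    ]:
        print(req["ip"], req["uri"], evaluate(WEB_ACL, req))
```

Two things worth checking in any real web ACL fall out of this model: a low-priority Allow (the office allow-list) exempts those sources from every rule below it, scanner block and rate limit included, which may or may not be intended; and Count is non-terminating, which is what makes it the standard way to trial a new rule or managed rule group against live traffic before switching its action to Block.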
In the reference architecture shown, the solution is deployed through a CloudFormation template that integrates various AWS resources with AWS WAF to shield web applications from common attacks. Upon initial setup, users select which protective components to activate.
The AWS WAF architecture comprises several key components: