Web Application Firewall vs. Web Application Proxy: What You Need to Know

For most businesses, one way to build positive customer perception is by showing your commitment to data privacy and protection. 

Developing and maintaining a secure IT environment where customers don't have to worry about data breaches while making payments or sharing personal information can help you earn and keep people's trust. It can also improve your website and network’s performance, which is essential to providing a positive customer experience. 

To ensure the security of your networks, you have to set up a complete cybersecurity framework with multiple layers of protection. Your web applications—which have become a target of more sophisticated attacks—can benefit from having an additional defense against data theft. 

At ITS, we help hundreds of businesses make smart choices about their technology. Here, we’ll go over the two security options for your web applications, which are: 

Web Application Firewall (WAF) and Web Application Proxy (WAP).  

And by the end of this article, you’ll know: 

• How each one works,  
• Their pros and cons and which works best for your type of business. 

But before we delve into the article, here’s what you should know: a Web Application Firewall is not the same as a Web Application Proxy. We’ll start off with the former.  

What is a Web Application Firewall (WAF)? 

WAF protects your websites from different types of threats by monitoring and blocking suspicious activities before they reach your server. It is designed to be your first line of defense to prevent attacks on web applications.  

Watch this video to get an in-depth explanation: 

How WAF Works 

When a user tries to visit your website, a request is sent to your server. Before the request reaches the server, WAF inspects it to determine whether the user passes your predetermined policies. Policies are rules that determine whether an activity or traffic is malicious. 

Think of WAF as security personnel at a party. If a guest doesn’t carry an invitation and doesn’t wear clothes that match the dress code, the guard will have to deny him entry. Similarly, WAF blocks requests that are suspicious or don’t pass the set policies and allows those that meet the rules. 

Important Features 

1. Improves website's speed 

Like other reverse proxies, WAFs have caching mechanisms, which help offload servers and reduce user response time.

2. Prevents cyberattacks 

WAFs offer protection against: 

• Structured query language (SQL) Injection: This occurs when attackers use malicious SQL statements to access confidential data like contact numbers and passwords. 
• Distributed Denial-of-Service (DDoS) Attack: This happens when multiple machines working collectively attack one target by creating fake traffic to make your website inaccessible to users or cover other malicious activities. 
• Cross-Site Scripting (XSS): This takes place when attackers inject malicious code into a legitimate website to steal users’ data in their browsers. 

Cons of using WAF

1. Doesn’t offer enough protection 

WAFs are great in filtering easily identifiable threats but are not reliable in detecting vulnerabilities that don't have the attributes of typical cyberattacks such as zero-day attacks. 

A survey conducted by Ponemon Institute shows that only 9% of WAF users have never experienced any data breach. 

2. Expensive and high maintenance 

WAFs are not only hard to set up but also expensive to maintain and support. Changes in web applications, features, and your entire security infrastructure also mean updates in WAFs. 

Hiring a managed support may be more beneficial to oversee your network and identify threats before they can cause damage. 

What is a Web Application Proxy (WAP)? 

WAP allows you to provide access to applications on your server to end-users and their devices that are not under your domain without compromising the backend servers. 

Kyle Kohler, Technical Sales Engineer from ITS San Francisco, says, 

“WAP is a way for Microsoft to provide you with a relay into some other web service, either on-premises or in the Cloud. It’s like a front door that hides where your real front door is. This is a security service in which you’re proxying your connections, so unauthorized people cannot easily detect where your Web Service is held.”  

We’ve written a piece on Microsoft’s Azure AD Application Proxy to explain better how Proxies work. Read here.  

How WAP Works 

Publishing refers to the process of making corporate applications accessible to external users. 

“If you have any on-premise web services and you're trying to make it available remotely, the immediate response is to open up the firewall to allow traffic. However, that’s a door you wouldn’t want to be accessible to just anyone at any given time due to security reasons. So, the alternative is to use a WAP. This keeps the door to your firewall closed for the world and is open only for Microsoft services.” Kohler mentioned.  

When you publish applications through WAP, users can access your company's applications from their personal laptops or smartphones anytime and anywhere. WAP provides protection from external threats even though the users are on unmanaged devices. 

It is deployed with Active Directory Federation Services (AD FS) for authentication and authorization. AD FS secures your corporate applications from unauthorized and unauthenticated users. 

Important Features

1. Has multiple authentication protocols

WAPs allow you to get the benefits of AD FS authentication, which include: 

• Single Sign-On (SSO): Enables users to enter their credentials once and be authenticated on subsequent occasions 
• Workplace Join: Allows users to use their laptops or smartphones to join the workplace after the AD FS administrator configures the applications. Users have to register their devices to be granted access to applications.

2. Protects you from DDoS attacks 

WAPs block DDoS attacks before they even arrive at the backend servers. 

3. Ensures network isolation

WAPs allow external users to access corporate applications without providing direct access to backend servers. 

Cons of using WAP

1. Secure hardware requirements 

To run a WAP, you need a computer that passes the hardware requirements for Windows Server 2012 R2. 

2. Set up AD FS servers 

WAP requires you to set up an AD FS server, but it should be installed in a separate server. 

AD FS also has security risks and must be properly installed to avoid issues. 

Web Application Firewall vs. Web Application Proxy: Which works best for your business? 

“WAP may operate similarly to a WAF, but it’s just not the same. WAF has more settings and complex keys while WAP is basically an on and off service, you can use if you want to route your services through the Microsoft Proxy at a one-time loading." Kohler explains. 

If your business follows high-security standards and deals with sensitive customer data like Social Security numbers and credit card information, WAF is highly recommended. These include retailers, banks, and healthcare providers. 

On the other hand, if you want to give access to your published corporate applications to external users and isolate your AD FS servers simultaneously, deploying WAP is ideal for your organization. WAP is best for businesses that aim to prevent direct access to their AD FS servers. 

Need help setting up Web Application Firewall and Proxy? 

As a Managed IT Service Provider, ITS ensures you get the best security solution for your web applications and your entire business network. Download and read this e-book to know what else you can do to bolster your cybersecurity.