Types of Web Application Firewalls (WAFs) — How to Choose a WAF?

Note: This is a guest post written by Adam Dawson

Web Application Firewall — or WAF — is a specialized firewall for web apps that protects your public-facing applications from a wide array of attack vectors.

Web Application Firewalls come in three configurations — all having a different set of pros and cons, general and maintenance requirements, and the total cost. So, the question arises: Which type of WAF is the best for your apps? This post discusses this question to help you pick the right Web Application Firewall.

What is a Web Application Firewall?

First and foremost, let’s learn the basics of Web Application Firewalls. A Web Application Firewall is a special version of firewalls that looks for and detects suspicious activities. After finding such an illegitimate activity, it can filter out the activity based on the rules configured by you or your security experts.

A WAF protects your web apps against a large set of attacks including the most common attacks listed under “OWASP Top 10”. For example, it protects from attacks such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and more.

How does a Web Application Firewall (WAF) work? It checks and monitors the incoming online traffic of your web applications and blocks or filters any type of malicious request from reaching to your apps, thus protecting your web apps.

Types of Web Application Firewalls (WAFs)

There are three types of Web Application Firewalls — Network-based WAFs and Host-based WAFs, and Cloud-hosted WAFs.

Let’s get to know them in detail.

Network-based WAFs

Network-based Web Application Firewalls are hardware-based WAFs, i.e., they are usually standalone servers that are connected directly to the application servers using dedicated equipment. However, it’s difficult to administer them since there can be multiple machines that need individual management.

Of course, the major vendors enable some form of configuration replication that allows copying rules and settings across multiple machines. Nevertheless, it all depends on the individual vendor and the number of to-be-managed WAFs.


  • Low network latency since they’re connected directly to the web servers.


  • Cost is typically higher than the other types of WAFs since there is an up-front investment as well as regular maintenance and operational costs.
  • Management is tougher than the other types of WAFs — especially if the vendor doesn’t allow replication of configurations or if you require a huge number of WAFs hosted along with your web application servers.

Host-based WAFs

Host-based Web Application Firewalls are software-based WAFs that are directly integrated into your application’s software. Since they don’t require their own physical equipment, they’re more customizable and manageable than the above mentioned WAFs. However, they do have disadvantages as listed below.


  • Affordable than Network-based WAFs, but overpriced than Cloud-hosted WAFs since their implementation and operation demand more cost.
  • Offers more customizability than Network-based WAFs since they’re built into your apps, so you can modify them along with your applications.
  • Zero network latency since they’re integrated directly into the web apps.


  • Ask for engineering costs and time for integrating into the web apps.
  • Consume local server resources of the app servers, which may slow or bring down the web app itself if the server is not managed properly.
  • Implementation complexity is more than the other two WAFs and may introduce bugs to the app since it’s integrated right into the application.

Cloud-hosted WAFs

Cloud-hosted Web Application Firewalls are the WAFs-in-the-cloud. These are the latest offerings in the security market that minimize your investments and provides new features and latest security updates almost on-the-fly. However, it can be challenging to leave all the responsibilities onto the third-party.


  • Affordable than the other two types of WAFs since they require neither implementation or installation charges nor maintenance costs.
  • Auto updated and maintained to protect against the latest online threats without any additional cost or work required from your part.
  • Minimal up-front investment because they are available as “Security as a Service”, which you opt and pay for monthly or yearly per needs.
  • Easy and quick deployment since they only require you to change DNS.


  • Higher network latency than the other types of WAFs because they’re neither directly connected to nor integrated into the application.
  • Zero responsibility or ownership of the service because they’re managed directly and solely by their third-party providers (vendors).

How to Choose a Web Application Firewall?

You now know all about Web Application Firewalls, but still, it’s not easy to pick a WAF. The reason being: there are a lot of WAFs in the market with their different sets of features and issues. Then, they all have varied forefront and operational costs as well. That said, what’s the solution? How to pick a WAF?

The answer: you must ask some questions before choosing a WAF — some to the service provider (vendor) and some to your operational or technical team. These below-given two sets of questions will help you to better understand your requirements and the features offered by the product to fulfill them.

Ask Questions to the Vendor

[1] Which security threats are detected/secured by the WAF?

You must ensure that the product protects against the common security threats and adds quick-support for detecting the newest threats.

[2] Can you create custom rules for customized protection?

You must confirm that the product allows customizing the protection by white-listing or black-listing rules or creating protocols per your needs.

[3] How well it defends against the attacks targeted to itself?

You should understand its features for protecting itself. For example, it may run on a hardened operating system or with secured components.

[4] Which compliance requirements are fulfilled by the WAF?

You shall ask the vendor that the necessary security compliances such as HIPAA, ISO 27001, and PCI DSS are ensured or not by its app firewall.

[5] Which message/service types are processed by the WAF?

You must ensure that the product works with the message types serviced by your application, such as HTML, Dynamic HTML, SOAP, XML, etc.

[6] What are the additional features along with their costs?

You shall confirm with the third-party vendor about the optional features supported by the WAF and their costs like a hardware-based key store.

Ask Questions to Your Team

[1] What budget or cost you’re ready to expend for the product?

If you’re looking for a low-cost solution, you must opt for a Cloud-hosted WAF. You can pick any one of the other two types of WAFs otherwise.

[2] Do you have enough engineering power to maintain the WAF?

If you’re opting for a Network-based or Host-based WAF, you’ll require engineering or maintenance teams to support the product later on.

[3] Do your teams have the required security skills to customize it?

In case your teams are equipped with development and security skills for customizing the firewall, you can opt for Network-based or Host-based WAF. But else, you must choose a Cloud-hosted Web Application Firewall.

That’s all about how to choose a Web Application Firewall for your organization. Did you understand? You can leave your feedback by writing a comment.

Share via
Copy link