)\nCSRF (cross-site request forgery)\nLocal/Remote File Inclusion\nAuthentication / session attacks\n\nDeployment forms:\n\n\n\nForm\nWhere it sits\n\n\n\n\nBridge\nTransparent L2 device — invisible to clients\n\n\nRouter\nL3 device — has its own IP\n\n\nReverse Proxy\nMost common — clients connect to WAF, WAF proxies to web servers\n\n\nOn the server (mod_security on Apache)\nSoftware module on the web server itself\n\n\n\nTwo security models:\n\n\n\nModel\nApproach\nTrade-off\n\n\n\n\nNegative (blacklist)\nBlock known attack patterns\nEasy setup, but new attack patterns slip through\n\n\nPositive (whitelist)\nAllow only known-good request patterns\nStrict but high config burden — every form field/URL must be defined\n\n\n\nThe \"pro-active\" benefit:\n\n\"Pro-aktive Schutz gegen neue (ev. noch nicht entdeckte) Sicherheitslücken möglich\"\n\nEven if the web app has a zero-day vulnerability, a properly configured WAF can block exploits generically — e.g., a WAF rule blocking '; DROP TABLE blocks any new SQL injection attempt regardless of which endpoint is being attacked.\nThe disadvantages:\n\n\n\nDisadvantage\nDetail\n\n\n\n\nConfiguration burden\nWhitelisting every form field/parameter is enormous work\n\n\nEach app release may break the WAF config\nNew endpoints, changed validation → WAF policy must be updated\n\n\nKnowledge transfer required\nDeveloper knowledge → firewall admin knowledge\n\n\nFalse negatives\nReal attacks slip through because patterns aren't recognized\n\n\nFalse positives\nLegitimate traffic blocked → user complaints\n\n\n\nThe WAF tuning challenge:\nA new WAF deployment in \"blocking\" mode often breaks the application immediately. The standard procedure:\n\nDeploy in monitor-only mode for 2-4 weeks.\nReview logs, identify false positives.\nWhitelist legitimate patterns.\nSwitch to blocking only after the false-positive rate is low.\n\nTip: Major WAF products: Airlock (Swiss), Imperva, F5 ASM, Cloudflare WAF, AWS WAF, mod_security (open-source). As of the 2026 source window, cloud-integrated WAFs (Cloudflare, AWS) are very widely deployed because they're bundled with the provider's CDN/cloud — the WAF is \"built in\" rather than a separate purchase.\nGo deeper:\n\n Web application firewall — Wikipedia — covers the positive vs negative security models and deployment forms (reverse proxy, bridge, on-server module).\n OWASP Top Ten — the canonical list of web-app risks (SQLi, XSS, …) that every WAF ruleset is built to mitigate.\n\n", "dateModified": "2026-07-14T16:25:10+00:00" } } }

LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a Web Application Firewall (WAF), and how is it different from a network firewall or NGFW?

A WAF is an Application-Layer Firewall specifically protecting web servers — it parses HTTP/HTTPS requests and blocks attacks like SQL injection, XSS, and CSRF. It works alongside the network firewall, not as a replacement, and operates at OSI Layer 7.

WAF vs other firewalls:

Tier Protects Inspects
Packet Filter Network IPs, ports
Stateful FW Network Connection state
NGFW Network + apps Packets, app identity, threats
WAF Web servers specifically HTTP request structure, body, headers, cookies

What a WAF blocks:

The OWASP Top 10 — including:

  • SQL Injection (' OR 1=1 --)
  • Cross-Site Scripting (<script>alert(1)</script>)
  • CSRF (cross-site request forgery)
  • Local/Remote File Inclusion
  • Authentication / session attacks

Deployment forms:

Form Where it sits
Bridge Transparent L2 device — invisible to clients
Router L3 device — has its own IP
Reverse Proxy Most common — clients connect to WAF, WAF proxies to web servers
On the server (mod_security on Apache) Software module on the web server itself

Two security models:

Model Approach Trade-off
Negative (blacklist) Block known attack patterns Easy setup, but new attack patterns slip through
Positive (whitelist) Allow only known-good request patterns Strict but high config burden — every form field/URL must be defined

The "pro-active" benefit:

"Pro-aktive Schutz gegen neue (ev. noch nicht entdeckte) Sicherheitslücken möglich"

Even if the web app has a zero-day vulnerability, a properly configured WAF can block exploits generically — e.g., a WAF rule blocking '; DROP TABLE blocks any new SQL injection attempt regardless of which endpoint is being attacked.

The disadvantages:

Disadvantage Detail
Configuration burden Whitelisting every form field/parameter is enormous work
Each app release may break the WAF config New endpoints, changed validation → WAF policy must be updated
Knowledge transfer required Developer knowledge → firewall admin knowledge
False negatives Real attacks slip through because patterns aren't recognized
False positives Legitimate traffic blocked → user complaints

The WAF tuning challenge:

A new WAF deployment in "blocking" mode often breaks the application immediately. The standard procedure:

  1. Deploy in monitor-only mode for 2-4 weeks.
  2. Review logs, identify false positives.
  3. Whitelist legitimate patterns.
  4. Switch to blocking only after the false-positive rate is low.

Tip: Major WAF products: Airlock (Swiss), Imperva, F5 ASM, Cloudflare WAF, AWS WAF, mod_security (open-source). As of the 2026 source window, cloud-integrated WAFs (Cloudflare, AWS) are very widely deployed because they're bundled with the provider's CDN/cloud — the WAF is "built in" rather than a separate purchase.

Go deeper:

  • doc Web application firewall — Wikipedia — covers the positive vs negative security models and deployment forms (reverse proxy, bridge, on-server module).
  • doc OWASP Top Ten — the canonical list of web-app risks (SQLi, XSS, …) that every WAF ruleset is built to mitigate.

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026