3 Types of Web Application Firewalls: How to Choose?

There are plenty of web application firewalls (WAFs) on the market, yet not all of them are created equal. Different forms of WAFs have their own advantages and disadvantages, so it is important to understand their differences in order to make a well-informed decision.

Let’s first refresh our minds by taking a quick look at how a web application is hosted and where the WAF is located within the network. The figure below shows a simple illustration.

Assuming that we are all familiar with what a WAF does and why every organization needs one (if not, see this article: Why Do I Need a Web Application Firewall?), let’s take a look at the types of WAFs available in the market.


Three types of web application firewalls (WAF)


1. Hardware-Based Web Application Firewall

A hardware-based WAF is deployed through a hardware appliance, installed locally within the local area network (LAN) close to the web and application servers. An operating system runs within the appliance, supporting software configurations and updates. 

The greatest advantage of a hardware-based WAF is speed and high performance. Due to its physical proximity to the server, it tracks and filters data packets to and from the website with very low latency. The major downside is that owning and maintaining hardware machines is not cheap. From acquisition and installation to storage and maintenance, hardware-based WAFs are associated with higher costs compared to other types of WAFs.

Who is it suitable for? 

A hardware-based WAF is commonly used by large organizations that receive hundreds of thousands of visits on a daily basis. To serve this massive number of clients efficiently, speed and performance become the highest priority. Besides, most large businesses can easily afford the management and operating costs of running hardware.

Recommended product: WAPPLES

WAPPLES is a hardware-based WAF that comes with an application delivery controller (load balancer), saving the hassle of purchasing them separately. Unlike most competitors who rely on a signature-based detection system, WAPPLES runs on a patented COCEP™ engine that relies on rule-based detection algorithms. Having a rule-based detection system not only makes it much easier to update, but also maximizes delivery speed and application performance, making it one of the most efficient WAFs in the industry.



2. Software-Based Web Application Firewall

A software-based WAF is installed in a virtual machine (VM) instead of a physical hardware appliance. All the WAF components are essentially the same as those of a hardware WAF. The only difference is that users need to have their own hypervisor to run the virtual machine.

A hardware-based WAF is like consuming coffee in a coffee shop, while a software-based WAF is like getting it through a drive-thru, where the customer brings their own place (i.e. the car) for consumption.

The main advantage of a software-based WAF is flexibility. Not only can it be used within an on-premises system, the virtual machine can also be deployed in the cloud, connecting to cloud-based web and application servers. A software WAF is also a cheaper option compared to hardware WAFs. However, the major downside is that since it is run in a virtual machine, a higher latency is experienced during the monitoring and filtering process, making it less speedy than a hardware WAF.

Who is it suitable for?

Clearly, software WAFs are commonly used by organizations with web and application servers based in the cloud, such as data centers and hosting providers. They are also popular among small and medium-sized enterprises that need to protect their web applications at lower costs.

Recommended Product: WAPPLES SA

WAPPLES SA (software appliance) is a software-based WAF that comes with all the same functionalities and features as WAPPLES. It supports popular hypervisors including KVM, XenServer, and vSphere. It can be optimized for public cloud servers based in AWS, Google Cloud, and Microsoft Azure, as well as private cloud servers based in VMware and Citrix.



3. Cloud-Based Web Application Firewall

A cloud-based WAF is a newer generation of WAF that is provided and managed directly by a service provider in the form of SaaS (software-as-a-service). Unlike a software-based WAF, the WAF components are entirely located in the cloud, so that the user does not need to install anything locally or in any virtual machines.

The major advantage is simplicity. The user does not need to install any software physically and only needs to enroll in a subscription plan. The service provider provides all the optimization and updates so that the user is not required to manage the WAF by themselves. On the other hand, the disadvantage is that since the WAF is entirely managed by the service provider, there is not much room for customization.

Who is it suitable for?

Cloud-based WAFs are suitable for most small and medium-sized organizations. Since a cloud-based WAF does not require any physical storage space or manual maintenance, it is great for organizations without many extra resources to manage a WAF.

Recommended Product: Cloudbric

Cloudbric is a SECaaS (security-as-a-service) product that offers web application protection, advanced DDoS protection, and content delivery network (CDN) services in a combined package. Whether the application is hosted locally or in the cloud, Cloudbric provides the easiest protection and maintenance services.


