什么是 WAF?| Web Application Firewall 解读

WAF 在 Web 应用程序与 Internet 之间创建防火墙;此类防火墙有助于缓解很多常见攻击。

学习目标

阅读本文后,您将能够:

  • 定义 web application firewall
  • 解释黑名单与白名单 waf 之间的区别
  • 了解基于网络、基于主机和基于云的 waf 的优缺点

复制文章链接

什么是 Web Application Firewall (WAF)?

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.

通过在 Web 应用程序前端部署 WAF,可在 Web 应用程序与 Internet 之间形成一道屏障。虽然代理服务器通过中介保护客户机的身份,但 WAF 是一种反向代理,引导客户端通过 WAF 到达服务器,从而防止暴露服务器。

A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.

DDOS WAF 工作原理

黑名单与白名单 WAF 之间有什么区别?

基于黑名单(消极安全模型)运行的 WAF 可防范已知攻击。您可以将黑名单 WAF 想象为俱乐部保镖按指示拒绝接待不符合着装要求的客人。相反,基于白名单(积极安全模型)的 WAF 仅允许接受预先批准的流量。类似于奢华派对保镖,只接待出席名单列出的客人。无论黑名单还是白名单,二者都有各自的优缺点,因此很多 WAF 提供混合安全模型,综合实施两种方法。

什么是基于网络、基于主机和基于云的 WAF?

A WAF can be implemented one of three different ways, each with its own benefits and shortcomings:

  • 基于网络的 WAF 通常基于硬件。由于采用本地安装模式,因而可以最大限度地缩短延迟,但基于网络的 WAF 费用最昂贵,而且还要安装和维护物理设备。
  • 基于主机的 WAF 可完全集成至应用程序软件。这种解决方案的成本低于基于网络的 WAF,而且还能提供更多定制功能。基于主机的 WAF 的缺点在于,占用本地服务器资源,实施起来复杂,而且还会产生维护成本。这些组件通常需要预留维护时间,可能成本较高。
  • Cloud-based WAFs offer an affordable option that is very easy to implement; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over the responsibility to a third party, therefore some features of the WAF may be a black box to them. (A cloud-based WAF is one type of cloud firewall; learn more about cloud firewalls.)

Learn about Cloudflare's cloud-based WAF solution.