What is a WAF? | Web Application Firewall explained

A WAF creates a shield between a web application and the Internet; this shield can help mitigate many common attacks.

Learning objectives

After reading this article you will be able to:

  • Define Web Application Firewall
  • Explain the difference between blocklist and allowlist WAFs
  • Understand the pros and cons of network-based, host-based and cloud-based WAFs


What is a web application firewall (WAF)?

A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a layer 7 (application layer) defense in the OSI model and is not designed to defend against all types of attacks. This method of attack mitigation is usually one part of a suite of tools which together create a holistic defense against a range of attack vectors.

Deploying a WAF in front of a web application places a shield between the web application and the Internet. Whereas a proxy server protects a client machine's identity by relaying its traffic through an intermediary, a WAF is a type of reverse proxy: clients pass through the WAF before reaching the server, which keeps the server itself from being exposed.

A WAF operates through a set of rules, often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. Part of the value of a WAF comes from the speed and ease with which policies can be modified, allowing a faster response to changing attack vectors; during a DDoS attack, for example, rate limiting can be put in place quickly by modifying WAF policies.

[Figure: how a WAF mitigates DDoS attacks]

What is the difference between blocklist and allowlist WAFs?

A WAF that operates on a blocklist (negative security model) protects against known attacks. Think of a blocklist WAF as a club bouncer instructed to deny entry to guests who do not meet the dress code. Conversely, a WAF based on an allowlist (positive security model) admits only traffic that has been pre-approved. This is like the bouncer at an exclusive party, who only admits people who are on the list. Blocklists and allowlists each have their advantages and drawbacks, which is why many WAFs offer a hybrid security model that implements both.

What are network-based, host-based, and cloud-based WAFs?

A WAF can be implemented in one of three different ways, each with its own benefits and shortcomings:

  • Network-based WAFs are generally hardware-based. Because they are installed locally they keep latency to a minimum, but network-based WAFs are the most expensive option and also require the storage and maintenance of physical equipment.
  • Host-based WAFs may be fully integrated into an application's software. This solution is less expensive than a network-based WAF and offers more customizability. The downsides of a host-based WAF are the consumption of local server resources, implementation complexity, and maintenance costs. These components typically require engineering time and may be costly.
  • Cloud-based WAFs offer an affordable option that is very easy to implement; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over the responsibility to a third party, therefore some features of the WAF may be a black box to them. (A cloud-based WAF is one type of cloud firewall; learn more about cloud firewalls.)
