Border Firewalls and Web Application Firewalls: Do I Need Both?

Let’s not bury the lede on this question…the answer is yes! If you have applications and other services available via the web, then you need both. Network firewalls help you protect the perimeter of your networks, and web application firewalls (WAFs) provide additional security protections for the application servers delivering your web applications to users.

Network firewalls protect your network’s incoming and outgoing points. Organizations need to implement a multifaceted and layered security defense strategy. WAFs deliver specific security functionality for web applications and provide parts of the broader defense strategy needed in the current threat landscape.

In addition to firewalls and WAFs, other commonly deployed cybersecurity components and techniques include intrusion detection systems (IDS), network detection and response (NDR) solutions, security information and event management (SIEM) systems, identity and access management (IAM), zero trust network access (ZTNA) and more.

In this blog, we’ll explore what network firewalls and WAFs deliver and how WAFs complement network firewalls without eliminating the need for them.

What Is a Firewall?

Firewalls are dedicated security solutions that sit at network borders and control the flow of incoming (ingress) and outgoing (egress) network traffic. They can mediate traffic flows between internal networks and the Internet or between separate network segments within an organization.

Additionally, firewalls serve as a top-level network defense mechanism and use rules to control network traffic flow. By inspecting and filtering network traffic based on pre-configured policies, a firewall can allow or block specific traffic flows based on several attributes, such as source and destination IP addresses, ports, protocols or other criteria.

Types of Firewalls

There are various types of firewalls: hardware firewalls (physical devices), software firewalls (installed on servers or devices) and cloud-based firewalls. Firewalls are classified based on how they filter traffic, and there are two types of filtering:

  1. Packet filtering - Firewalls using this method operate like bouncers at a nightclub. They check specific identifying characteristics of network requests, such as IP addresses, before allowing or blocking traffic (like a bouncer verifying someone’s age via their ID).
  2. Stateful inspection - Stateful inspection firewalls regularly monitor the state of network connections. They maintain a table of all active connections passing through the firewall. Stateful firewalls analyze each packet’s context and state information within a connection. They can dynamically open and close ports based on connection state, inspect entire communication streams for malicious content and maintain session awareness to detect attacks like session hijacking. Overall, stateful firewalls provide more granular control and security than basic packet filtering by understanding the context of network traffic.
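The difference between the two filtering types, as an added Python sketch that is not part of the original post or of any firewall product: a stateless rule that admits anything with source port 443 is compared with a connection-table check. The addresses, ports and the "outbound HTTPS only" policy are constructed assumptions, and the state tracking is simplified (no timeouts or sequence checks).

```python
from collections import namedtuple

# flags are TCP flags: S=SYN, A=ACK, F=FIN, R=RST
Packet = namedtuple("Packet", "src sport dst dport flags")

def internal(ip):
    return ip.startswith("10.0.0.")   # constructed internal range

def stateless_allow(p):
    """Packet filter: every packet is judged only on its own header fields."""
    outbound_https = internal(p.src) and p.dport == 443
    looks_like_reply = internal(p.dst) and p.sport == 443
    return outbound_https or looks_like_reply

class StatefulFirewall:
    """Keeps a table of connections opened from inside (simplified: no timeouts)."""
    def __init__(self):
        self.table = set()   # entries: (client_ip, client_port, server_ip, server_port)

    def allow(self, p):
        if internal(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.dport != 443:
                return False
            if "S" in p.flags:
                self.table.add(key)          # inside host opens a connection
            elif key not in self.table:
                return False
            if "F" in p.flags or "R" in p.flags:
                self.table.discard(key)      # connection closed: entry removed
            return True
        # Inbound traffic passes only as the reverse side of a tracked connection.
        return (p.dst, p.dport, p.src, p.sport) in self.table

def demo():
    fw = StatefulFirewall()
    syn = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA")
    stray = Packet("198.51.100.7", 443, "10.0.0.9", 8080, "A")  # belongs to no connection
    fin = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "FA")
    return {
        "stateless_stray": stateless_allow(stray),
        "stateful_stray": fw.allow(stray),
        "stateful_syn": fw.allow(syn),
        "stateful_reply": fw.allow(reply),
        "stateful_fin": fw.allow(fin),
        "stateful_reply_after_close": fw.allow(reply),
    }
```

The stateless rule accepts the stray packet because its header fields look like a reply, while the stateful check drops it and also stops accepting replies once the tracked connection is closed.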

To summarize, a firewall is the first line of defense against incoming threats in a multi-layered security approach, making it a crucial component of network security. Its primary function is to allow only authorized traffic while blocking unauthorized access.

What Is a Web Application Firewall?

A WAF is an adjunct security solution designed to enhance the protection of web applications from multiple attack types and threats. Unlike the traditional network firewalls discussed above, which operate at the network and transport layers (Layers 3 and 4 of the OSI model), a WAF also operates at the application layer (Layer 7) and focuses on HTTP/HTTPS traffic. Hopefully, it’s mainly HTTPS now!

A WAF primarily monitors, filters and blocks web traffic identified as a threat to web applications. It inspects incoming requests and applies a set of rules and policies to identify and prevent common web application vulnerabilities and attacks, such as those outlined in the OWASP Top Ten.

Like network firewalls, WAF deployment can occur via physical devices, virtual machines or the cloud. The WAF add-on for Kemp LoadMaster supports all these deployment methods.

WAFs typically support multiple techniques to monitor and filter traffic flowing to web application servers. These techniques include:

  1. Signature-based detection - WAFs use rules and lists of known attack patterns to detect malicious activity.
  2. Anomaly-based detection - The WAF records an established baseline of regular network activity. If it detects any deviations from this baseline, it takes steps to stop malicious activity. See the Progress Flowmon ADS site for a Progress solution that takes this defense method to the next level.
  3. Security models - WAFs can use both negative (block) and positive (allow) lists to control traffic flow to web applications.
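Signature-based detection (item 1) and the two security models (item 3), as an added Python sketch that is not LoadMaster or ModSecurity code: the same constructed requests are run through a negative (block) list and a positive (allow) list. The signatures, the `/search` endpoint and its parameter contract are hypothetical and deliberately simplified.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative (block) list: constructed, simplified signatures, not a real rule set.
SIGNATURES = {
    "xss": re.compile(r"(?i)<\s*script\b"),
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "traversal": re.compile(r"\.\./"),
}

# Positive (allow) list: hypothetical contract for one endpoint of the application.
ALLOWED = {
    "/search": {
        "methods": {"GET"},
        "params": {"q": re.compile(r"[\w .-]{1,64}"), "page": re.compile(r"\d{1,4}")},
    },
}

def negative_model(method, url):
    """Block requests matching a known-bad pattern; allow everything else."""
    parts = urlsplit(url)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = sorted(n for n, rx in SIGNATURES.items() if any(rx.search(v) for v in values))
    return ("block", hits) if hits else ("allow", [])

def positive_model(method, url):
    """Allow only requests that fit the declared contract; block everything else."""
    parts = urlsplit(url)
    rule = ALLOWED.get(parts.path)
    if rule is None or method not in rule["methods"]:
        return ("block", ["path/method not allowed"])
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rx = rule["params"].get(name)
        if rx is None or not rx.fullmatch(value):
            return ("block", [f"parameter {name}"])
    return ("allow", [])

# Constructed sample requests.
SAMPLES = [
    ("GET", "/search?q=running+shoes&page=2"),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET", "/search?q=shoes&debug=true"),
    ("DELETE", "/search?q=shoes"),
]

def compare():
    return [(m, u, negative_model(m, u)[0], positive_model(m, u)[0]) for m, u in SAMPLES]
```

The last two samples match no signature, so the negative model lets them through, while the positive model rejects the undeclared `debug` parameter and the `DELETE` method because neither is in the contract.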

In addition to protecting against web application attacks, WAFs often include additional features such as bot attack prevention, DDoS protection, API security and integration with other security solutions like SIEM systems.

WAFs are an essential part of a broad security strategy to protect web-based applications. They deliver an extra layer of protection against cyberthreats that target the application layer.

How Does a WAF Augment Security Provision?

WAFs augment security provisions in several ways. As outlined above, the best way to deploy them is as part of a wide cybersecurity defense strategy that includes network firewalls and the other previously mentioned technologies. It’s worth saying again that WAFs do not replace traditional network firewalls. Rather, they add to and enhance the security provided by existing tools by enabling an additional layer of security inspections and checking network traffic in different and complementary ways.

WAFs add the following to security defenses:

Defense for web applications - WAFs act as a final line of defense for web applications and web servers. They sit between user endpoint devices and web application servers and monitor web traffic to detect security issues before they can impact the applications.

Enhanced security provision - WAFs understand how web traffic uses the HTTP/HTTPS protocols. As a result, they can inspect network packets to look for potential threats and prevent exploit attempts that traditional network firewalls will not detect.

WAFs play a crucial role in a complete cybersecurity strategy. Integrating WAFs with other security measures creates multi-layered defenses that address numerous cyberthreats.


As mentioned, WAFs should work alongside other cybersecurity protection solutions and techniques. These include network firewalls, intrusion detection systems, network detection and response solutions, security information and event management systems, identity and access management, zero trust network access and more.

By implementing a layered security approach, organizations can decrease the risks from a compromised protective layer, as other security layers are in place. As cyberthreats continue evolving, deploying WAFs is essential to your cybersecurity strategy.

WAF with LoadMaster

LoadMaster WAF can play a central role in such a strategy. It is powered by ModSecurity, an industry-leading engine, and is supported by open-source rule sets and a commercial rules subscription service.

LoadMaster WAF leverages all the benefits of the available flexible licensing models. Deploying LoadMaster instances with WAF via our Metered Licensing allows WAF placements to help an organization meet its unique application delivery and security needs.

For more information, and to learn how to start a 30-day free trial of LoadMaster with the WAF component, see our web application firewall solution page.

Rochelle Wheeler

Rochelle Wheeler is a Global Demand Generation Marketing Lead with Progress’ Infrastructure Team and focuses her efforts on the Kemp LoadMaster load balancing solution. With over two decades of successful marketing and project management experience, she has launched campaigns for companies ranging from boutique agencies to Fortune 500 enterprises. You can follow her on LinkedIn.