Tags: Security, WAF, Firewall, Layer 7

Network Firewalls vs WAFs: Protecting the Perimeter vs Protecting the App

Elena Rostova, July 28, 2024

When a company gets hacked and customer data is stolen, the public often asks, "Didn't they have a firewall?"

The answer is almost always yes. But having a firewall and being secure are two completely different things. To understand why, we have to look at the different types of firewalls, and specifically the difference between a traditional Network Firewall and a Web Application Firewall (WAF).

They both act as security guards, but they operate at entirely different layers of the OSI model and look for entirely different threats.

The Network Firewall (The Bouncer)

A traditional Network Firewall operates primarily at Layer 3 (Network) and Layer 4 (Transport).

Think of a Network Firewall like a bouncer standing at the front door of a nightclub. The bouncer has a very simple clipboard with a list of rules:

  • "Allow anyone in through the front door (Port 443/HTTPS)."
  • "Block anyone trying to sneak in through the back alley door (Port 22/SSH)."
  • "Block anyone who has an ID card from a known malicious country (IP Address blocking)."

The Network Firewall is incredibly fast and highly efficient. It looks at the IP headers and TCP/UDP headers of an incoming packet. If the source IP or destination port violates the rules, it instantly drops the packet.

However, the Network Firewall has a massive blind spot: it does not look inside the packet payload.

If the bouncer allows you through the front door, they don't search your pockets. Once you are inside, you are trusted.

If a hacker wants to attack a web server, they don't try to break through the blocked back door (Port 22). They simply walk right through the open front door (Port 443) masquerading as normal web traffic. The Network Firewall sees a packet destined for Port 443, says, "Ah, web traffic, that's allowed!" and waves it through.

The hacker then sends a malicious SQL Injection command buried deep inside the HTTP request. The Network Firewall is completely oblivious. The web server executes the command, and the database is breached.

The Web Application Firewall (The Detective)

To stop these sophisticated, payload-based attacks, we need a different kind of security guard. We need a WAF (Web Application Firewall).

A WAF operates at Layer 7 (The Application Layer).

If the Network Firewall is the bouncer at the door, the WAF is an undercover detective standing inside the club, listening to every conversation and watching every transaction.

Because a WAF operates at Layer 7, it doesn't just look at IPs and ports. It reassembles the packets into a complete request, decrypts the TLS/SSL session, and reads the actual HTTP requests and responses. It understands the language of the application.

When a user submits a login form, the WAF inspects the data being sent in the HTTP POST request.

  • If the username is `john_doe`, the WAF allows it.
  • If the username is `' OR 1=1 --`, the WAF instantly recognizes the signature of a SQL Injection attack. It intervenes, blocks the HTTP request, and returns a 403 Forbidden error to the hacker before the request ever touches the actual web server backend.

What Does a WAF Protect Against?

WAFs are specifically designed to protect against the OWASP Top 10—the most common and dangerous web application vulnerabilities. These include:

1. SQL Injection: Tricking a database into executing malicious commands.

2. Cross-Site Scripting (XSS): Injecting malicious JavaScript into a webpage viewed by other users.

3. Directory Traversal: Trying to access hidden files on the server by manipulating URLs (e.g., `example.com/images/../../../etc/passwd`).

4. Bot Traffic and DDoS: Detecting automated scraping tools or Layer 7 Denial of Service attacks that attempt to overwhelm the server with seemingly legitimate HTTP requests.

Why Not Just Use a WAF for Everything?

If a WAF is so smart, why do we even bother with Network Firewalls? Why not just use a WAF for all security?

The answer is Performance and Scope.

Because a WAF has to decrypt traffic, reassemble HTTP streams, and run complex regular expressions (regex) against the payload, it requires a massive amount of CPU power. It is relatively slow.

If you tried to push a massive 50GB database backup transfer through a WAF, the CPU would max out, and the transfer would crawl to a halt.

Furthermore, a WAF *only* understands HTTP/HTTPS web traffic. If you have non-web traffic on your network—like DNS queries, database replication protocols, or VoIP phone calls—the WAF won't know what to do with it.

Defense in Depth

Modern enterprise security requires both.

  • You put a **Network Firewall** at the edge of the network to quickly and efficiently drop 90% of the obvious garbage traffic, port scans, and volumetric DDoS attacks.
  • You then place a **WAF** directly in front of your sensitive web servers to meticulously inspect the remaining 10% of traffic that was allowed through the front door.

By combining Layer 3/4 filtering with Layer 7 inspection, you create a layered security posture—Defense in Depth—that keeps both the front door and the conversations inside secure.
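To make the two layers concrete, here is an added example (not code from the article) that simulates both the login-form inspection described in the WAF section and the two-layer deployment described here: a Layer 3/4 filter that reads only the source IP and destination port, and a toy Layer 7 WAF that parses the decrypted HTTP request, applies one SQL injection signature to the POST form fields, and also checks the URL for the directory traversal pattern from the OWASP list. The IP addresses, port list, regex and request builder are assumptions chosen for illustration, not a real ruleset.

```python
import re
from urllib.parse import parse_qs, quote, unquote

# --- Layer 3/4: the bouncer only reads IP and TCP header fields ---
BLOCKED_SOURCE_IPS = {"203.0.113.7"}  # constructed sample IP (TEST-NET-3 range)
ALLOWED_DEST_PORTS = {443}            # front door open; port 22 is not listed, so it is dropped

def network_firewall(src_ip: str, dst_port: int) -> str:
    """Return 'ALLOW' or 'DROP' using only Layer 3/4 headers; the payload is never read."""
    if src_ip in BLOCKED_SOURCE_IPS or dst_port not in ALLOWED_DEST_PORTS:
        return "DROP"
    return "ALLOW"

# --- Layer 7: the detective reads the decrypted HTTP request ---
# Signature for the classic tautology, e.g. ' OR 1=1 -- (toy rule, not a production ruleset)
SQLI_SIGNATURE = re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE)

def waf(request: bytes) -> int:
    """Inspect one decrypted HTTP request; return 403 to block it or 200 to pass it on."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode()
    method, target, _ = request_line.split(" ", 2)
    # Directory traversal: any '..' segment in the URL-decoded path escapes the web root
    if ".." in unquote(target.split("?", 1)[0]).split("/"):
        return 403
    # SQL injection: check every field of a POST form body against the signature
    if method == "POST":
        for values in parse_qs(body.decode(errors="replace")).values():
            if any(SQLI_SIGNATURE.search(v) for v in values):
                return 403
    return 200

def inspect(src_ip: str, dst_port: int, request: bytes) -> str:
    """Defense in depth: edge firewall first, then the WAF on whatever it let through."""
    if network_firewall(src_ip, dst_port) == "DROP":
        return "dropped at L3/L4"
    return f"WAF {waf(request)}"

def login_request(username: str) -> bytes:
    """Build a constructed login POST like the one a browser sends for the form."""
    body = f"username={quote(username)}&password=secret".encode()
    return (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    print(inspect("198.51.100.5", 22, login_request("john_doe")))      # dropped at L3/L4
    print(inspect("198.51.100.5", 443, login_request("john_doe")))     # WAF 200
    print(inspect("198.51.100.5", 443, login_request("' OR 1=1 --")))  # WAF 403
```

The third call is the article's scenario: the request arrives on port 443, so the network firewall waves it through, and only the Layer 7 inspection of the form field stops it.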