WAF vs Firewall: What's the Difference?


Network firewalls protect networks at the IP and port level. WAFs inspect HTTP content for application-layer attacks such as SQL injection. Both layers are needed.

What Each Firewall Actually Does

Network Firewalls: The Perimeter Layer

A traditional network firewall sits at the boundary between trust zones — between an internal network and the public internet, between a corporate network and a partner network, between a less-trusted DMZ and a more-trusted internal network. The firewall inspects network traffic at the IP, TCP, and UDP layers, applying rules that allow or deny traffic based on source and destination addresses, ports, and protocols. Modern next-generation firewalls (NGFWs) add deeper inspection capabilities: application identification, intrusion prevention, malware scanning, URL filtering, and SSL/TLS decryption for visibility into encrypted traffic.

The leading network firewall vendors include Palo Alto Networks, Fortinet FortiGate, Cisco Firepower, Check Point, and Sophos XG. NGFW capabilities have largely commoditized across these vendors; selection criteria are typically based on operational integration, throughput requirements, and existing security stack alignment.

The structural assumption behind network firewall design is the perimeter model: there is a trust boundary, the firewall controls what crosses it, and traffic inside the perimeter operates with implicit trust. This model has been substantially undermined by cloud adoption, remote work, SaaS proliferation, and zero-trust architecture principles, but network firewalls remain a foundational control for most enterprise environments.

WAFs: The Application Layer

A Web Application Firewall operates at a fundamentally different layer of the network stack. WAFs inspect HTTP and HTTPS traffic directed at specific web applications, applying rules that block application-layer attacks: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), command injection, server-side request forgery (SSRF), and the broader OWASP Top 10 application vulnerability categories.

The WAF analyzes the content of HTTP requests — URLs, parameters, headers, request bodies — and applies pattern matching plus behavioral analysis to identify attack attempts. Modern WAFs combine signature-based detection of known attack patterns, machine-learning analysis of request anomalies, and threat-intelligence feeds covering the OWASP Top 10 categories and newly disclosed application vulnerabilities.

The leading WAF vendors include Cloudflare, AWS WAF, Akamai Kona, Imperva, F5 Advanced WAF, and Fastly Next-Gen WAF. WAFs are increasingly delivered as cloud services rather than on-premises appliances, integrated with content delivery networks (CDNs) and DDoS protection services as part of broader edge security platforms.

Why You Need Both

Different Attack Surfaces

The simplest framing: network firewalls protect networks; WAFs protect web applications. A network firewall sitting between your internal network and the internet can block scanning attempts, prevent inbound connections to internal-only services, and identify known-bad IP addresses. It cannot, however, distinguish between a legitimate HTTP POST to your web application's login endpoint and an SQL injection attempt against that same endpoint — both traffic patterns look identical at the network layer.

The WAF reads the application-layer request content and identifies the injection attempt. Conversely, the WAF cannot prevent reconnaissance against your internal network infrastructure or block exploits against non-HTTP services. The two technologies operate at different layers and defend against different threat categories.

The Capital One 2019 Case

The 2019 Capital One breach is the canonical case study for WAF governance. The attacker exploited a server-side request forgery vulnerability against a misconfigured WAF to access AWS instance metadata and steal IAM credentials, ultimately exfiltrating data on approximately 100 million customers. The breach was not a failure of the WAF technology; it was a failure of WAF configuration. The same lesson applies broadly: WAFs require ongoing configuration management, rule tuning, and exception review to remain operationally effective.

Modern Architectures: Combined Edge Security

The traditional split — network firewall at the perimeter, WAF in front of web applications — has consolidated in modern cloud-delivered security architectures. Cloudflare, Akamai, Fastly, and AWS deliver combined edge security services that include WAF, DDoS protection, bot management, and network-layer filtering as integrated capabilities. For organizations whose web applications run on cloud infrastructure, the procurement question increasingly involves selecting an integrated edge security platform rather than choosing between separate network firewall and WAF products.

How to Procure Network Firewalls and WAFs Effectively

The Network Firewall Decision

For network firewalls, the procurement criteria are throughput requirements (matching the actual bandwidth needs of the protected segments), feature depth (next-generation capabilities including IPS, application identification, SSL decryption), management overhead (single-vendor consolidation versus best-of-breed), and integration with the broader security stack (SIEM, EDR, identity provider).

The WAF Decision

For WAFs, the procurement criteria are deployment model (cloud-delivered versus on-premises versus hybrid), application coverage (does the WAF integrate with your specific application stack and CDN), false-positive management (how quickly can the security team tune rules to prevent legitimate traffic from being blocked), and rule update cadence (how quickly does the WAF vendor publish protection for newly disclosed application vulnerabilities).

The Common Configuration Errors

The most operationally costly WAF errors are running in monitor-only mode without ever enabling blocking, failing to maintain rule tuning over time so that the WAF eventually blocks legitimate traffic, and exposing the WAF management interface or instance metadata services through misconfigurations that themselves become the attack vector (the Capital One pattern). Network firewall errors typically involve rule sprawl over time, with legacy rules that nobody understands and that nobody is willing to remove for fear of breaking something.
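As an added illustration of the layer distinction from "Different Attack Surfaces" and the monitor-only failure mode described above (example code written for this article, not any vendor's engine), the two constructed requests below share one source, destination and port; the layer-4 policy returns the same verdict for both, while the layer-7 inspector separates them, and only does anything useful when its mode is set to block. The rule set, addresses and request bodies are all constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample traffic: two POSTs from the same client to the same
# listener. The only difference is the form body.
FLOW = {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 443, "proto": "tcp"}
LEGIT = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"user=alice&pass=Winter2024")
INJECTED = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"user=alice%27+OR+%271%27%3D%271&pass=x")

def network_firewall(flow: dict) -> str:
    """Layer-3/4 policy: allow inbound TCP/443 to the web tier, deny the rest.
    The payload is never consulted, so LEGIT and INJECTED get the same verdict."""
    allowed = {("192.0.2.10", 443, "tcp")}
    return "allow" if (flow["dst"], flow["dport"], flow["proto"]) in allowed else "deny"

# Small hypothetical signature set in the style of a WAF rule group (not vendor rules).
WAF_RULES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.I),
    "sqli-union":     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
}

def waf(raw: bytes, mode: str = "block") -> dict:
    """Layer-7 inspection: split the HTTP request, URL-decode the form body,
    run every field through the rule set. mode="monitor" records the hit but
    lets the request through, which is the never-enabled-blocking failure."""
    head, _, body = raw.partition(b"\r\n\r\n")
    path = head.split(b" ", 2)[1].decode()
    fields = parse_qs(body.decode(), keep_blank_values=True)  # percent-decodes values
    hits = sorted({name for name, rx in WAF_RULES.items()
                   for values in fields.values() for v in values if rx.search(v)})
    if not hits:
        return {"path": path, "action": "allow", "hits": []}
    return {"path": path, "action": "block" if mode == "block" else "log-only", "hits": hits}

def compare(raw: bytes, flow: dict = FLOW, mode: str = "block") -> tuple:
    """Side by side: what each layer decides for one request."""
    return network_firewall(flow), waf(raw, mode)["action"]

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("injected", INJECTED)):
        print(label, compare(req), "monitor-only:", compare(req, mode="monitor"))
```

Running it shows the network layer answering "allow" for both requests in every case; the application layer is the only place the injected body becomes visible, and in monitor mode that visibility produces a log line rather than a blocked request.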


How Cloudskope Can Help

Cloudskope's Cyber Risk Assessment evaluates network and application-layer firewall coverage as part of broader perimeter and edge security review. For organizations operating web applications without effective WAF coverage — a common finding in mid-market environments — our assessment includes specific remediation guidance on WAF selection, configuration, and ongoing rule tuning discipline.