Web application firewalls provide security at the application layer. Essentially, WAF provides all your web applications a secure solution which ensures the data and web applications are safe.
A web application firewall applies a set of rules to HTTP conversation to identify and restrict the attacks of cross site scripting, SQL injections etc. You can also get web application framework and web based commercial tools, for providing security to web applications. Web Application Firewalls allows you to customize the rules by identifying and blocking malicious content. Some of the most popular and widely used open source web application firewalls for web application security (including various server operating systems like Unix, Linux, Windows and Mac OSX) are
- ModSecurity (Trustwave SpiderLabs)
- ESAPI WAF
ModSecurity is one of the oldest and widely used open source web application firewall which can detect application level threats on internet, and provides security against a range of security issues to web applications. It provides non viral open sources license and it can be integrated to Apache programs. Recently, ModSecurity released the version 2.6.0 which provides features for safe browsing API integration, sensitive data tracking and data modification features. This is available on all major operating systems including Unix, Windows and Linux. If you are looking for a windows WAF this may be a tool worth try before buying an expensive enterprise software.
ESAPI WAF is developed by Aspect Security and it is designed to provide protection at the application layer instead of network layer. It is a Java based WAF which provides complete security from online attacks. Some of the unique features of the solution include outbound filtering features which reduce information leakage. It is configuration driven and not code based, and it enables easy installation by just adding configuration details in the text file.
WebCastellum is a Java based web application firewall which can protect application against cross site scripting, SQL injections, command injections, parameter manipulation, and it can be integrated easily to a java based application. It is based on new technology and it can use existing code to provide protection.
Binarysec is web application software firewall, and it protects applications against illegitimate HTTP and blocks suspicious requests as well. It provides protection against cross site scripting, commend injections, parameter tampering, buffer overflow, directory traversal, SQL injection and attack obstruction. It takes not more than 10 minutes to install the software, and its user interface can manage Apache and other web servers and many sites on one machine.
Guardian is an open source application layer firewall for HTTPS / HTTP and it assesses the HTTP / HTTPS traffic to protect the web application from external attacks. Guardian@JUMPERZ.NET immediately disconnects the TCP connection when the application comes in contact with a malicious / unauthorized request.
Art of defense is a San Francisco based web application security provider which started a project on open source OpenWAF in February 2011. It’s also the first company to provide distributed web application firewall for Apache servers.
Qualys created cloud based open source web application firewall – Ironbee which examines the HTTP instead of the traditional IP packets to evaluate a data. It can even track attacks on cross site scripting code. Ironbee is published through Apache License version 2 and it provides no copyright assignment. It has modular structure and is quite easy to use.
Smoothwall provides strong web security tools to manage emails. The open source web filtering engine of Smoothwall is called DansGuardian. It has flexible user rules and a fully integrated component for web filtering and security. What’s more, it provides authenticated network access and traffic blocking. Smoothwall free firewall has security hardened Linux GNU OS too.
Legacy / Unsupport WAF Archive
This section contains list of legacy WAF that are no more supported
ZION security offers an open source web application firewall similar to ModSecurity, and is called Profense. The web application firewall provided by Zion is essentially a Layer-7 firewall (which is also called “proxy firewall”) and it inspects the traffic to block content.
AQTRONIX WebKnight is an open source application firewall designed specifically for web servers and IIS, and it is licensed through the GNU – General Public License. It provides the features of buffer overflow, directory traversal, encoding and SQL injection to identify / restrict the attacks. Internet based protection is also provided by companies which provide security at the network layer with features such as packet filter. Besides, there are some other types of firewalls which are designed to ensure security of the database. Therefore, the criteria for selecting an open source WAF should be the types of vulnerabilities the WAF can prevent and the exact requirements that your company is having. This list of open source web application firewalls would hence assist you in determining the apt WAF for Webapp security.
Hope you found this list useful! What is your experience with WAF? Please don’t forget to share with me in comments.
- Article Updated on September 2021. Some HTTP links are updated to HTTPS. Updated broken links with latest URLs. Some minor text updates done. Content validated and updated for relevance in 2021.