Endpoint WAF vs Cloud WAF – What is the difference?

September 17, 2019 by Agnes Talalaev

There are different options when it comes to choosing a web application firewall for your website. The technical approaches have various pros and cons, and each tends to be more effective in different situations.

Let's look at the main differences between the technologies, discuss their strengths and weaknesses, and try to figure out which one to use for a website.

What Is a Cloud-Based Firewall (DNS, Reverse Proxy)?

A cloud-based firewall works as a middleman between your site and the visitor. When a visitor enters your domain name into the browser, the connection actually goes to the cloud-based firewall provider's servers, where it is analyzed.

If all the checks pass and the visitor is legitimate and does not pose any risk to the site, the traffic is forwarded to the actual website (or to the cached version of the site).

You have probably heard of Cloudflare. They are the best-known cloud-based firewall provider.

Advantages Of a Cloud-Based Firewall (Cloud WAF)

Cloud-based firewalls often analyze a wider spectrum of traffic, since everything that is sent to the domain has to pass through the cloud-based WAF servers. One of the advantages is protection against DDoS attacks.

Another thing to note is that cloud-based firewalls often spare your server resources by stopping unwanted traffic before it reaches the site itself.

Disadvantages Of a Cloud-Based Firewall (Cloud WAF)

Of course, cloud-based firewalls also have their weaker side. One weakness is that a cloud-based firewall doesn't really know who the visitor is.

The cloud-based firewall has no understanding of how the site works, what the software-specific circumstances are, who is authenticated, or which permissions they have. Because cloud-based firewalls are often built for generic use cases, many software-specific vulnerabilities (such as plugin vulnerabilities) might not be blocked.

Sites behind a cloud-based firewall also rely completely on the service provider. If the cloud-based firewall provider has service downtime, your site will be down as well. In many cases, cloud-based firewalls can also be bypassed completely if the site is accessed directly via its IP address rather than via the domain name.
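One mitigation for the direct-IP bypass described above is to have the origin refuse any request that did not arrive from the cloud WAF's address ranges, and to trust forwarded client addresses only from those peers. The Python below is an added example, not code from this article or from any vendor; the ranges are constructed placeholders from documentation address space, and `is_trusted_proxy` and `evaluate_request` are hypothetical names.

```python
import ipaddress

# Constructed placeholder ranges from documentation address space
# (RFC 5737 / RFC 3849). Use the ranges your provider publishes.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_trusted_proxy(peer_ip):
    """True if the TCP peer address belongs to the cloud WAF."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def evaluate_request(peer_ip, headers):
    """Return (allowed, client_ip) for a request reaching the origin."""
    if not is_trusted_proxy(peer_ip):
        # Direct hit on the origin IP: the cloud WAF never saw it.
        return (False, peer_ip)
    # Assumption: one proxy hop that appends the address it observed,
    # so only the right-most X-Forwarded-For entry is believed.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    client = hops[-1] or peer_ip
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return (False, peer_ip)  # malformed header from a trusted peer
    return (True, client)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers)
    samples = [
        ("192.0.2.10", {"X-Forwarded-For": "203.0.113.7"}),
        ("198.51.100.23", {"X-Forwarded-For": "192.0.2.10"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", evaluate_request(peer, hdrs))
```

The same allow-list is more robust when also enforced at the network layer (host firewall or security group), so that direct connections never reach the web server at all.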

What Is an Endpoint Web Application Firewall (Endpoint WAF)?

An endpoint web application firewall (endpoint WAF) runs within the application itself. It is aware of the software used inside the website and understands how it is built and how it works. It also knows who the visitors are: whether they are authenticated and which permissions they have.

Most next-gen firewalls available today also work on the endpoint, because they can do more there.

Advantages Of an Endpoint Firewall (Endpoint WAF)

Endpoint firewalls tend to have fewer false positives and can be more effective at blocking more complicated, software-targeted attacks. Endpoint WAFs often combine signature-based and heuristic protection, and some even include behavioral analysis.

Since the endpoint firewall has all the information about the website's technical environment and software specifics, it is multifunctional and capable of serving as both an IDS (intrusion detection system) and an IPS (intrusion prevention system).

You are also not affected if the endpoint WAF provider's service drops. You might not receive new rules, but the firewall and the site will keep working. It also can't be bypassed the way cloud WAFs can, since it runs inside the website itself.

Disadvantages Of an Endpoint Firewall (Endpoint WAF)

The main disadvantage is that an endpoint firewall runs on your own resources. The traffic hits your site and is analyzed there, which can require slightly beefier infrastructure for high-traffic sites. Endpoint WAFs usually don't have DDoS protection, especially when applied at the application level (not deep within the server).

What To Choose? Cloud WAF or Endpoint WAF?

The truth is, you should use both. While they each have their pros and cons, it's always good to have multiple layers of security for your sites. Use a cloud WAF to reduce bot traffic and prevent DDoS attacks, and an endpoint WAF to protect the website from hacking attempts.

We always suggest a combination of Cloudflare Free (Cloud WAF) and WebARX (Endpoint WAF) for a good layered website security strategy.
