"A traditional firewall is commonly employed to restrict Web site access to Ports 80 and 443, used for HTTP and Secure Sockets Layer communications, respectively. However, such a device does very little to deter attacks that come over these connections. URL query string manipulations including SQL injection, modification of cookie values, tampering of form field data, malformed requests and a variety of other nasty tricks are often given free passage on allowed, legitimate traffic.
A Web application firewall, such as those reviewed in this issue (see review), might help address security holes in Web servers and Web applications, but there is certainly a great deal that network security professionals could and should do before and after employing such measures.
So sharpen your pencils: It's time for Web Application Security 101."