"An intermediary device, sitting between a web-client and a web server,
analyzing OSI Layer-7 messages for violations in the programmed
security policy. A web application firewall is used as a security
device protecting the web server from attack."
- Web Application Security Consortium Glossary
Standard firewalls are designed to restrict access to certain ports, or services that an administrator doesn't want unauthorized people to access.
Web Application Firewalls are often called 'Deep Packet Inspection Firewalls' because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some Web Application Firewalls look for certain 'attack signatures' to try to identify a specific attack that an intruder may be sending, while others look for abnormal behavior that doesn't fit the websites normal traffic patterns. Web Application Firewalls can be either software, or hardware appliance based and are installed in front of a webserver in an effort to try and shield it from incoming attacks.
Information on the types of 'signatures' that a web application firewall may use can be found in the "Fingerprinting Port 80 Attacks" papers in our Articles section
An open sourced Web Application Firewall for the Apache Webserver named Mod_Security can be found at http://www.modsecurity.org