Protect Your Website Vulnerabilities With a WAF - New Compairson Report - CloudFlare vs Incapsula vs ModSecurity

A new report came out in February, put together by Zero Science Lab, in which they compare the effectiveness between CloudFlare and Incapsula. In it they did the same thing Philip Tibom of Sweden did last year in his comparative report in which he concluded that Incapsula was the superior product. In this new report they included the use of TrustWave’s ModSecurity solution. The thing that website owners have to understand however is that comparing the three is a bit misleading.

Incapsula and Cloudflare are the two leading WAF solutions set up as a software as a service (SaaaS) designed to help every day website owners. CloudFlare probably trumps Incapsula actually in their marketing prowess. ModSecurity, although powerful, is the opposite. It’s something you’d have to configure and maintain on your web servers. It functions the same in that it filters the incoming traffic, but don’t be fooled, it has to be installed and configured and if you don’t know what you’re doing you will likely not render the results they present. That should not take away from its use, in fact I know Cloudflare uses it as part of their solution, not 100% on Incapsula. For the every day website owner, especially those on shared environments, unless you configure your own reverse proxy, ModSecurity will be of little value to you.

Given that ModSecurity is free, we signed up for both CloudFlare and Incapsula paid Business plan. They have noticeably different prices for their paid plans. CloudFlare Business Plan is $200/month (the WAF is also available in the
Pro Plan, for $20/month). Incapsula Business Plan is $59/month. – Zero Science Lab

What I especially liked was how detailed orientated the report was. At a high level this is what they found:

Screen Shot 2013-03-09 at 10.08.03 AM

This is what they really thought about CloudFlare:

Though CloudFlare is presented as, besides other things, a very proficient web application firewall, we concluded that that’s just a marketing sales point and nothing more. – Zero Science Lab

If you’re confused looking at the table provided above, don’t worry, it’s very simple. You are interested in one thing, the number of bypasses. So look at the bold red in the table, the higher the number the worse it is. Bypassed signifies that the attack made it through the firewall. What really confuses me however is that I know CloudFlare uses ModSecurity in their implementation, it’s coupled with a number of other things, but why wouldn’t it be employed correctly. Perhaps it has to do with, what many already know, the idea behind CloudFlare was performance optimization and not security and as much as people would like the two to go hand in hand, they don’t. Focusing energy on one, is going to have an impact on the other. Those that make security the focus will return better results, as shown by Incapsula; the byproduct of the solution will inevitably result in performance increases, but it’s not the focal point of the solution. Perhaps CloudFlare should focus on performance optimization as they started and leave the security to others with a bit more practical experience and capability. The false sense of security they offer their clients is upsetting.

What was perhaps even most upsetting is how CloudFlare continues to employ the CAPTCHA system when it classifies an attack coming from a bot. This was the same issue identified in the last report. All the attacker has to do is type in the CAPTCHA, once validated, you can go about your business attacking. That’s horrible.

Screen Shot 2013-03-09 at 10.24.24 AM

To their defense, the one thing it will protect against is automated attacks, well until the attacker notices and punches in the right CAPTCHA. I should probably clarify though, the issue isn’t with the CAPTCHA per sei, as much as it is with what they do when it’s authenticated. In Cloudflare’s case they seem to whitelist the IP and attacks can resume. In Incapsula’s case they whitelist the IP, but they also continue to block URI attacks. A much more effective solution.

Perhaps the most concerning for users is the lack of apparent protection against Cross Site Scripting (XSS), Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks. These are the prominent attack vectors today, especially on Content Management Systems (CMS) like WordPress, Joomla and many others.

Ok, but let me fair here. Incapsula isn’t the next thing after slice bread. It does have it’s challenges. One very interesting bypass includes the fact that it doesn’t seem to account for malicious attacks in which the HTTP Header Fields are modified. By Header fields I meant things like User-Agent, Accept, Connection, etc.. What’s probably the most interesting of this report is their inclusion of all the bypasses, that’s pretty nice of them. Gives you something to test against if you were ever building your own service.

One very nice feature that both offer is the SSL support for your website. If you’re not familiar with SSL, it’s called Secure Socklet Layer (SSL), it’s a way to encrypt the communication from the browser to the server. It’s how websites should be handling the transfer of sensitive information, think Credit Cards and other similar Personal Identifiable Information (PII).

As for winners, mine continues to be Incapsula for every day website owners based on these. Especially those on old versions of software that they can’t upgrade for one reason or another. In the report however they lean towards ModSecurity as the clear winner. Unfortunately however this doesn’t do much good for the everyday website owner. Unless you’re looking to sharpen your skills as a system admin and keep up with the threats I recommend a WAF SaaS product. MoSecurity can be real finicky and requires tender love and care (TLC) to get it purring the way you want it.

Do remember however that with any Web Application Firewall (WAF) you have to balance False Negatives with False Positives, they have a symbiotic relationship with each other. As you push one down the other comes up and vise versa, you have to find the balance.

Screen Shot 2013-03-09 at 10.46.08 AM

If you’re interested in a new product, that hasn’t been compared to any of these, then contact us at Sucuri. We are currently beta testing our very own WAF product – Sucuri CloudProxy. Will be in full circulation in the coming weeks. The focus is strictly security, not performance, but there are performance improvements. You can send me an email at