

Cloudflare




Posted by cbkihong, 09-27-2012, 01:57 AM
The company I work for is on a deployment with modsecurity and looking into Cloudflare right now. Specifically, we are interested in these aspects of Cloudflare:

1. DDoS protection
2. WAF (including custom modsecurity rules support for business/enterprise plans)

We have deployed OWASP core rule set (CRS) + Trustwave SpiderLabs commercial rules for some time. I would like to understand more how they could possibly fit in in a Cloudflare-enabled environment (whether we need to ditch them, or else), and how custom modsecurity rules work on Cloudflare in general, and the kinds of false positives compared with vanilla OWASP modsecurity CRS.

Another area we are concerned about is rule compatibility: those who have been involved in modsecurity for some time will likely know that modsecurity rules are tightly coupled with the modsecurity version and rules frequently become invalid with version changes in modsecurity. Therefore, how can we be sure, if we use Cloudflare-powered WAF, that our own custom modsecurity rules will work? Modsecurity CRS indeed has helped us detect and block quite a lot of suspicious requests, but due to false positives we needed to add a number of custom rules to override the behaviour of some of the more problematic rules in CRS with respect to our scenario. Specifically we require MS 2.6 or above and we are unsure of the version of modsecurity rules accepted by Cloudflare, and how Cloudflare manages the modsecurity versions for their services.

Another clarification from damoncloudflare requested ... I found a thread here back in 2011 when you recommended to keep the existing security solutions with Cloudflare as it is "not a 100% security solution". While we all understand multiple fences are superior in terms of security, what does that exactly mean, as I couldn't find anything concrete from Cloudflare web site?

/showthread.php?t=1044288 (sorry, as a new user I am not allowed to post links on this site)

Any insights are much appreciated.

Posted by SPINIKR-RO, 09-27-2012, 02:11 AM
Link for above: http://www.webhostingtalk.com/showthread.php?t=1044288

Posted by eth00, 09-27-2012, 10:31 AM
Security is all about layers. Even if they said they could block everything, it would not necessarily be bad to have your own layers. What would happen if their systems went down or went into a bypass mode? What would happen if somebody was able to gain access to the cloudflare network and launch attacks from it? Not realistic, but security is one of those things where it pays to be paranoid.

Posted by cbkihong, 09-27-2012, 09:51 PM
Hmm, as mentioned, I am personally well versed in the importance of multiple rings of security, but I am particularly bugged by their statements that they seemed to suggest it's "not a 100% security solution" and in another thread "not a DDoS solution", when these are some of the key selling points of Cloudflare in their propaganda. As some users here also pointed out that their CDN was far from being satisfactory (something we aren't interested in anyway), what value exactly does Cloudflare offer? That's why I posted here inviting opinions from both fellow users and Cloudflare support alike, especially since the posts here I found which contained particularly critical remarks were made some time back in 2011, and my employer would like to get some more recent opinions in response to aspects which concern us most, as we recognize WHT's standing as probably the best arena for seeking impartial, vendor-neutral user-to-user opinions with respect to the web hosting software and services.

Posted by damoncloudflare, 09-28-2012, 05:34 PM
A lot of things have changed since 2011. We actually do offer DDoS mitigation and protection tools as part of our offering. We do add an additional security layer to sites & do help prevent a lot of attack types. It would honestly be far more misleading for me to say we're a full solution and/or that we block everything malicious (we don't) & that's why that caveat is in place in my comments (setting reasonable expectations). We generally recommend that users still keep existing security options in place, largely due to the fact that we can only proxy web traffic ports and we do rely on data sources for challenge behavior. If you're also using CloudFlare on the domain, you would want to make sure that CloudFlare is whitelisted in the core rules for any security product you're running. Our current WAF right now, more or less, is a modified version of mod_security. We're in the process of rebuilding a better WAF.
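
An added illustration of the whitelisting point in the post above (not part of the thread and not CloudFlare's code): once a reverse proxy sits in front of the origin, per-IP rules on the origin see the proxy's address, so they must resolve the real client from a forwarded header and trust that header only when the TCP peer is a known proxy. The proxy ranges are constructed placeholders, and the `CF-Connecting-IP` header name and the helper functions are assumptions not taken from the page.

```python
import ipaddress
from collections import Counter

# Constructed placeholder range (RFC 5737 documentation space), standing in
# for the proxy provider's published edge ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]
CLIENT_IP_HEADER = "CF-Connecting-IP"  # assumption: header not named on the page


def effective_client_ip(peer_ip, headers):
    """Return the address that per-IP rules should key on."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)  # direct connection: header is client-controlled, ignore it
    claimed = headers.get(CLIENT_IP_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return str(peer)  # missing or malformed header: fall back to the peer


def blocked_ips(requests, limit, resolve):
    """IPs exceeding `limit` requests, keyed by whatever `resolve` returns."""
    hits = Counter(resolve(peer, hdrs) for peer, hdrs in requests)
    return {ip for ip, n in hits.items() if n > limit}


# Constructed sample traffic: (TCP peer address, request headers)
SAMPLE = (
    [("198.51.100.7", {CLIENT_IP_HEADER: "192.0.2.10"})] * 3    # visitor A via proxy
    + [("198.51.100.7", {CLIENT_IP_HEADER: "192.0.2.11"})] * 3  # visitor B via proxy
    + [("198.51.100.9", {CLIENT_IP_HEADER: "192.0.2.66"})] * 8  # noisy visitor via proxy
    + [("203.0.113.5", {CLIENT_IP_HEADER: "192.0.2.10"})] * 8   # direct hit, forged header
)

# Keyed on the raw peer, the rate rule blocks the proxy edges themselves.
naive = blocked_ips(SAMPLE, 5, lambda peer, hdrs: peer)
# Keyed on the resolved client, only the two noisy sources are blocked.
aware = blocked_ips(SAMPLE, 5, effective_client_ip)

if __name__ == "__main__":
    print("keyed on peer address:", sorted(naive))
    print("keyed on resolved client:", sorted(aware))
```
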

Posted by shovenose, 09-28-2012, 06:31 PM
I highly recommend CloudFlare. It makes your site faster and more secure. It can't hurt anything... you can turn off the CDN aspects of it and just focus on security if you want.

Posted by lockbull, 09-28-2012, 11:21 PM
Have you looked at Incapsula? With the caveat that I haven't actively used CloudFlare or Incapsula within at least 9 months, so I can't comment on specific features, I do know that Incapsula was initially designed as a cloud based security service based on Imperva's WAF. So if you're specifically looking at a WAF, it might be something to investigate.


