
I am looking for an open-source WAF solution that could be deployed in Kubernetes. I've looked at ModSecurity, but it seems like good rules cost money and it also requires lots of tuning.

neuro
ladaat

2 Answers


it seems like good rules cost money and it also requires lots of tuning

How can you define the "good rules"?

There are "good rules" in my opinion, called CoreRuleSet (CRS), and it's absolutely free. I don't think you need to tune it too much. CRS has a good community; you can ask anything. Its development is very active.

I think you should take a look.

Besides ModSecurity, there is a new competitor called Coraza. It also uses the SecLang format for its configuration, and it's 100% compatible with CRS.

airween
  • Well, good is about coverage and about false positives. CRS seems to require lots of tuning, I don't have the time for this. As for coverage, I guess there's a reason why AWS, F5 and others are selling rules. – ladaat Sep 10 '22 at 19:33
  • You are concerned about FPs, but what about FNs (false negatives)? You should take a look at this article (2 parts; the next one is linked in the article): https://blog.fraktal.fi/cloud-waf-comparison-using-real-world-attacks-acb21d37805e. F5 is not a competitor there, but as you can see, CRS is a very good rule set. – airween Sep 13 '22 at 09:51
  • coraza with the stable plugin for https://caddyserver.com/ looks like a good choice to run in rootless podman – Stuart Cardall Oct 25 '22 at 09:40
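The tuning step this answer says is lighter than feared usually means reading the CRS alerts the WAF logs on legitimate traffic and writing runtime rule exclusions for the few rule/parameter pairs that keep firing. As an added example (not from the original answer, and not code from the CRS, ModSecurity or Coraza projects), the script below does that first pass in Python: it parses ModSecurity v3 alerts as the nginx connector writes them to the error log (ingress-nginx with ModSecurity enabled logs the same format), groups repeated hits by rule id, URI and matched variable, and prints candidate SecLang exclusions for a human to review. The log lines, hosts, IPs and timestamps are constructed for the example; rule ids 942100, 920350 and 949110 are real CRS 3.3 rules, and the `ctl:ruleRemoveTargetById` / `ctl:ruleRemoveById` actions are the standard ModSecurity runtime exclusion syntax, which Coraza also accepts as part of its SecLang compatibility.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of ModSecurity v3 alerts in the nginx error-log format
# (this is what ingress-nginx forwards when ModSecurity is enabled). All hosts,
# IPs and timestamps are made up for this example.
SAMPLE_LOG = """\
2022/09/10 10:00:01 [error] 31#31: *7 [client 10.244.1.9] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:comment: it's fine and 1 more thing"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/api/comments"] [unique_id "166280400112.345678"], client: 10.244.1.9, server: , request: "POST /api/comments HTTP/1.1", host: "shop.example.test"
2022/09/10 10:00:01 [error] 31#31: *7 [client 10.244.1.9] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/api/comments"] [unique_id "166280400112.345678"], client: 10.244.1.9, server: , request: "POST /api/comments HTTP/1.1", host: "shop.example.test"
2022/09/10 10:00:05 [error] 31#31: *9 [client 10.244.0.1] ModSecurity: Warning. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "716"] [id "920350"] [msg "Host header is a numeric IP address"] [data "Matched Data: 10.244.1.5 found within REQUEST_HEADERS:Host: 10.244.1.5"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/healthz"] [unique_id "166280400512.000001"], client: 10.244.0.1, server: , request: "GET /healthz HTTP/1.1", host: "10.244.1.5"
2022/09/10 10:00:09 [error] 31#31: *12 [client 10.244.2.4] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:comment: that's 1 reason I'd buy again"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/api/comments"] [unique_id "166280400912.000002"], client: 10.244.2.4, server: , request: "POST /api/comments HTTP/1.1", host: "shop.example.test"
2022/09/10 10:00:15 [error] 31#31: *14 [client 10.244.0.1] ModSecurity: Warning. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "716"] [id "920350"] [msg "Host header is a numeric IP address"] [data "Matched Data: 10.244.1.5 found within REQUEST_HEADERS:Host: 10.244.1.5"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/healthz"] [unique_id "166280401512.000003"], client: 10.244.0.1, server: , request: "GET /healthz HTTP/1.1", host: "10.244.1.5"
2022/09/10 10:00:21 [error] 31#31: *17 [client 198.51.100.7] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:q: ' OR 1=1--"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/search"] [unique_id "166280402112.000004"], client: 198.51.100.7, server: , request: "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1", host: "shop.example.test"
2022/09/10 10:00:30 [error] 31#31: *20 [client 10.244.3.8] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:comment: it's the 1 I wanted"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/api/comments"] [unique_id "166280403012.000005"], client: 10.244.3.8, server: , request: "POST /api/comments HTTP/1.1", host: "shop.example.test"
2022/09/10 10:00:35 [error] 31#31: *22 [client 10.244.0.1] ModSecurity: Warning. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "716"] [id "920350"] [msg "Host header is a numeric IP address"] [data "Matched Data: 10.244.1.5 found within REQUEST_HEADERS:Host: 10.244.1.5"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [hostname "10.244.1.5"] [uri "/healthz"] [unique_id "166280403512.000006"], client: 10.244.0.1, server: , request: "GET /healthz HTTP/1.1", host: "10.244.1.5"
"""

# CRS rules that only evaluate the anomaly score; they are not detections and
# must never be excluded, so they are dropped at parse time.
EVALUATION_RULES = {949110, 980130}

# Pulls the variable name out of CRS's "Matched Data: ... found within VAR: value"
# text, e.g. "ARGS:comment" or "REQUEST_HEADERS:Host".
VAR_RE = re.compile(r"found within ([A-Z_]+(?::[^:\s]+)?):")


@dataclass(frozen=True)
class Event:
    rule_id: int
    uri: str
    variable: str   # "" when the alert names no matched variable
    msg: str
    matched: str    # the raw [data "..."] text, kept for human review


def field(line: str, name: str) -> str:
    """Return the value of a bracketed [name "value"] tag, or "" if absent."""
    m = re.search(r'\[%s "([^"]*)"\]' % re.escape(name), line)
    return m.group(1) if m else ""


def parse_events(log_text: str) -> List[Event]:
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or not field(line, "id"):
            continue
        rule_id = int(field(line, "id"))
        if rule_id in EVALUATION_RULES:
            continue
        data = field(line, "data")
        m = VAR_RE.search(data)
        events.append(Event(rule_id, field(line, "uri"),
                            m.group(1) if m else "", field(line, "msg"), data))
    return events


Key = Tuple[int, str, str]


def hot_spots(events: List[Event], min_hits: int = 3) -> List[Tuple[Key, int]]:
    """(rule id, uri, variable) combinations that fired at least min_hits times.
    A rule that keeps hitting the same parameter of the same endpoint is the
    classic false-positive candidate; one-off hits are left alone."""
    counts = Counter((e.rule_id, e.uri, e.variable) for e in events)
    return [(key, n) for key, n in counts.most_common() if n >= min_hits]


def exclusion_rules(spots: List[Tuple[Key, int]], start_id: int = 10000) -> List[str]:
    """Emit one SecLang runtime exclusion per hot spot, scoped to the URI. When the
    matched variable is known, only that target is removed from the rule; otherwise
    the whole rule is disabled for that URI. Ids 10000+ are a free user range
    (CRS itself uses 900000-999999)."""
    rules = []
    for offset, ((rule_id, uri, variable), _) in enumerate(spots):
        if variable:
            action = f"ctl:ruleRemoveTargetById={rule_id};{variable}"
        else:
            action = f"ctl:ruleRemoveById={rule_id}"
        rules.append(f'SecRule REQUEST_URI "@beginsWith {uri}" '
                     f'"id:{start_id + offset},phase:1,pass,nolog,{action}"')
    return rules


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    spots = hot_spots(events)
    for (rule_id, uri, variable), n in spots:
        sample = next(e for e in events if (e.rule_id, e.uri, e.variable) == (rule_id, uri, variable))
        print(f"# {n}x rule {rule_id} on {uri} via {variable or '(no variable)'}: {sample.msg}")
        print(f"#   e.g. {sample.matched}")
    print("\n".join(exclusion_rules(spots)))
```

Load the reviewed output before the CRS rules (the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf slot, or on ingress-nginx the `nginx.ingress.kubernetes.io/modsecurity-snippet` annotation alongside `enable-modsecurity` and `enable-owasp-core-rules`). Hit counts alone cannot tell a false positive from a repeated attack, so the printed matched data has to be read before a candidate is adopted: in the sample, the apostrophes in product comments and the numeric Host header on the kubelet health check are benign and get scoped exclusions, while the single `' OR 1=1--` hit on /search is a true positive that correctly stays below the threshold.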

As you mentioned, the most common one is ModSecurity. It's a well-proven solution that uses signatures. They work well but are reactive by nature, meaning that often signatures aren't available until after vulnerabilities have been known for some time and exploits are in circulation; as such, they don't provide a good enough response to modern fast-spreading attacks. From an operational perspective they require constant tuning and exception handling to avoid false positives.

You can look at open-appsec (https://www.openappsec.io). It is a new open-source initiative that builds on machine learning to provide web application and API security with no threat-signature upkeep. It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy and API gateways.

onirisapp
  • Well, it's still in Beta, but the approach looks interesting. I will check it out. Thanks. – ladaat Sep 10 '22 at 19:34
  • 1. When testing the efficiency of security products you must look at both FP and FN. It's very easy to achieve a very high TN (true negative) rate while having very high FP (false positives), which in practice means that you will not be able to use the solution. 2. "Zero-day" exploits such as Log4Shell and Spring4Shell were not blocked by CRS. Signatures were released only after. – onirisapp Sep 11 '22 at 20:50
  • @onirisapp - sorry, my previous comment went to wrong place. I've moved that under my answer. Sorry again. – airween Sep 14 '22 at 09:53