Cloudflare Web Application Firewall Review
Hi, I hope most of you are familiar with Cloudflare, in short, CloudFlare protects and accelerates any website online. Check more details about their features Cloudflare Overview. I’m a fan of cloudflare right from the start. Cloudflare has a free account , pro and business account, For over an year i was using cloudflare as a free member and enjoying all the benefits it offers free of cost. One of my personal favorite is that its a reverse proxy, so from security point of view, you can’t tell the IP address of the server my website is hosted on. Some time back i participated in Cloudflare Bug Bounty, I found a XSS vulnerability in cloudflare core infrastructure which was effecting all cloudflare based websites, here is the writeup. They awarded me Cloudflare Pro account for lifetime. Cloudflare pro, apart from other cool features, also offers Web Application Firewall. I’ve been using it for about 6 months now so i decided to write Cloudflare Web Application Firewall Review and let everyone know about its features.
Cloudflare Web Application Firewall Interface
Cloudflare WAF has an online easy to use interface, which users can access from their cloudflare account, Users have complete control over the working of WAF, which is explained later in this post. Users can do the following (but not limited to) operations.
- Users can Turn Off/On firewall on single click
- Rulesets can be changed.
- Particular action can be decided for a particular rule, either, block, challenge, or just log the activity u3on triggering a user.
- View IP address, user activity, and rules they triggered.
- How many times a specific rule is triggered and who triggered it.
Cloudflare Web Application Firewall Rulesets
Cloudflare Web Application firewall is based on two types of rulesets , which are then divided over several rulesets, users have the ability to select rulesets that they want to enable or disable, also the action that firewall should take after a particular ruleset is triggered. Two main rule sets are as follow:-
OWASP ModSecurity Core Rule Set
OWASP ModSecurity Core Rule Set is opensource rule set developed by ModSecurity and OWASP, The OWASP ModSecurity CRS provides protections if the following attack/threat categories:
- Protecting HTTP protocol violations.
- IP looks for blacklisted IP’s from 3rd party.
- HTTP DOS Protection
- Common Web attack protection
- BOT/Crawler detection
- Scanning for malicious file uploads
- Tracking sensitive data like credit card leaks
- Detecting trojan horses
- Application defects and misconfiguration detection
- Error Detection
Cloudflare Web Application Firewall Modsecurity core ruleset
Cloudflare’s own ruleset
Cloudflare Ruleset is developed in-house by cloudflare. This ruleset contains several other rulesets for particular applications which contains the following.
- CloudFlare Atlassian This ruleset provides specific protections against vulnerabilities within Atlassian applications and services.
- CloudFlare Plone This ruleset should only be enabled if the Plone CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
- CloudFlare Miscellaneous CloudFlare Miscellaneous contains rules to deal with known malicious traffic or patch flaws in specific web applications.
- CloudFlare Php This ruleset should only be enabled if PHP is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
- CloudFlare Whmcs This ruleset should only be enabled if WHMCS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
- CloudFlare WordPress This ruleset should only be enabled if the WordPress CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules.
- CloudFlare Joomla This ruleset should only be enabled if the Joomla CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
- CloudFlare Drupal This ruleset should only be enabled if the Drupal CMS is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules in the OWASP ruleset.
-
CloudFlare Flash This ruleset should only be enabled if Adobe Flash content is used for this domain. It contains additional rules that complement the technology-specific protections provided by similar rules.
-
CloudFlare Specials CloudFlare Specials contains a number of rules that have been created to deal with specific attack types.
Cloudflare WAF events
Cloudflare WAF generates events when they are triggered, user can view those events their rulesets, why they were triggered, including the POST or GET request. This is particularly interested for people in Information security because you can see what attacks are common now adays, which services are being attacked and what are the payloads being used. I personally saw some interesting attacks. For example this one
Cloudflare Web Application Firewall Review
This is an SQL injection attack on a specific application. Even if you are lucky you can also get Zero Day vulnerabilities. The screenshot below describes the overall look for WAF events. The features here are self explanatory in screenshot.
Cloudflare Web Application Firewall Review
Conclusion
Cloudflare Web Application Firewall is simply great, it offers easy interface , a lots of features. The most important thing is the level of customization and details it offers. I personally recommend it as compared to Open sources WAF solutions. The easy to use interface and description of every makes it easy for non info security person to adopt to their settings. You may ask about negatives, i really tried to find negatives, I dont seem to find any, if you have any negatives, feels free to post in comments, i will include them in this article. Thanks for reading Cloudflare Web Application Firewall Review.
source: https://haiderm.com/cloudflare-web-application-firewall-review/