Sucuri CloudProxy - Not your traditional WAF

A few days ago we made public on the Sucuri blog that we were launching the beta of the Sucuri CloudProxy (WAF) product. Since then, I got a lot of questions about it and will try to answer some of them here (on my private blog since it is more of a personal opinion on the matter).

And yes, I have not been posting much here, but you can follow the latest articles on the https://blog.sucuri.net/author/dcid . I am much more active there lately .




Not your traditional WAF


First, it is not an appliance or something you install or download to your site. It is a Cloud-based service and it requires that you change your DNS to point to one our servers, so the traffic can be cached/proxied before it goes to your real server. Once that’s done, you don’t need to do anything else.

Plus, we are not just a web firewall.

The traditional WAF model detects and stops attacks based on known vulnerabilities or exploits and based on the trace of suspicious activity. So they look for patterns that might indicate an SQL injection or an XSS or an attempt to evade security filters through obfuscation.

Even though we do that on our CloudProxy, our goal is not to rely on signatures of suspicious activity to block attacks, but to understand how the web application behind the proxy works and stop any misuse of it.

For example, look at WordPress. Most of the traffic to WordPress goes through the index.php file, where it supports a set of variables (post id, page id, search, etc). A user can also send comments to wp-comments-post.php and administrators can login to the site via wp-admin. Every thing else is not a part of the normal flow (with a few exceptions).

And that’s where the Virtual Hardening comes into play. We are creating profiles for each web application and when those are enabled, we can really restrict access and control what is allowed or not to go through the site. On the WordPress case, we would only allow what is set on the WordPress profile and block any misuse or modification of the default behaviour.

Guess what? Just by having our virtual hardening (without our fancy WAF rules or our signatures for virtual patching), we can block and prevent most attacks. It includes bot scanning, plugin exploits, information gathering and many other issues. It is so powerful, that more than 90% of the attacks are actually getting blocked by it before even reaching or going through the rest of the analysis chain. And it causes a lot less false positives as well.


Fully Managed WAF


Another reason we are far apart from the traditional WAF (and even competitors like CloudFlare) is that our service is fully managed.

So every attack and every log is indeed monitored by our security team (24x7). All our logs go through OSSEC (HIDS), where we have a large amount of rules specific for web attacks and additional correlations that can easily be missed by a common WAF.

So yes, the CloudProxy is not really just a WAF type of service, but a more complete security package that mixes multiple levels of protection, detection, active response and manual auditing for web sites.





Posted in   sucuri     by Daniel Cid (dcid)

Coding for fun and profit. Often fun and little profit.