CloudFlare vs Incapsula vs ModSecurity – A Comparative Penetration Testing Analysis Report
Damian Member
edited February 2013 in General
This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment.

We've chosen to test three Web Application Firewall services offered by three different vendors including Trustwave SpiderLabs ModSecurity, CloudFlare and Incapsula.

Given that ModSecurity is free, we signed up for both CloudFlare and Incapsula paid Business plans. They have noticeably different prices for their paid plans. CloudFlare Business Plan is $200/month (the WAF is also available in the Pro Plan, for $20/month). Incapsula Business Plan is $59/month.

Download the entire PDF here: http://zeroscience.mk/blog/02/2013/cloudflare-vs-incapsula-vs-modsecurity-a-comparative-penetration-testing-analysis-report/

tl;dr: [results summary image]

Comments

  • shovenose Member, Host Rep

    Ouch :( CloudFlare didn't do so well.

  • @shovenose said: CloudFlare didn't

    Fixed that for you.

  • joepie91 Member, Patron Provider

    Either something was misconfigured, or the Cloudflare team is going to have a bad day...

  • LOL - that is pretty bad for the paid providers -- I quit using free CF when it seemed like my site was down more than it was UP :) --- good analysis of the platforms though, I always liked mod_sec, and it's good to see it performs well in testing.

  • Awmusic12635 Member, Host Rep

    I believe cloudflare promotes themselves more as DDOS protection + performance CDN than security. Security was mostly a bonus.

  • CloudFlare is only one tool to use. You should use both, not one or the other.

    Personally, I wouldn't ever use CloudFlare because the last time I used it on a project we noticed a significant drop in ad revenue.

  • All nice and well, but Cloudflare is a 'plug and play' service, which also has a free plan btw, whereas ModSecurity doesn't seem to be that much plug and play but rather 'get ready to config'...

  • @Fliphost said: I believe cloudflare promotes themselves more as DDOS protection + performance CDN than security. Security was mostly a bonus.

    Exactly, you pay for SSL, extra IPs and more DDoS-protected bandwidth; it's about the network at CloudFlare, not the software.

  • Awmusic12635 Member, Host Rep
    edited February 2013

    @BronzeByte

    Incapsula appears to only offer an SLA on their Enterprise plan, whereas CloudFlare offers a 100% SLA on Business as well.

    Had a short conversation with one of the co-founders of CloudFlare a couple of months ago. CloudFlare has 250Gbps+ capacity, adding 20% more each month or two, if I recall correctly.

  • AlexBarakov Patron Provider, Veteran

    I've heard pretty great things about Incapsula, I can't believe that mod_sec performs better.

  • @Alex_LiquidHost said: I've heard pretty great things about Incapsula, I can't believe that mod_sec performs better.

    They were pretty close. Incapsula was much better than Cloudflare...

  • @Damian said: They were pretty close. Incapsula was much better than Cloudflare...

    Yes, I do not like CloudFlare. I have used them for a long time. They were good at stopping spam bots in my forum, but they have a bad habit of showing live sites as offline, which causes a decrease in revenue for the sites. I was using the free version, so I cannot comment on the paid version.

  • shovenose Member, Host Rep

    Well, I use the paid version of CloudFlare on some sites, but mostly the free version. Both work great :) It blocks forum/blog spammers nicely, though.

  • Obviously something is up with CF. Did you turn the WAF on? :p

  • It looks like those tests were performed with the protection itself turned off, or something.

    CF shouldn't be that incompetent, I'll buzz them with the link to that article.

  • This appears to be a paid for case study by Incapsula

  • @unused said: This appears to be a paid for case study by Incapsula

    Wouldn't be the first time they've done something like this.

  • @Wintereise said: It looks like those tests were performed with the protection itself turned off, or something.

    Nope, I have read their full report. They tested with protection set to high. It is true that the CF web firewall is the worst. I have heard about this issue on WebHostingTalk as well.

  • @ftpit said: Nope, I have read their full report. They tested with protection set to high. It is true that the CF web firewall is the worst. I have heard about this issue on WebHostingTalk as well.

    You do realize you can still jip a study by putting something with a known increased result into a test. Like putting a known increased diabetic group in a study on how sugar affects people.

  • Wintereise Member
    edited February 2013

    It looks really biased to me, tbqh. Either way, linked -- maybe we'll get an official response.

    Edit:

    Got a reply, though, you can't really call it a real response, I guess?

    John Roberts (CloudFlare Support)
    Feb 20 09:55 pm (PST)

    Seen it, thanks.

    John Roberts
    Platform lead
    CloudFlare

  • lol

  • I'd suspect if it gets enough traction they will respond via blog post.

  • @Mun said: You do realize you can still jip a study by putting something with a known increased result into a test. Like putting a known increased diabetic group in a study on how sugar affects people.

    Maybe Incapsula is paying them for the review, since ModSecurity will not pay :)

  • Been using ModSecurity for 8 years. Tried and tested.

  • This is funny and interesting. I knew that CF was shitty but didn't know it was THAT shitty.
