CloudFlare vs Incapsula vs ModSecurity – A Comparative Penetration Testing Analysis Report
This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment. We've chosen to test three Web Application Firewall services offered by three different vendors including Trustwave SpiderLabs ModSecurity, CloudFlare and Incapsula. Given that ModSecurity is free, we signed up for both CloudFlare and Incapsula paid Business plan. They have noticeably different prices for their paid plans. CloudFlare Business Plan is $200/month (the WAF is also available in the Pro Plan, for $20/month). Incapsula Business Plan is $59/month.
Download the entire PDF here: http://zeroscience.mk/blog/02/2013/cloudflare-vs-incapsula-vs-modsecurity-a-comparative-penetration-testing-analysis-report/
tl;dr:
Comments
Ouch CloudFlare didn't so well.
Fixed that for you.
Either something was misconfigured, or the Cloudflare team is going to have a bad day...
LOL - that is pretty bad for the paid providers -- I quit using free CF when it seemed like my site was down more than it was UP --- good analysis of the platforms though, I always liked mod_sec, and it's good to see it performs well in testing.
I believe cloudflare promotes themselves more as DDOS protection + performance CDN than security. Security was mostly a bonus.
CloudFlare is only one tool to use. You should use both, not one or the other.
Personally, I wouldn't ever use cloudflare because the last time I used it on a project we noticed a significant drop in ad revenue.
All nice and well, but Cloudflare is a 'plug and play' service, which also has a free plan btw, whereas ModSecurity doesn't seem to be that much plug and play but rather 'get ready to config'...
Exactly, you pay for SSL, extra IPs and more DDoS protected bandwidth, it's about the network at cloudflare, not the software
@BronzeByte
Incapsula appears to only offer an SLA on their enterprise plan, whereas Cloudflare offers a 100% SLA on business as well.
Had a short conversation with one of the co-founders of Cloudflare a couple months ago. Cloudflare has 250Gbps + capacity, adding 20% more each month or two if I recall correctly.
I've heard pretty great things for Incapsula, I can't believe that mod_sec performs better.
They were pretty close. Incapsula was much better than Cloudflare...
Yes, I do not like cloudflare. I have used them for a long time. They were good to stop spam bots in my forum, but they have a bad habit of showing live sites offline which causes decrease in revenue to the sites. I was using free version, so cannot comment on the paid version.
Well I use the paid version of CloudFlare on some sites, but most of all the free version. both work great blocks forum/blog spammers nicely though.
Obviously something is up with CF. Did you turn the WAF on?
It looks like those tests were performed with the protection itself turned off, or something.
CF shouldn't be that incompetent, I'll buzz them with the link to that article.
This appears to be a paid for case study by Incapsula
Wouldn't be the first time they've done something like this.
Nope, I have read their full report. They have tested with protection to high. It is true that CF web firewall is worst. I have heard this issue on webhostingtalk as well.
You do realize you can still jip a study by putting something with a known increased result into a test. Like putting a known increased diabetic group in a study on how sugar affects people.
It looks really biased to me, tbqh. Either way, linked -- maybe we'll get an official response.
Edit:
Got a reply, though, you can't really call it a real response, I guess?
lol
I'd suspect if it gets enough traction they will respond via blog post.
Maybe Incapsula is paying them for the review, since ModSecurity will not pay.
Using Mod Security for 8 years. Tried and tested.
This is funny and interesting. I knew that CF was shitty but didn't know it was THAT shitty.