
4 Open Source Web Application Firewalls for Better Security: An In-Depth Guide

Do you manage web applications that handle sensitive data for your business or clients? Then you need to be concerned about online threats targeting those apps. The consequences of a compromised application include data theft, financial fraud, regulatory fines, and reputation damage.

A key tool in securing web apps is a WAF, or web application firewall. As your personal guide, I'll explain what WAFs do, why open source options are useful, and provide an in-depth look at 4 popular open source WAFs.

Web Application Firewalls: Your First Line of Defense

First, what exactly is a WAF?

A WAF sits in the HTTP path and inspects requests to (and often responses from) web applications. Most WAFs combine a negative model, rules describing known attack patterns such as SQL injection or script-tag payloads, with, where the effort is spent, a positive model: an allow-list describing what legitimate requests to a given URL look like. Requests that match attack rules or fall outside the allow-list are logged or blocked.

Here are some examples of what a WAF protects against:

  • Injection attacks – SQL, OS command, LDAP, etc. Near the top of every OWASP Top 10, and the class that WAF rules detect best.
  • Cross-site scripting (XSS) – injecting script into pages, commonly used to steal session cookies or act as the victim.
  • Broken authentication – credential stuffing and password guessing. A WAF can rate-limit and block known-bad sources, but it cannot repair weak authentication logic.
  • Cross-site request forgery – forces users to execute unwanted actions. A WAF can check Origin and Referer headers; the real fix is anti-CSRF tokens in the application.
  • And more – exploitation of known vulnerabilities (virtual patching), malicious bots and scrapers, protocol violations, and malware in uploads.

Based on 2021 statistics from Imperva, over 70% of websites have experienced medium or high security attacks. The average number of attacks per website was over 230 per month. This shows the scale of threats targeting web apps today.

WAFs are deployed either as reverse proxies in front of your apps or as modules inside the web server that fronts them:

[Diagram: clients → WAF (reverse proxy) → web application]

Benefits of using a WAF include:

  • Blocks known attack patterns and, through generic rules and anomaly scoring, many variants that were not seen before
  • Inspects the application layer (URLs, parameters, headers, bodies) that a network firewall cannot parse
  • Detailed logging of every request, useful for detection and forensics
  • Virtual patching: blocks exploitation of a known flaw while the code fix is being developed
  • No modifications needed to backend apps
  • A tuned ruleset also drops scanner and bot noise before it reaches the application servers

Now that you understand what a WAF is and why it's critical for web app security, let's explore leading open source options.

Why Open Source WAFs Are Appealing

Commercial WAFs from vendors like Imperva, Akamai, and Barracuda are powerful but expensive. This is where open source WAFs shine.

The main advantages of open source WAFs are:

  • Cost – No license fees; the real cost is engineering time to tune rules
  • Control – Open access to modify code and rules
  • Choice – Options for different platforms and apps
  • Community – Can leverage open source community expertise
  • Transparency – Ability to inspect code for bugs or backdoors

Leading open source WAFs offer capabilities comparable to commercial products at no license cost, provided someone owns the tuning. Let's dive deeper into the top options now.

1. ModSecurity – The Swiss Army Knife of WAFs

ModSecurity stands out as one of the most robust and flexible open source WAFs. Ivan Ristić created it in 2002; Trustwave SpiderLabs maintained it for many years, and in 2024 the project moved under OWASP, where it's still under active development.

Key Strengths

Here are some of the top strengths of ModSecurity:

  • Runs inside Apache, Nginx and IIS (Apache natively; Nginx and IIS through connectors to the libmodsecurity engine)
  • Mature and powerful rule language (SecLang) with transformations, variables and persistent collections
  • Paired with the OWASP Core Rule Set (CRS), covers the injection and attack-pattern classes of the OWASP Top 10; logic flaws such as broken access control are not something a WAF can fix
  • Real-time logging and a detailed audit log for analysis
  • Strong community with over 170 contributors
  • JSON audit logs feed dashboards in an external log stack or SIEM; ModSecurity itself ships no GUI
  • Commercial rulesets available

ModSecurity excels at providing fine-grained control over traffic filtering rules. The extensive logging also enables in-depth monitoring, forensics, and attack analysis.

Capabilities Deep Dive

Let's explore some of ModSecurity's capabilities and protections in more detail:

  • Core Rule Set – Out-of-the-box protection against XSS, SQLi, RFI, LFI, etc., with paranoia levels 1 to 4 that trade false positives for coverage. Rules can be layered from general to specific.
  • IP Reputation – Block requests from known malicious IPs using list files (@ipMatchFromFile) or DNS blocklists (@rbl).
  • Correlation – Persistent collections keyed by IP or session carry state across requests, so multi-step attacks can be identified and blocked.
  • DoS Protection – The CRS DoS rules count requests per client in a time window and block bursts; throttling can be built from the same collections.
  • False Positive Reduction – Anomaly scoring: each matching rule adds points according to its severity and only the total is compared with a threshold, so one weak match does not block on its own.
  • Masking – sanitiseArg and sanitiseMatched hide sensitive fields like card numbers or passwords in the audit log.
  • Integration – Audit logs in JSON ship to any SIEM or log pipeline; there is no dedicated management API.

Detection rates quoted for ModSecurity in third-party tests depend almost entirely on which ruleset and paranoia level were tested, so treat any single catch-rate figure with caution. The useful measurement is the CRS against a replay of your own traffic, checking both what it blocks and what it breaks.

Installation and Configuration

ModSecurity is a module that runs inside the web server; that server is often itself a reverse proxy in front of the application. Installation steps vary by web server:

Apache – Install mod_security2 from your distribution (for example the libapache2-mod-security2 package on Debian and Ubuntu) or compile it as a DSO, enable the module, and include the configuration and rule files.

IIS – Install the ModSecurity for IIS package, which registers a native IIS module, then point it at your configuration and rules.

Nginx – Build libmodsecurity (v3) and the ModSecurity-nginx connector as a dynamic module, load it with load_module, and enable it per server or location with modsecurity on; and modsecurity_rules_file.

Once installed, the main configuration involves writing or including rules. For example, you can block common SQL injection patterns, apply transformations that normalize URL and Unicode encoding before matching, or block known scanner and bot user agents. Detection-only mode (SecRuleEngine DetectionOnly) lets you see what a rule would block before you turn blocking on.

ModSecurity itself has no graphical interface for administration or monitoring: you work from the configuration files and the audit log, which is typically shipped to a log stack or SIEM. Commercial WAF products built on ModSecurity, and third-party tools, add dashboards and visualization on top.

When Is ModSecurity a Good Fit?

Given its capabilities and flexibility, here are types of organizations that can benefit most from ModSecurity:

  • Medium to large companies needing strong app security
  • Apps handling financial data or healthcare data
  • Teams with cybersecurity expertise who can manage rules
  • Organizations that require detailed monitoring and forensics
  • Companies wanting ability to customize as needed

The tradeoff is ModSecurity is more complex than some alternatives. But its extensive controls are worth it for many organizations.

2. NAXSI – A Lightweight WAF for Nginx

NAXSI stands for Nginx Anti XSS & SQL Injection. As the name suggests, it's a module for Nginx, so it protects whatever Nginx fronts, whether Nginx is the web server or a reverse proxy.

Highlighted Capabilities

Some key capabilities provided by NAXSI include:

  • A small set of generic open source rules that score SQL, XSS, remote file inclusion, path traversal and evasion patterns.
  • The core rules change rarely by design; most of the work is tuning whitelists for your applications.
  • Community whitelist sets for common apps like WordPress, Drupal, phpMyAdmin, etc. reduce false positives out of the box.
  • Supports Nginx as a reverse proxy or web server.
  • Whitelist-driven configuration: the core rules are deliberately broad, and you add BasicRule wl: exceptions per site.
  • Can be deployed on edge networks or directly on app servers.
  • Learning mode logs what would have been blocked, in the NAXSI_FMT log format, so whitelists can be generated from real traffic.

NAXSI takes a simpler approach than ModSecurity: instead of signatures for individual attacks, its rules assign per-category scores to suspicious characters and keywords, and CheckRule thresholds decide when to block.

Implementation Details

To implement NAXSI with Nginx:

  1. Build the module against your Nginx source (--add-module or --add-dynamic-module) or install your distribution's package if it ships one.
  2. Include naxsi_core.rules in the http block of your Nginx configuration.
  3. Enable NAXSI and set thresholds in each location you want protected:
# in http { }: load the generic core rules once
include /etc/nginx/naxsi_core.rules;

# in location / { }: enable NAXSI in blocking mode
SecRulesEnabled;
# LearningMode;            # uncomment to log instead of block while tuning
DeniedUrl "/RequestDenied";

# Block when the accumulated per-category score reaches the threshold
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

# Whitelist: core rule 1001 (double quote) is legitimate in the "q" query parameter
BasicRule wl:1001 "mz:$ARGS_VAR:q";

# location /RequestDenied { return 403; }

This loads the core rules, turns on NAXSI in blocking mode, sets the thresholds at which the SQLi, RFI, traversal, evasion and XSS scores trigger a block, and whitelists one known false positive. The /RequestDenied location must exist; returning 403 from it is the usual choice.

The thresholds and whitelists are what you tune per application. Run with LearningMode on first, review the logged hits, and add whitelists for legitimate traffic before switching to blocking.
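The learning-mode workflow above is mostly log reading. As an added example (written for this guide, not NAXSI's own nxtool), here is a Python script that parses NAXSI_FMT lines from the Nginx error log and proposes BasicRule whitelists scoped to the URL and the exact variable that tripped each rule. The log lines are constructed samples in the NAXSI_FMT shape, and the "seen at least N times" threshold is this script's own heuristic for separating repeated false positives from one-off hits.

```python
"""Parse NAXSI_FMT log lines and propose whitelist rules (illustrative tool)."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of what Nginx's error log holds with NAXSI enabled.
SAMPLE_LOG = [
    '2023/05/02 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=shop.example'
    '&uri=/search&learning=1&vers=1.3&total_processed=10&total_blocked=3&block=1'
    '&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q&zone1=ARGS&id1=1010&var_name1=q,'
    ' client: 203.0.113.5, server: shop.example, request: "GET /search?q=%22red%22%20(small) HTTP/1.1"',
    '2023/05/02 10:00:04 [error] 1234#0: *2 NAXSI_FMT: ip=198.51.100.7&server=shop.example'
    '&uri=/search&learning=1&vers=1.3&total_processed=11&total_blocked=4&block=1'
    '&cscore0=$SQL&score0=4&zone0=ARGS&id0=1001&var_name0=q,'
    ' client: 198.51.100.7, server: shop.example, request: "GET /search?q=%22blue%22 HTTP/1.1"',
    '2023/05/02 10:00:09 [error] 1234#0: *3 NAXSI_FMT: ip=198.51.100.9&server=shop.example'
    '&uri=/search&learning=1&vers=1.3&total_processed=12&total_blocked=5&block=1'
    '&cscore0=$SQL&score0=4&zone0=ARGS&id0=1015&var_name0=tags,'
    ' client: 198.51.100.9, server: shop.example, request: "GET /search?tags=a,b HTTP/1.1"',
    '2023/05/02 10:01:30 [error] 1234#0: *4 NAXSI_FMT: ip=192.0.2.33&server=shop.example'
    '&uri=/wp-login.php&learning=0&vers=1.3&total_processed=40&total_blocked=6&block=1'
    '&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent,'
    ' client: 192.0.2.33, server: shop.example, request: "POST /wp-login.php HTTP/1.1"',
]

NAXSI_FMT = re.compile(r"NAXSI_FMT: (?P<kv>[^,]+)")


def _indexed(kv: dict, prefix: str) -> list:
    """Collect prefix0, prefix1, ... in order (NAXSI numbers repeated fields this way)."""
    values, i = [], 0
    while f"{prefix}{i}" in kv:
        values.append(kv[f"{prefix}{i}"])
        i += 1
    return values


def parse_naxsi_line(line: str):
    """Return client, uri, mode, category scores and matched rules for one line, or None."""
    m = NAXSI_FMT.search(line)
    if not m:
        return None
    kv = {k: v[0] for k, v in parse_qs(m.group("kv"), keep_blank_values=True).items()}
    ids = [int(x) for x in _indexed(kv, "id")]
    zones = _indexed(kv, "zone")
    names = [kv.get(f"var_name{i}", "") for i in range(len(ids))]
    return {
        "ip": kv["ip"],
        "uri": kv["uri"],
        "learning": kv.get("learning") == "1",
        "scores": dict(zip(_indexed(kv, "cscore"), map(int, _indexed(kv, "score")))),
        "matches": list(zip(ids, zones, names)),
    }


def match_zone(uri: str, zone: str, var_name: str) -> str:
    """Build the narrowest NAXSI match zone for a hit: this URL and this exact variable."""
    base, _, name_flag = zone.partition("|")   # "ARGS|NAME" means the match was in the name
    if base == "URL" or not var_name:
        return f"$URL:{uri}|{zone}"
    suffix = "|NAME" if name_flag else ""
    return f"$URL:{uri}|${base}_VAR:{var_name}{suffix}"


def propose_whitelists(lines, min_hits: int = 2) -> list:
    """Emit BasicRule wl: lines for rule/zone pairs seen at least min_hits times."""
    hits = Counter()
    for line in lines:
        entry = parse_naxsi_line(line)
        if entry is None:
            continue
        for rule_id, zone, var_name in entry["matches"]:
            hits[(rule_id, match_zone(entry["uri"], zone, var_name))] += 1
    return [f'BasicRule wl:{rule_id} "mz:{mz}";'
            for (rule_id, mz), count in sorted(hits.items()) if count >= min_hits]


if __name__ == "__main__":
    for rule in propose_whitelists(SAMPLE_LOG):
        print(rule)
```

Review every proposed line before pasting it into the location block: a whitelist scoped to one URL and one variable is cheap, but whitelisting a rule for a whole zone (dropping the $URL and variable parts) reopens the hole the rule was closing.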

When Does NAXSI Fit Best?

NAXSI is a great choice when you specifically need an open source WAF to protect Nginx-based web applications. Particularly if you have:

  • Budget constraints but need strong protection
  • Smaller team with limited time for tuning complex rules
  • Multiple apps already running on Nginx
  • Need to deploy both on edge network and app servers
  • Want simple and effective protection focused on XSS and SQLi

For these use cases, NAXSI provides robust core protections without getting bogged down in layers of complex configuration.

3. WebKnight – Securing IIS Web Apps

WebKnight is an open source WAF purpose-built to protect Microsoft IIS web servers. It functions as an ISAPI filter that inspects all traffic to your IIS web apps.

Notable Features

WebKnight provides these security capabilities:

  • Blocking of SQL injection, XSS, oversized requests (buffer overflow attempts), path traversal, etc.
  • Blocking of unwanted HTTP methods, bots and scrapers through user-agent and robots rules.
  • Validation of cookies, headers, parameters, and content types.
  • Normalization of encoding, null bytes and Unicode before the checks run, so encoded payloads don't slip past them.
  • Logging to its own log files, with a companion log-analysis tool rather than a live dashboard.
  • All settings in one XML configuration, edited through the bundled configuration GUI.
  • Updates arrive as new releases of the filter rather than as a separately subscribed rule feed.

As you can see, WebKnight offers extensive protections tailored to securing IIS-hosted web applications.

Configuration Options

To implement WebKnight, first install the ISAPI filter, which registers it as a global filter in IIS. Then complete these steps:

  1. Start from the default configuration shipped with the filter; it contains conservative baseline settings.
  2. Adjust the settings for your specific apps, for example the allowed HTTP methods, request size limits, blocked user agents, or file-upload restrictions.
  3. Keep site-wide settings general and add app-specific exceptions where a check breaks legitimate traffic.
  4. Use the configuration GUI to manage settings and the log-analysis tool to review events and tune rules.

Review the logs after each change: WebKnight's checks are strict by default, and IIS applications that use unusual headers, long query strings or non-ASCII parameters are the usual source of false positives.

The settings-based approach makes it straightforward to implement WebKnight while still providing significant control over filtering behavior.

When Should You Consider WebKnight?

WebKnight excels in these use cases:

  • Organizations heavily invested in Microsoft IIS for web apps
  • Teams with limited WAF expertise who want something easy to implement
  • Quickly add strong protection to legacy IIS applications
  • Provide integrated monitoring and analytics on IIS traffic
  • Get checks tailored to IIS specifics such as mapped paths, file extensions and methods

If your web apps mostly run on IIS servers, WebKnight should definitely be on your shortlist of open source WAF solutions.

4. Shadow Daemon – A Unique WAF for PHP Apps

Shadow Daemon takes a different approach from proxy-based WAFs. Instead of sitting in the network path, it hooks into the application runtime: a small connector runs at the start of every request, collects the input the application is about to use (GET and POST parameters, cookies, headers), and asks a separate shadowd service whether to let the request through.

Because the decision is made on the application's own view of the request, the WAF checks exactly the values the code will process rather than the raw bytes on the wire. This provides some unique advantages.

Key Capabilities

Here are some stand-out features of Shadow Daemon:

  • Three parts: a connector inside the app, the shadowd analysis service, and a web UI; all open source.
  • No reverse proxy or network change is needed; the connector loads into the existing runtime.
  • Connectors exist for PHP, Python and Perl, so it is not limited to PHP despite the usual description.
  • Checks parameters against a blacklist of attack patterns with impact scores and, optionally, a whitelist that describes what each parameter may contain (a positive security model).
  • Web UI for reviewing requests, managing profiles and rules, and tuning.
  • Per-request overhead is small: the connector only serializes the input and waits for a verdict.
  • Works with any PHP app, framework or not, because it hooks in before the application code runs.

By operating inside the application runtime, Shadow Daemon provides a form of runtime application self-protection without changing the network in front of the app.

Setup and Configuration

Shadow Daemon has three components to install:

  • The shadowd service, from source, distribution packages or the project's Docker image, backed by a PostgreSQL or MySQL database
  • The web UI (optional, but the practical way to manage profiles and rules)
  • The connector for your runtime, for example the PHP connector

For the PHP connector, the only change on the application side is to make PHP load the connector before every script:

# php.ini (or a per-site .htaccess): run the connector ahead of every request
# (replace the placeholder with the actual path to the connector's shadowd.php)
auto_prepend_file = /path/to/shadowd_php/shadowd.php

The connector reads its profile id, key and the address of the shadowd service from a small ini file; the profile itself is created in the web UI.

The main configuration is done per profile in the web UI:

  • Operating mode: passive (log only) while learning, then active blocking
  • Blacklist filters: attack patterns with an impact score; a request is blocked when the summed impact for a parameter exceeds the profile threshold
  • Whitelist rules: per path and parameter, the allowed pattern and length, so anything unexpected is blocked without needing a signature for it
  • Rate limiting (flooding) thresholds per client

Blacklist filters ship with the project and are updated with its releases; whitelist rules can be generated from traffic observed in learning mode. The web UI provides monitoring, alerts, and attack analytics.

When Does Shadow Daemon Fit Best?

Shadow Daemon brings unique strengths for these cases:

  • You need to quickly add protection to PHP apps
  • Your team lacks expertise to manage traditional WAFs
  • Simple cloud deployment is preferred over on-prem
  • Concerned about performance overhead of proxy-based WAFs
  • Want strong protection but minimal application changes

By operating embedded within PHP apps, Shadow Daemon simplifies protection while avoiding many traditional WAF drawbacks.

Open Source vs. Commercial WAFs

We've explored the benefits of open source WAFs. However, commercial WAFs do bring some advantages:

Enterprise features – More advanced analytics, integrations, dashboards, etc.

Proactive maintenance – Rules constantly tuned by dedicated security teams.

Lower overhead – With cloud-delivered WAFs there is no infrastructure, OS or software to manage.

Usage-based pricing – Pay only for what you use and scale seamlessly.

Support – Access to technical support engineers if needed.

Threat intelligence – Leverage larger datasets of attack information.

Popular commercial WAF offerings include:

  • Cloudflare
  • Akamai
  • Imperva
  • F5 Big IP
  • Barracuda
  • Citrix NetScaler
  • Radware AppWall

The right choice depends on your budget, app needs, and team skills. Many organizations start with open source WAFs then layer on a commercial or cloud WAF as their needs grow. This provides a flexible and cost-effective approach.

Making the Best WAF Decision

Here are key factors to consider when selecting a WAF:

Your tech stack – Choose a WAF that fits your web server: ModSecurity for Apache or Nginx, NAXSI for Nginx, WebKnight for IIS.

Language support – Shadow Daemon needs a connector for your runtime (PHP, Python or Perl); the other three don't care what the application is written in.

Performance impact – Every WAF adds latency. A proxy adds a network hop and often TLS termination; an in-server module or in-app connector adds CPU per request. Measure with a replay of your own traffic rather than assuming either is cheaper.

Ease of maintenance – WebKnight and Shadow Daemon have admin UIs; ModSecurity and NAXSI are text configuration plus logs, which suits teams that already manage configuration as code.

Deployment needs – Cloud-based WAFs simplify deployment over on-prem software.

Budget – Open source has no license cost but no vendor support; budget engineering time for tuning and upgrades.

Take the time to assess different solutions against your criteria. You can combine different options like free open source WAFs paired with affordable cloud-based WAFs for greater protection.

Conclusion and Key Recommendations

To sum up, here are my top recommendations based on what we've covered:

  • Implement WAF protections – Don't leave web apps exposed without a WAF as a key defense, but treat it as a mitigating layer that buys time, not a substitute for fixing the application.

  • Audit your apps – Determine the biggest threats and vulnerabilities facing your web apps.

  • Assess open source WAF options – ModSecurity, NAXSI, WebKnight, and Shadow Daemon are good options to evaluate.

  • Select the right fit – Choose a WAF that aligns with your tech stack, skills, and needs.

  • Start with open source – Get robust protection at no license cost, then expand to commercial offerings if required.

  • Combine WAFs for layered security – Use different WAFs across edge networks, app servers, cloud environments, etc.

  • Monitor and tune over time – Run new rules in detection-only or learning mode first, review the logs, and whitelist false positives before enforcing them.

I hope this guide has provided a helpful overview of applying open source WAFs to better secure your web applications. Please let me know if you have any other questions! I'm happy to share more insights and advice.


Written by Alexis Kestler

A female web designer and programmer - now a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.