The OWASP Core Rule Set (CRS), maintained under the Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project), gives us a robust, community-maintained set of rules that guard against the most common attacks on web applications. NGINX ModSecurity WAF, F5's build of the ModSecurity Web Application Firewall (WAF) for NGINX Plus, incorporates these rules to protect applications hosted on the NGINX platform. However, NGINX has announced End of Life (EOL) for NGINX ModSecurity WAF, effective March 31, 2024. So, what comes next?
Moving forward, ignoring the need for a WAF is not an option. When security is an afterthought during design, it takes the front seat during deployment and wreaks havoc, and with more than half of IT professionals admitting to such shortcuts in their design and deployment cycles, breaches can easily become rampant.
This article discusses the key features and shortcomings of the NGINX ModSecurity WAF and the available alternatives that enhance the security posture of web applications beyond what is offered by ModSecurity.
What is NGINX?
NGINX is one of the most popular web server platforms out there. Initially developed in 2002, it has evolved into a fully-fledged platform for hosting modern web and API-driven applications.
NGINX is available as an open source HTTP and reverse proxy server. NGINX Plus, a commercial web server platform, includes the core web server and several important middleware components, such as load balancer, API gateway, and content cache.
NGINX Plus is owned by F5, Inc., which acquired NGINX, Inc. in 2019. F5 also offers additional tools around the NGINX platform, such as a management suite, a Denial of Service (DoS) protection module, and an ingress controller for Kubernetes-hosted applications.
What is NGINX ModSecurity WAF, and How Does it Work?
ModSecurity is an open-source WAF engine that works with popular web servers such as NGINX and Apache. Under NGINX it runs as a dynamic module: the ModSecurity-nginx connector loads the libmodsecurity (ModSecurity v3) engine into the NGINX worker. Once installed and enabled, it inspects every HTTP request passing through the NGINX server, and optionally the responses, and evaluates them against its rules.
At its core, ModSecurity evaluates a set of security rules written in SecLang, its rule definition language, and performs the actions those rules specify. A rule names the parts of the request to examine (variables such as ARGS, REQUEST_HEADERS or REQUEST_URI), the operator and pattern to test them against, and the actions to take on a match. Actions are either disruptive (deny, drop, redirect, allow, pass) or non-disruptive (log, setvar, ctl), so a matching request can be blocked outright, let through, or simply logged while an anomaly score is accumulated for later rules to act on.
ModSecurity has a huge list of rules, actions, and configuration directives as part of the reference manual to build sophisticated SecLang rules for protecting web applications from most security vulnerabilities.
What are the Key Features of NGINX ModSecurity WAF?
ModSecurity was initially written as a module for monitoring application traffic in the Apache web server. Over the years, it has expanded support for NGINX as well. Some of the key features of NGINX ModSecurity WAF include:
Robust set of security rules: As a WAF, ModSecurity protects against generic protocol abuse (malformed requests, invalid parameters or paths) as well as specific attack classes such as SQL injection and cross-site scripting. The engine itself ships without rules; paired with a rule set such as the OWASP CRS, it detects and blocks a wide range of malicious requests.
Regular expression-based syntax: ModSecurity provides a flexible rule syntax whose @rx operator uses the Perl Compatible Regular Expressions (PCRE) engine, so protection rules can be tailored to the URI, headers, and body of any HTTP request. This allows very granular control over HTTP traffic filtering.
Real-time request inspection: ModSecurity analyzes each HTTP request in real time and applies its rules to look for anomalies and threats.
Integration with NGINX config: Through the ModSecurity-nginx connector, the engine is switched on and its rules file referenced directly from the NGINX configuration, at http, server or location scope, for simplicity and ease of management.
Auditing: ModSecurity also has extensive logging capabilities. Its audit log captures granular details of a transaction (request headers and body, response headers, and the rules that matched) and, in the recommended configuration, records only relevant transactions, i.e. those that triggered a rule or ended in an error status.
ModSecurity’s Security Rules language SecLang is a domain-specific language for writing robust WAF policies with great flexibility and control over traffic handling and security. Apart from matching patterns using regular expressions, it can transform parts of the request to ensure they are sanitized against possible vulnerabilities.
OWASP maintains a standardized Core Rule Set (CRS) for ModSecurity and SecLang-compatible engines, which is freely available. This rule set expresses the common attack detection rules, covers the categories in the OWASP Top 10 web application security risks, and uses anomaly scoring: each matching rule adds a severity score, and the request is blocked only when the total crosses a configured threshold rather than on any single match. It is updated regularly to refine the detection logic and reduce false positives.
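To show how the pieces described above fit together, here is an added example of an NGINX host running ModSecurity v3 with the ModSecurity-nginx connector. It is not configuration from the original article, from NGINX, or from the ModSecurity project: the nginx.conf excerpt loads the module and points at a rules entry file, main.conf pulls in the engine settings and the OWASP CRS, and a local rules file shows phases, transformations, a disruptive action, a chained rule, and a targeted CRS exclusion. The hostname app.example.com, the backend address 127.0.0.1:8080, the internal address ranges, the file paths and the local rule IDs are assumptions; the crs-setup.conf lines follow the CRS 3.x crs-setup.conf.example, and the modsecurity.conf lines are the settings changed from the shipped modsecurity.conf-recommended.

```nginx
# ---- /etc/nginx/nginx.conf (excerpt) ----
# Load the ModSecurity-nginx connector. This must sit at the top level,
# before the events/http blocks.
load_module modules/ngx_http_modsecurity_module.so;

http {
    server {
        listen 80;
        server_name app.example.com;   # assumed hostname

        # Enable the engine for this vhost and point it at the rules entry file.
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
        # Reuse NGINX's request id so access log, audit log and backend can be correlated.
        modsecurity_transaction_id "$request_id";

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed backend
            proxy_set_header X-Request-ID $request_id;
        }

        # Health checks carry no user input; skip inspection to save CPU.
        location = /healthz {
            modsecurity off;
            return 200 "ok\n";
        }
    }
}

# ---- /etc/nginx/modsec/main.conf ----
# Order matters: engine settings, then CRS setup, then CRS rules, then local rules.
Include /etc/nginx/modsec/modsecurity.conf
Include /etc/nginx/modsec/crs-setup.conf
Include /etc/nginx/modsec/rules/*.conf
Include /etc/nginx/modsec/local-rules.conf

# ---- /etc/nginx/modsec/modsecurity.conf (settings changed from the recommended file) ----
# The shipped default is DetectionOnly: rules log but never block.
SecRuleEngine On
# Needed to inspect POST/JSON bodies, not just the URI and headers.
SecRequestBodyAccess On
# Audit only transactions that matched a rule or returned 5xx/4xx (except 404).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Parts: request headers/body, response headers, audit trailer with the matched rules.
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# ---- /etc/nginx/modsec/crs-setup.conf (CRS 3.x settings uncommented) ----
# Paranoia level 1 keeps false positives low. Anomaly scoring adds each
# matching rule's severity score and blocks once the inbound total reaches 5.
SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.paranoia_level=1"
SecAction "id:900110,phase:1,pass,t:none,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# ---- /etc/nginx/modsec/local-rules.conf ----
# IDs 1-99999 are reserved for local rules, so they never collide with CRS (900000+).

# 1. A narrow SQLi pattern in any argument. Transformations run in order:
#    t:none clears the pipeline, then decode and lowercase before the regex.
#    phase:2 runs after the request body is read, so POST parameters are covered.
SecRule ARGS "@rx union\s+(?:all\s+)?select" \
    "id:10001,phase:2,deny,status:403,log,\
     t:none,t:urlDecodeUni,t:lowercase,\
     msg:'Local rule: UNION SELECT in request argument',tag:'local/sqli'"

# 2. Chained rule: the disruptive action fires only if every link matches.
#    /admin is denied unless the client address is in an internal range.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:10002,phase:1,deny,status:403,log,chain,\
     msg:'Local rule: /admin reached from a non-internal address'"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8,192.168.0.0/16"

# 3. Targeted exclusion instead of disabling a CRS rule globally: the upload
#    endpoint legitimately posts a 'payload' field that trips the libinjection
#    SQLi check (CRS id 942100), so remove that single target from that rule.
#    ctl: applies to the current transaction only; because this rule is phase:1
#    it runs before the phase:2 CRS rule regardless of file order. Exclusions
#    that target phase:1 CRS rules must instead be loaded before the CRS include.
SecRule REQUEST_URI "@beginsWith /api/upload" \
    "id:10003,phase:1,pass,nolog,\
     ctl:ruleRemoveTargetById=942100;ARGS:payload"
```

Validate with `nginx -t` and reload, then send a request such as `curl -i 'http://app.example.com/?q=1%20UNION%20SELECT%20password'`: it should return 403 and produce an entry in /var/log/modsec_audit.log naming rule 10001. Two caveats: when NGINX sits behind a load balancer, REMOTE_ADDR is the balancer's address, so rule 10002 needs the real client IP restored (for example with the ngx_http_realip_module) before it is meaningful; and CRS should first be run with SecRuleEngine DetectionOnly against real traffic to find the false positives that need exclusions like rule 10003 before blocking is enabled.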
When you combine a powerful and pre-emptive WAF with comprehensive web application security testing, security-as-code, and up-to-date application management, you’ll be on the way to a robust cybersecurity strategy.
ModSecurity on NGINX is Twilighting: Top Four Alternatives to Consider
NGINX's EOL announcement coincides with a change upstream. Trustwave, the company that maintained the ModSecurity source code, ended its support on July 1, 2024 and handed the project to the OWASP Foundation, where development continues as OWASP ModSecurity with strong community backing.
However, newer WAF alternatives have emerged in the last few years, adding more performance punch and leveraging emerging technologies to offer a better and faster way of managing security vulnerabilities. Here are the top four ModSecurity alternatives to consider in light of the EoL announcement:
1. open-appsec by Check Point Software
open-appsec is an AI-capable WAF. It has a fully automated security engine that can prevent OWASP Top 10 and zero-day threats by leveraging ML and scoring based on transaction, user behavior, crowd behavior, and content risk.
open-appsec is fully compatible with NGINX. Thanks to its AI capabilities, it is quick to get started since it already has the OWASP Top 10 and zero-day vulnerability checks baked in. It is not signature-dependent, unlike most competitors, meaning it is pre-emptive and reacts at lightning speed to attacks before they spread.
See here for more about migrating from ModSecurity to open-appsec.
2. NGINX App Protect WAF
NGINX App Protect WAF is a premium WAF offering from F5. It works with NGINX Plus and offers several performance optimizations, including precompiled security policies and faster matching.
Note, however, that its policies are written in F5's declarative JSON format rather than SecLang, so a custom ModSecurity rule set cannot be dropped in as-is and must be re-expressed in the App Protect policy model. F5 maintains and continuously updates the attack signature set for new threats and to reduce false positives.
3. OWASP Coraza WAF
Coraza is an open source, high-performance WAF engine written in Go. It claims to be more performant than ModSecurity and runs the latest version of the OWASP CRS, with the option to add custom policies.
Coraza is meant to be a drop-in replacement for ModSecurity and is therefore SecLang-compatible, so existing rule sets carry over. Its mature integrations are with Caddy and with Envoy via proxy-wasm; as of this writing, NGINX support is experimental.
4. Cloudflare WAF
Cloudflare WAF is a premium SaaS service. It provides OWASP Top 10 and DDoS protection by default. It is ideally suited to centralized security management, especially when maintaining security policies becomes challenging for large deployments spanning multi-cloud configurations.
The best part about Cloudflare WAF is its collective intelligence: its managed rules are updated automatically based on new threats detected across the millions of web properties Cloudflare fronts.
Embrace AI-Enabled WAF Defence
ModSecurity has existed for over twenty years and has done a commendable job securing millions of websites and web applications. However, it has not kept pace with the times.
The domain of cyber security is continuously evolving. New trends bring new attack surfaces, creating a moving goalpost and zero-day attacks that are difficult to counter without the right WAF. An ML-powered WAF such as open-appsec detects patterns in malicious behavior and learns from previous incidents to thwart exploitation of unknown vulnerabilities.
The open-appsec code published in GitHub has been audited by an independent 3rd party (LEXFO) that rated the security as “Excellent”. The project also has an Open Source Security Foundation (OpenSSF) Best Practices Badge, meaning it meets Security, Analysis, Quality, Reporting, and Change Control standards.
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app and API threat protection against OWASP Top 10 and zero-day attacks. It simplifies maintenance because there is no threat signature upkeep and no exception handling, as is common in many WAF solutions.