MyBB Community Forums

Full Version: Opinions on using a WAF like Incapsula for MyBB forum?
Hey guys,

Are any of you using any Web Application Firewall services like Cloudflare, Incapsula, Sucuri etc?

We have a couple of websites (including another forum, but not a MyBB forum) using WAFs and they are doing pretty good in terms of security. I do find however that the WAF tends to make a site slower if your hosting is actually good (the opposite if your hosting is bad/average).

I'm more interested in a WAF from a security point of view. Modsecurity for Apache 2.4 seems to be improved and more strict, but what do you think of adding a WAF like the paid version of Incapsula that protects against SQL injections, cross-script attacks, backdoor vulnerabilities etc? That plus modsecurity for Apache 2.4 could be epic to protect a MyBB forum (or not?).

I've seen a couple of big forums using these WAFs, but most were vBulletin. However I've noticed hackforums.net (MyBB) is using Cloudflare, so that should mean something. When we used a WAF on our forum (not MyBB), we noticed that search engine traffic dropped substantially, but it could have been a coincidence since page loading time actually improved.

So what do you all think of adding a WAF to a MyBB forum to improve its security?

Thanks.
Will help against auto scanners but can easily be bypassed.
(2015-01-30, 09:04 PM)Rakes Wrote: Will help against auto scanners but can easily be bypassed.

I've read that Cloudflare's WAF is mediocre but that the Incapsula one is pretty decent. The sites that I have with the paid Incapsula plan get an average of 10 to 20 MySQL attacks per day, which worries me as to the abuse a site with no WAF gets and to what extent a WAF can be of help.

What would you suggest in terms of added server scripts like modsecurity/software/WAF for added security? The source where I read about Incapsula being pretty decent also mentioned that modsecurity for Apache 2.4 was pretty good for most typical hacking attempts and even DOS attacks.

Any other scripts/software/WAF options? (in our case we have VPS, but any suggestions can be for any kind of hosting).
(2015-01-30, 09:21 PM)Finlan Wrote:
(2015-01-30, 09:04 PM)Rakes Wrote: Will help against auto scanners but can easily be bypassed.

"I've read that Cloudflare's WAF is mediocre but that the Incapsula one is pretty decent. The sites that I have with the paid Incapsula plan get an average of 10 to 20 MySQL attacks per day, which worries me as to the abuse a site with no WAF gets and to what extent a WAF can be of help."

If someone was testing our WAF around 3-4 years ago, yes. Our first WAF was not designed to replace WAFs with rulesets & was taking more of a heuristic approach to attacks and learning about the attacks. Since that time, however, we have modified our WAF to include OWASP rule sets & we have built a number of custom rule sets to deal with current attacks (things like WordPress attacks, etc.).

(2015-01-30, 10:11 PM)damoncloudflare Wrote:
(2015-01-30, 09:21 PM)Finlan Wrote:
(2015-01-30, 09:04 PM)Rakes Wrote: Will help against auto scanners but can easily be bypassed.

"I've read that Cloudflare's WAF is mediocre but that the Incapsula one is pretty decent. The sites that I have with the paid Incapsula plan get an average of 10 to 20 MySQL attacks per day, which worries me as to the abuse a site with no WAF gets and to what extent a WAF can be of help."

If someone was testing our WAF around 3-4 years ago, yes. Our first WAF was not designed to replace WAFs with rulesets & was taking more of a heuristic approach to attacks and learning about the attacks. Since that time, however, we have modified our WAF to include OWASP rule sets & we have built a number of custom rule sets to deal with current attacks (things like WordPress attacks, etc.).

The last testing I read was from February 2013, and clearly shows Cloudflare less capable of stopping common attacks.

http://www.slideshare.net/zeroscience/cl...odsecurity

I have no doubts Cloudflare is working hard to improve their WAF. I don't have any dogs in this fight, and I actually use Cloudflare for some small sites and I'm happy with it. However, tests like the above really make me question the product when it comes to protecting important sites of mine. I'm sure you/Cloudflare are aware of the literature in the above link.

ModSecurity actually fares really well compared to both Incapsula and Cloudflare.

Any more opinions WRT WAFs or other security scripts?