BT

InfoQ Homepage News Cloudflare Announces New Web Application Firewall

Cloudflare Announces New Web Application Firewall

Bookmarks

Cloudflare has recently introduced a new Web Application Firewall. The latest engine is written in Rust, provides better performances and integrates with other Cloudflare products.

The new implementation was designed to offer easier rule browsing, one click deploy and configuration, updated rulesets based on the latest version of the OWASP Core Ruleset, and the ability to deploy the same configuration across the entire account. Cloudflare is now moving away from the previous engine written in LuaJIT by John Graham-Cumming and implemented as an NGINX module. Furthermore, they are changing the old rule syntax that was a superset of the ModSecurity syntax.

Michael Tremante, product manager at Cloudflare, explains why the new product required replacing the code base of the existing WAF, one of the most used products at Cloudflare:

The Cloudflare Web Application Firewall (WAF) blocks more than 57 billion cyber threats per day. That is 650k blocked HTTP requests per second. The original code that filters this traffic was written by Cloudflare’s now CTO (...) Because we value replacing code when it is no longer as maintainable, performant, or scalable as it once was, we regularly rewrite key parts of the Cloudflare stack (...) For some time, we have been working on replacing that original LuaJIT code John wrote with new code, written in Rust.

Rust is a language that Cloudflare is already using for other projects, and the new engine introduces the wirefilter syntax as the basis for managed rulesets matching the Firewall Rules, using the same underlying Rust library to execute the filters. Tomas Pytel, Python developer at IBM, recaps in a tweet the benefits of the new WAF:

- Better rule browsing and configuration
- A new matching engine - written in #Rust
- Updated #WAF Rulesets
- Global configuration

According to Cloudflare, the rollout of the new version will be incremental starting with 10% of newly created accounts on a Pro plan zone or above, increasing to 100% of new accounts over the month of April, followed by the migration efforts for existing customers.

 

Source: https://blog.cloudflare.com/account-takeover-protection/

On a separate announcement, Cloudflare released further functionalities for account takeover protections including Super Bot Fight Mode, Open Proxy managed list and Exposed Credential Checks, a new feature of the WAF that provides on-path exposed credential checks. When enabled, the WAF automatically checks the credentials on any authentication request against a database of leaked credentials maintained by Cloudflare. If a match is found, the WAF will add a header to the origin, so that the application can be warned and trigger a different authentication flow.

We need your feedback

How might we improve InfoQ for you

Thank you for being an InfoQ reader.

Each year, we seek feedback from our readers to help us improve InfoQ. Would you mind spending 2 minutes to share your feedback in our short survey? Your feedback will directly help us continually evolve how we support you.

Take the Survey

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.