During the last year at Loadbalancer.org we have spent a lot of time and effort researching WAF (Web Application Firewall) solutions.
The integrated WAF in version 8 of the Loadbalancer.org appliance has been designed for fast, low latency PCI compliance for our customers. We also have several customers clustering commercial solutions (such as Imperva) behind our load balancer giving a much better WAF feature set + great performance and health monitoring.
During the development process for our own integrated WAF (Web Application Firewall) solution, a.k.a. ModSecurity, we have been doing a lot of load testing and stress testing. It is shockingly easy to accidentally create a Denial of Service attack on your own application by incorrectly configuring a WAF, i.e. having too many rules and auditing mode turned on, or by writing rules that block valid traffic by mistake.
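The two self-inflicted failure modes above (audit logging every transaction, and a rule that blocks legitimate requests) both come down to a handful of ModSecurity directives. The following is an added example, not Loadbalancer.org's appliance configuration: a ModSecurity 2.x fragment in the shape that tends to fall over under load, followed by a tuned equivalent. File paths and the rule ID in the exclusion are placeholders.

```apache
# --- Before: audit everything, block everything from day one ---
# Every transaction is written to one serial audit log, including full
# request and response bodies, and the rule set blocks immediately.
SecRuleEngine On
SecAuditEngine On
SecAuditLogParts ABCDEFGHIJKZ
SecAuditLogType Serial
SecAuditLog /var/log/modsecurity/audit.log
SecResponseBodyAccess On

# --- After: log only what matters, and tune before you block ---
# Run the full rule set in detection mode first; switch to On only after
# the audit log stops showing hits on valid traffic.
SecRuleEngine DetectionOnly
# Audit only transactions that hit a rule or returned an error status
# (5xx, and 4xx other than 404), with a minimal set of log parts.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
# One file per transaction avoids contention on a single log file under load.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit/
# Not buffering responses saves memory and latency on every request.
SecResponseBodyAccess Off
# Bound request body buffering so an oversized upload cannot exhaust memory
# (13 MB total, 128 KB for bodies that are not file uploads).
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# A rule that blocks valid traffic on one path is excluded for that path
# only, instead of disabling the engine. 990000 is a placeholder rule ID.
SecRule REQUEST_URI "@beginsWith /upload" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=990000"
```

The exclusion rule runs in phase 1 before the offending rule is evaluated, so the rest of the rule set still applies to that path. Keep `SecRuleEngine DetectionOnly` until the audit log has been reviewed under realistic traffic; the point of the "after" block is that the log volume is small enough to actually read.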
At Loadbalancer.org our support team are very happy to help our customers with custom rules and security policies.
However, our recommendation is that you use a company that is 100% focused on this area before you get yourself in deep trouble :-).
So who do Loadbalancer.org recommend for a local cluster WAF solution?
Well, strangely enough, at the lower end of the market we would recommend putting a couple of Barracuda WAFs behind our load balancer in a cluster. These are great for creating a low latency, high performance WAF cluster in front of your application. We would caution, however, that this is only if you know what you are doing!
The Barracuda web interface is basically just a skin on top of the basic ModSecurity functionality.
We would also recommend that you set up the Barracuda WAFs in one-arm mode.
Why can't I use a cloud based WAF solution?
Good question, and it's one we get asked a lot.
Yes you can use a cloud based WAF!
In fact for the vast majority of our customers it is actually our default recommendation.
For the vast majority of applications a combination of cloud CDN and WAF can easily give you a responsive low latency solution (realistically low enough for most customers anyway).
So who do Loadbalancer.org recommend for a cloud based WAF?
Sucuri. It's fast, it's cheap, and it's run by people who really give a damn. We like it so much that we moved the Loadbalancer.org web site behind the Sucuri WAF.
Admittedly one of the reasons was that we changed the main web site to be based on WordPress and were petrified that it would get hacked :-). Obviously we have secured it ourselves (using the usual tricks like an extra htaccess based password on the admin page). However, it is nice and easy in the Sucuri interface to add two factor authentication to the WordPress administration section (so we have done that as well, for double the security).
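The "extra htaccess based password on the admin page" trick looks like the following. This is an added example, not the configuration of the Loadbalancer.org site itself; the password file path is a placeholder, and the file is created with `htpasswd -c /etc/apache2/wp-admin.htpasswd <username>`. It is written for Apache 2.4 syntax.

```apache
# ---- In wp-admin/.htaccess: HTTP Basic Auth in front of the admin area ----
# The password file lives outside the web root so it can never be served.
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is called by themes and plugins on behalf of anonymous
# visitors (search, forms, lazy loading). Leaving it behind the password
# breaks those front-end features, so it is exempted explicitly.
<Files admin-ajax.php>
    Require all granted
</Files>

# ---- In the site root .htaccess: the login form is not under wp-admin ----
# wp-login.php sits in the document root, so it needs its own protection or
# the second password prompt is never shown on the login page itself.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted admin area"
    AuthUserFile /etc/apache2/wp-admin.htpasswd
    Require valid-user
</Files>
```

Because this layer is enforced by the web server before any PHP runs, a vulnerability in a plugin loaded on the admin pages cannot be reached by an unauthenticated request, which is what makes it worth keeping alongside the WAF and the two factor authentication mentioned above.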
BTW: CloudFlare deserves a second place mention for our recommended cloud based WAF.
Now for some very un-scientific test data:
Chrome network load data for loadbalancer.org/company through the Sucuri network WAF & CDN: approx. 1.8 seconds load time... It doesn't prove anything really, but adding the Sucuri WAF certainly doesn't add any latency to our web server... :-).