NGINX WAF Review & Alternatives

Nginx is an insider’s brand. While it doesn’t have the fame of its main rival, the Apache HTTP Server, market analysts believe that Nginx could very quietly have become the most widely deployed web server in the world.

Nginx is a free, open-source system, but there is also a commercial company with the same name that owns the brand and manages the open-source project. The company name is all capitalized: NGINX, Inc. NGINX uses the popularity of its web server to make money with extra services, such as a premium version of the web server, support contracts, and related products. The NGINX WAF is one of those money spinners. It is called NGINX App Protect and it is worth investigating.

What is a web application firewall?

Before looking into NGINX App Protect, it is important to define exactly what a Web Application Firewall (WAF) is for.

A Web Application Firewall is a traffic filter for HTTP. It is an edge service: it sits in front of a web server and receives all inbound requests first. Anyone familiar with network layouts for web servers will notice that this is exactly where a load balancer or reverse proxy usually goes, and there are real similarities between the two roles.

A load balancer receives all incoming requests and distributes them across a pool of servers so that each handles a share of the demand. A WAF terminates each client connection, inspects the request, and either forwards it to the origin or rejects it (typically with a 403 response, or by dropping the connection).

A load balancer doesn’t simply hand each successive packet to a different backend. It has to keep a conversation together, so it tracks the client session and sends every request in that session to the same server. A WAF keeps state of a similar kind: it needs to see a complete HTTP request, not individual packets, before it can judge it, and it can track a source across requests so that a client that keeps sending malicious requests can be rate-limited or blocked outright. The difference is depth of inspection. A load balancer mostly needs headers; a WAF also decodes the URL, query string, cookies, and request body (form data, JSON, XML) before applying its rules, and a good one normalizes encodings first so that an attacker cannot hide a payload behind URL- or Unicode-encoding tricks.

A WAF is useful against application-layer attacks: injection (SQL, command, LDAP), cross-site scripting, path traversal, intentionally malformed or protocol-violating requests, and HTTP floods aimed at expensive endpoints. It is not, by itself, a defense against volumetric DDoS, which has to be absorbed at the network edge or by a scrubbing service; most WAF vendors bundle the two.

Because the two functions sit at the same point in the path, WAF and load balancing are often combined in one product. A WAF is typically delivered as a cloud service or a network appliance, or, as with NGINX App Protect, as a module running inside the web server or reverse proxy itself.
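To make the mechanics concrete, here is an added example (written for this review; it is not from the article’s source material and it is not NGINX App Protect) of the edge-filter pattern in plain open-source nginx. The server terminates client connections, refuses requests from a listed source network, rejects unexpected methods, applies one crude signature to the query string, rate-limits each client, and forwards whatever remains to an origin pool. The origin addresses, the deny-listed range, and the server name are constructed values. It shows where a WAF sits and what “forward or reject” looks like; it is not a substitute for a real WAF, which decodes and inspects request bodies and evasions that this configuration never looks at.

```nginx
# Added illustration of the edge-filter pattern in open-source nginx.
# Not NGINX App Protect and not a real WAF: no body inspection, no decoding.

events { }

http {
    # Constructed deny-list keyed on the client address (addresses are assumed;
    # 203.0.113.0/24 is a documentation range)
    geo $denied {
        default        0;
        203.0.113.0/24 1;
    }

    # Per-source rate limit: 10 requests per second, keyed on client address
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    # Origin pool; only requests that pass the checks below reach it
    # (assumed backend addresses)
    upstream app_pool {
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    server {
        listen      80;
        server_name www.example.com;

        # Source-based block: everything from a listed network is refused
        # before any routing decision is made
        if ($denied) {
            return 403;
        }

        # Protocol enforcement: reject methods the application never uses
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 405;
        }

        # One crude signature on the query string, to show where content
        # inspection happens; a real WAF normalizes encodings before matching
        if ($query_string ~* "union[[:space:]]+select") {
            return 403;
        }

        location / {
            # Clients exceeding the rate get 429 instead of reaching the origin
            limit_req        zone=per_ip burst=20 nodelay;
            limit_req_status 429;

            proxy_pass         http://app_pool;
            proxy_set_header   Host            $host;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Validate with nginx -t before loading it. The three if blocks live in the server context rather than inside location, where nginx’s if has well-known pitfalls; return is the one action that is safe in either place.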

About Nginx

Nginx began life in 2004. Russian software engineer Igor Sysoev started writing his own web server in 2002 and released it two years later. He built a developer community around the software as an open-source project, distributing the system for free. Nginx isn’t the only free, open-source web server: Apache HTTP Server is also free to use and is likewise developed as an open-source project.

The estimates of web server market share vary widely. The Netcraft market survey for August 2020 put Nginx’s market share of all sites at 36 percent with Apache at 26 percent and Google in third place with a share of 10 percent. W3Techs puts Apache at 36.5 percent, Nginx at 32.5 percent, and Cloudflare Server in third place with 15.7 percent. Datanyze gives Apache HTTP Server a market share of 49.83 percent, Nginx 26.25 percent, and Microsoft IIS has 12.31 percent of the market.

The difference in all of the market share surveys for web servers is whether the surveyor is counting the number of devices the application is installed on, the number of domains each application serves, the number of active domains each server application operates on, or the percentage of the top million busiest sites that use each product. On balance, it is true to say that Nginx is one of the two most widely used web server applications in the world alongside the Apache HTTP server.

The growing popularity of Nginx rests on its processing efficiency. Its event-driven architecture handles many concurrent connections with a small, fixed pool of worker processes, and benchmarks of static content are often cited as showing Nginx handling around four times as many requests per second as Apache, although the gap depends heavily on workload and configuration. The traditional trade-off was extensibility: Apache loads modules dynamically with LoadModule, whereas older Nginx releases required every module to be compiled into the binary. Since Nginx 1.9.11 the equivalent load_module directive exists for Nginx too, although many third-party modules still have to be built against the exact Nginx version in use. Apache’s Windows port also remains better maintained than Nginx’s.

The code for Nginx installs on *nix (BSD Unix, HP-UX, Solaris, AIX, Linux, and macOS) and also Windows.

While Nginx is free, there is a paid version called NGINX Plus. This includes more features, such as cookie-based session persistence, DNS-based service discovery, active health checks of upstream servers, and live activity monitoring.

About NGINX, Inc.

NGINX, Inc was created by Sysoev in 2011 to create an income stream from his Nginx invention. This company markets the paid Nginx Plus and is also the creator of the NGINX App Protect WAF. F5 Networks bought NGINX, Inc in 2019.

F5 Networks is a US company based in Seattle, Washington. It specializes in network services such as load balancing and application delivery networking, so there is a lot of synergy between F5 Networks and NGINX, Inc. However, F5 Networks values the NGINX brand and didn’t absorb its acquisition entirely. Instead, it markets NGINX products built on F5 technology. The NGINX App Protect WAF is an example of this strategy.

NGINX App Protect Overview

NGINX App Protect is very new. It was launched in May 2020, a little more than a year after the F5 Networks takeover of NGINX, Inc.

F5 Networks markets its application delivery and security services under the BIG-IP name, available as software or pre-loaded on hardware appliances called the BIG-IP iSeries. Within this family is a WAF, historically called Application Security Manager (ASM) and since rebranded as F5 Advanced WAF. NGINX App Protect is built on the same enforcement engine and attack signatures as Advanced WAF, ported into a module for NGINX Plus.

NGINX App Protect

So, F5 has two products based on the same software. The press release for NGINX App Protect stated “NGINX App Protect’s security controls are ported directly from F5’s advanced WAF technology …”

App Protect also inspects responses, not just requests, so it can catch sensitive data leaving the application. This uses F5’s Data Guard feature, which looks for patterns such as credit card and US Social Security numbers in response bodies and masks them before they reach the client.

The major functions of NGINX App Protect are:

  • Protection against the OWASP Top 10 web application security risks
  • Defense against common evasion techniques
  • IP address blacklisting
  • Protocol compliance enforcement
  • API protection
  • Cookie protection
  • Data loss prevention (F5 DataGuard)

Because it is a software module rather than an appliance, the NGINX WAF can protect development and test environments as well as live websites. This matters for companies that follow an Agile development model: your testing environment should be as close as possible to the real-world conditions the code will face once released. Having the same WAF and policy in place during those phases shows how new features will behave behind it, and surfaces false positives before customers do.

Live systems need to be constantly available to genuine visitors, and some webmasters worry that WAF rules can be too tight and block potential customers. For example, the frequent CAPTCHA challenges that Cloudflare’s protection imposes on innocent visitors can put off members of the public and cost an eCommerce site business.

Many cyberdefense systems now use machine learning to establish a baseline of normal activity, and an adaptive baseline has gone a long way toward cutting false positives and blocks on genuine users. NGINX App Protect does not take that approach: it is signature- and policy-driven. Behavior modeling is also harder for a public website than for a corporate network. A company network has regular users whose habits can be learned; a website’s visitors may connect once and never again, and an atypical visitor could turn out to be a big buyer.

To reduce the risk of misidentifying genuine connections as malicious, NGINX ships signatures and policies that F5 has tuned against real traffic. The default policy is deliberately conservative, and each policy has an enforcement mode: transparent, which only logs violations, or blocking, which rejects them. Running in transparent mode first and reviewing the security log is the practical way to tune out false positives for a particular site. Although this is not cutting-edge technology, it is as close to baseline refinement as any WAF can deliver, given how unpredictable legitimate web activity is.

NGINX App Protect usage

NGINX App Protect has no dashboard of its own. It is delivered as a dynamic module for NGINX Plus, installed from NGINX’s package repository alongside the server and loaded from nginx.conf. Enforcement is switched on and policies are attached with a handful of directives in that same file, and the policy itself is a JSON document. Nearly everything is therefore done at the command line and in text editors, with no GUI screens, which makes App Protect hard to manage for small business owners who run their own web services. It is aimed at network specialists and web professionals who are comfortable working at the operating system prompt.

NGINX WAF configuration options

NGINX App Protect is an implementation of the F5 Advanced WAF engine. It runs inside NGINX Plus as a module, so it cannot be installed into web servers from other vendors; it cannot, for example, be added to a host that serves with Apache HTTP Server. You can, of course, put an NGINX Plus and App Protect instance in front of an Apache backend as a reverse proxy, which is the usual deployment pattern anyway.

The NGINX WAF is self-hosted; NGINX doesn’t offer a SaaS version of the tool. The server that runs the combined NGINX Plus and App Protect bundle needs to run a supported Linux distribution: CentOS, Debian, and RHEL at launch, with the supported list growing in later releases.
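The following nginx.conf is an added example, written for this review rather than taken from F5 or NGINX documentation, showing how App Protect is switched on once the app-protect package is installed next to NGINX Plus. The module path, the default policy file, and the log-profile file are the ones the package installs by default; the backend address, the server name, and the syslog collector address are assumptions.

```nginx
# Added example: enabling NGINX App Protect on an NGINX Plus instance.
# Assumes the app-protect package is installed and the shipped default
# policy and log profile are present at the paths shown.

user nginx;
worker_processes auto;

# App Protect ships as a dynamic module; it is loaded, not compiled in
load_module modules/ngx_http_app_protect_module.so;

events { worker_connections 1024; }

http {
    # Enforcement is opt-in per context; enabling it here covers every
    # server and location below unless a narrower context overrides it
    app_protect_enable on;

    # Declarative JSON policy; this file is installed with the package
    app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json";

    # Security events go to a collector over syslog (assumed address)
    app_protect_security_log_enable on;
    app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.0.0.5:514;

    upstream app_pool {
        server 10.0.0.11:8080;   # assumed backend
    }

    server {
        listen      80;
        server_name www.example.com;

        location / {
            proxy_pass         http://app_pool;
            proxy_set_header   Host            $host;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Per-location override: a health endpoint that should not be inspected
        location /healthz {
            app_protect_enable off;
            return 200 "ok\n";
        }
    }
}
```

Check the file with nginx -t and apply it with nginx -s reload. A sensible first deployment copies NginxDefaultPolicy.json, sets "enforcementMode": "transparent" in the copy so that violations are logged but not blocked, points app_protect_policy_file at the copy, and only switches the mode to "blocking" after reviewing the security log for false positives.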

Users who want to place their WAF outside their own network can host the NGINX WAF on a cloud server, including AWS, Google Cloud Platform, and Microsoft Azure instances. The remotely hosted NGINX App Protect deployment still needs an instance of NGINX Plus installed along with it.

Although NGINX doesn’t offer App Protect as a cloud service, F5 does. Those who want a SaaS version of this web application firewall should look for the F5 Essential App Protect service. This system can front for any web server, so you don’t have to be running your websites on Nginx Plus.

NGINX offers a 30-day free trial of the NGINX Plus and NGINX App Protect bundle.

Alternatives to NGINX App Protect

The majority of rivals to NGINX App Protect are delivered as cloud services or as part of a network appliance. Businesses that already run their websites on Nginx or NGINX Plus shouldn’t have much difficulty upgrading to the NGINX Plus and NGINX App Protect combination.

If you use a different web application server and don’t want to switch over to a different system or if you prefer your WAF to be a separate service to the web server, then there are plenty of other options.

You can read more about WAFs and the options available to website owners in the Buyer’s Guide to the Best WAFs. If you don’t want to read through another article to get recommendations for a WAF, you can rely on the list below.

Here is our list of the ten best alternatives to NGINX App Protect:

  1. F5 Essential App Protect – As explained above, this service is the SaaS version of the NGINX WAF, so there is no closer alternative to NGINX App Protect on the market.
  2. BIG-IP iSeries Platform – Get the F5 Advanced Web Application firewall pre-loaded onto a network appliance. Appliances of different capacities are available and this gives you exactly the same software as Nginx App Protect.
  3. AppTrana Managed Web Application Firewall – Managed WAF service from Indusface. This package includes an application scanner, a CDN, and managed custom security rules with a zero WAF false-positive assurance backed by an SLA and 24×7 support.
  4. Sucuri Website Firewall – A SaaS bundle that monitors, protects, and accelerates websites; higher plans add load balancing and a cloud SIEM.
  5. MS Azure Web Application Firewall – A cloud-based, metered WAF service that can protect websites hosted anywhere in the world.
  6. Imperva SecureSphere – A firewall hardware appliance that caters to small businesses and is easily upgraded as traffic volumes grow.
  7. Barracuda Web Application Firewall – This hardware solution provides DDoS protection, caching, and delivery optimization as well as request filtering and continuous security rule updates.
  8. Citrix NetScaler Application Firewall – Available as an appliance or as a cloud service, this WAF also includes a load balancer.
  9. Fortinet FortiWeb – An appliance that acts as a web application firewall, an SSL off-loader, and a load balancer.