Sucuri WAF Review & Alternatives

Sucuri has a strong presence in the cybersecurity market, but it isn’t as well known as bigger brands, such as Imperva or NGINX. The edge services offered by Sucuri are of very high quality and are worth investigating.

Sucuri offers a cloud-based service that works as a proxy, channeling all traffic in and out of your web server. The fact that this service is outside of your network means that malicious traffic is dealt with before it has any chance of touching any of your resources.

The location of a web application server is just one option available to website owners. Let’s take a look at web application servers and how they work before examining the services of Sucuri in detail.

What is a web application firewall?

A typical firewall for a network sits on the boundary of the system and receives all incoming traffic, checking for malware. There are now a lot more threats to networks from inbound traffic arriving from the internet. Malware isn’t the only problem that a network owner needs to worry about. Web servers are vulnerable to even more threats because a hacker can block access to a website or drain all of the resources of a server without even installing any malicious software.

The proxy server strategy offered by Sucuri has become a very popular solution to the dangers presented to websites. Cloud services are becoming common in all aspects of business software, including productivity and collaboration suites and network monitoring systems. It makes sense to push the protection of web application servers out beyond the boundary of the network.

Web application firewalls (WAF) can be combined with other services, such as a reverse firewall to enforce data loss protection. Web application services that can be included with the firewall include a website accelerator and content delivery networks, which cache content whether on the cloud WAF server or on many servers around the world. Caches also cover for web server downtime, ensuring constant availability. Another service that proxy firewalls can perform is DDoS protection, absorbing large volumes of attack traffic and keeping the website available.

Proxy firewalls are capable of protecting many different aspects of a web site. However, data entered into fields in the site can be difficult to scan due to end-to-end encryption between the customer’s browser and the web application server. There are many hacker attacks, such as SQL injection that can be performed by entering confusing text strings in input fields.

In order for a proxy server to filter those damaging hacking attempts out before they reach the web server, the proxy server needs to be in control of the encryption system. This enables it to decrypt all content and scan it before passing that unencrypted data on to the webserver. This connection is usually a VPN, which is secured, keeping the decrypted responses secure.

Some website owners are uncomfortable with the idea of sending all of the responsibility for its connection security off to a services supplier. For those businesses, there are web application firewalls that operate on a network appliance. This solution keeps the load security checks off the webserver but it is a more expensive solution than a cloud-based system. A third option is to host the WAF software on a server – preferably a separate server to the one hosting the websites. This is also an expensive solution.

A big advantage of proxy services like the Sucuri website firewall is that it is charged for by subscription and it includes all of the necessary hardware needed to support the WAF. This means that there are no upfront equipment costs and the customer of a Sucuri WAF doesn’t need to have an IT support team.

About Sucuri

Sucuri is a private company that is owned by GoDaddy, the largest web hosting service in the world. The company was created by Daniel B Cid, who created the OSSEC open source project. OSSEC is one of the world’s leading host-based intrusion detection systems in the world, and it is free. Host-based systems check log files for signs of suspicious activity. However, web application firewalls work on live data and use different strategies to host-based IDSs, so, Cid has managed to produce two exceptional security systems in different fields of operation.

Sucuri started out with a vulnerability scanner and then moved into a wider list of services, all bundled around a web application firewall. Sucuri began operations in 2010 and was bought by GoDaddy in 2017. The business know-how of GoDaddy has helped Sucuri grow to commercial success. As the world’s largest web hosting provider, GoDaddy also has a large pool of clients to present to Sucuri with a very low marketing overhead.

Sucuri Website Firewall options

The Sucuri website firewall is a subscription service that includes other web protection systems as well as a basic firewall. There is also a higher plan available, which is called the Sucuri Platform. This is also marketed as the Professional plan of the firewall system. The Professional service costs about $100 per year more than the basic firewall package. There is also a Business plan that has all of the same utilities as the Basic plan.

All plans can be paid for either monthly or yearly. The service is cheaper on the annual plan, but the entire service period has to be paid for in advance.

The Basic package costs $19.99 per month or $199.99 per year. It protects one website and includes:

  • System scans
  • Web application firewall
  • Content Delivery Network (CDN)
  • Malware removal
  • Load balancing

The Professional and Business plans cost $299.99 and $399.99 respectively. These plans include all of the utilities in the Basic plan but also have SSL certificate management. The prices for these plans also cover just one website. The Business plan has more frequent security scans and has a faster response to attacks than the Professional plan.

With all of the plans, there is no limit to the number of web pages that the system will protect just as long as they are all on the same domain.

Sucuri Website Firewall details

The web application firewall element of the Sucuri platform includes the following elements:

  • Malware and hack protection The firewall includes an anti-malware scanning service. The frequency of malware scans increases with higher plans. With the Basic plan, scans occur every 12 hours. The scan frequency is every six hours with the Professional plan and every 30 minutes with the Business plan.
  • On-page attack protection The WAF protects against SQL injection and cross-site scripting attempts on the input fields in protected web pages. Potentially damaging input from site users is filtered out before it reaches the webserver.
  • Brute Force Attack Protection This feature prevents automated sequencing attempts to crack passwords on sites and servers.
  • Zero-Day Exploit Prevention The WAF performs behavior analysis, so it doesn’t have to rely on attack signatures, which can only alert to previously-attempted attack strategies.
  • Machine Learning The machine learning feature of the Sucuri WAF correlates data from all of the sites that it protects. This enables it to set alert levels according to the regular patterns of typical web surfers, which changes over time.
  • Visitor authentication Site owners can choose to add extra protection to certain pages on their site. Authentication features available through Sucuri are passwords, CAPTCHA, 2FA (from Google Authenticator), and IP whitelisting.
  • IP whitelisting Whitelisting can be applied to whole sections of a website as well as to individual pages. For example, a member’s area or admin system can be protected by whitelisting so hackers don’t even get a chance to try to test passwords.
  • Application profiling Attempts by hackers to bypass the web pages on a site and get directly to the applications and underlying services that support the website get blocked by the WAF.
  • Signature detection Signature-based detection is an older form of security protection. Sucuri uses this to look out for well-known attack strategies.
  • Bot blocking Bots create a repetitive attack that can overwhelm a server. The Sucuri WAF spots this activity and blocks it.
  • Geo-blocking Website owners have the option of blocking all traffic from the top three hacker countries or selecting which countries to block.
  • Virtual Patching and Hardening The proxy takes over the delivery of a site that needs to be bounced in order to apply a patch. The Sucuri service also applies any patches needed for the software and services that your website uses.
  • DDoS Attack Mitigation DDoS attacks are a particularly harmful form of bot activity because they will make it appear that your site has been shut down. Sucuri blocks a range of DDoS strategies that attack at Layers 3, 4, and 7.

Sucuri Website Firewall dashboard

The Sucuri system is easy to use – it was designed for a wider clientele, not just network specialists. Website managers access the service through any standard browser.

On first taking up the service, the manager has a number of tasks to perform in order to get the full security service working. There are elements on the host that will contribute to the complete security package. For example, Sucuri includes server-side scans, which are performed by a host-based intrusion detection system that searches through system logs for signs of malicious activity.

The screen to set up the scanning service is typical of the straightforward layout of the whole dashboard.

sucuri Website Monitoring

Once the service has been set up and is fully operational, the manager’s main point of access to security performance information is through the main monitoring screen in the dashboard.

sucuri dashboard

The system is well laid out with plenty of spacing between features.

Sucuri Website Firewall alternatives

The Sucuri edge services packages are impressive and the inclusion of other features as well as the web application firewall means that you could fulfill all of your web server protection and site optimization needs with one subscription. However, it pays to shop around and look at a couple of other WAFs before you decide to go with Sucuri. There are more details about web application firewalls in the article, Buyer’s Guide to the best Web Application Firewalls. However, we have listed our recommendations for the top ten WAFs below.

Here is our list of the ten best alternatives to Sucuri:

  1. AppTrana Managed Web Application Firewall   An edge service package that includes technicians to manage the system. Experts analyze the traffic data gathered by the system and recalibrate the settings accordingly. It includes an application scanner and a CDN as well as the WAF.
  2. StackPath Web Application Firewall An edge service package that is delivered from the cloud and provides a DNS server, a content delivery network, and a performance monitor as well as a web application firewall.
  3. Fortinet FortiWeb A group of edge services loaded onto a network appliance. Facilities include a web application firewall, a load balancer, and an SSL off-loader.
  4. BIG-IP iSeries Platform – A network appliance with the F5 Advanced Web Application Firewall pre-loaded on it.
  5. F5 Essential App Protect – A cloud-based web application firewall that is an online version of the appliance-based F5 Web Application Firewall.
  6. MS Azure Web Application Firewall A web application firewall service available from the Microsoft cloud platform. It serves websites hosted anywhere not just those hosted on the same platform.
  7. Imperva Cloud WAF A cloud-based web application firewall with a managed security option. This system is PCI DSS compliant.
  8. Barracuda Web Application Firewall A group of web protection and enhancement services that include DDoS protection, caching, and site optimization as well as a WAF. It is delivered as a network appliance.
  9. Citrix Netscaler Application Firewall A choice of cloud delivery or an appliance is offered for this web application firewall that includes a load balancer.
  10. Radware AppWall A web application firewall delivered as a network appliance with signature-based detection strategies.