NGINX is a well-known open-source and free web server developed by Igor Sysoev in 2004. The name comes from the Russian word негоница (negoninitsa), meaning "small lake". According to Web Technology Survey it is the most commonly used web server today with over 32.4% share of all web servers surveyed.
NGINX is widely used because it provides high performance, feature richness and reliability at low cost. In addition, it has a large community of developers who contribute to its development and added modern deployment option as Kubernetes Ingress Controller.
Until 2022, NGINX supported the well-known ModSecurity open-source WAF solution and OWASP Core RuleSet Signatures. However, following Trustwave’s End-of-Life notice about ModSecurity, and possibly related also to the acquisition of NGINX by F5, NGINX announced in May 2022 that it will end of life ModSecurity, leaving NGINX open-source with no open-source security solution. For customers of the premium NGINX Plus and NGINX Plus Ingress, there is a new paid-for closed-source add-on called "App Protect" which is based on F5’s WAF.
In this article, we will briefly compare the NGINX App Protect signature-based WAF solution and a new open-source initiative called “open-appsec,” which builds on machine learning. open-appsec provides preemptive web app and API threat protection against OWASP-Top-10 and zero-day attacks, and it can be deployed as an add-on to both NGINX and NGINX Ingress open-source and premium (Plus) versions.
NGINX App Protect
NGINX App Protect WAF is based on the traditional F5 signature-based WAF solution, with good coverage for OWASP-Top-10 and other common attacks. The App Protect WAF comes with two policies - Default and Strict. The Default policy provides OWASP-Top-10 protection. The Strict policy is recommended by NGINX for “protecting sensitive applications that require more security but with higher risk of false positives.". It includes over 6000 signatures.
Signature-based solutions are well-proven, but they are reactive by nature, meaning that often signatures aren't available until after vulnerabilities have been known for some time and exploits are put into circulation. In many high profile High and Critical risk zero-day attacks that happened in the last year, admins of NGINX App Protect needed to perform a manual set of operations to enable new signature(s) each time after attacks had already been active for a while:
Log4Shell (CVE-2021-44228)
Spring4Shell (CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963)
Text4Shell (CVE-2022-42889)
App Protect provides comprehensive declarative configuration via configuration files, as well a Custom Resource Definitions (CRD) in Kubernetes environments, thus allowing automation and CI/CD integration.
NGINX App Protect is closed source and available for x86 architectures only.
U.S. List Prices starts at $362 per month for NGINX Plus for Single Instance and Standard Support, plus $620 per month for the App Protect Add-On for Single Instance.
open-appsec
open-appsec is a new open-source initiative that builds on machine learning to provide enterprise web application and API security with the visibility, protection and manageability that is required by modern workloads that updates frequently and are often based on many 3rd party components not in full control of the developers. For DevOps/DevSecOps and AppSec teams, open-appsec:
protects web applications and APIs preemptively against OWASP-Top-10 and zero-day attacks using machine learning with no threat signature upkeep required
blocks attacks such as Log4Shell, Spring4Shell and Text4Shell with default settings and no updates required, due to its preemptive nature
delivers precise threat prevention through continuous learning, finding attacks while eliminating the manual tuning and exception creation inherent to traditional WAFs
open-appsec can be deployed as add-on to Kubernetes Ingress, NGINX, Envoy and API Gateways and provides CI/CD-friendly deployment and automation - from installation to upgrades to configuration - using declarative configuration or APIs
open-appsec uses contextual analysis to learn how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and sends those requests for further analysis to decide whether the request is malicious or not. This preemptive model simplifies maintenance, removes the risk of a vulnerability window, and eliminates the need for rushed patching activities.
The engine is powered by two different machine learning (ML) models:
A supervised model that was trained offline and fed with millions of requests, both malicious and benign
An unsupervised online model that is being built in real time in the protected environment. The online model is updated constantly based on inbound network traffic
In the case of recent zero days like Log4Shell, open-appsec had several indicators in the supervised ML model from Command Injection / Remote Code Execution / Probing families that signaled payloads to be malicious with a very high score, which resulted in the solution automatically blocking the attack. See the original posting from December 14th, 2021 with a detailed technical explanation. A similar finding and blocking happened with the Spring4Shell and Text4Shell Zero Days a few months later.
For users that nevertheless want to add their own signatures (e.g. provided by Incident Response teams or local CERTs), open-appsec includes a full Snort 3.0 Engine.
open-appsec provides cloud native CI/CD-friendly deployment and automation - from installation to upgrades, to configuration - using declarative infra-as-code, CRDs or APIs, as well as Web-Based Central management and Terraform support.
open-appsec code is published in GitHub under Apache License 2.0. The code was audited by an independent 3rd party (LEXFO) that rated the security as “Excellent”. The open-appsec project also has an Open Source Security Foundation (OpenSSF) Best Practices Badge indicating that it meets standards of Security, Analysis, Quality, Reporting and Change Control. It compiles on x86 and ARM architectures. Envoy support will be available in Dec'22.
open-appsec is provided for free with no limits on number of instances or traffic. Premium support and features such as Anti-Bot, log storage in the cloud and others are available.
You can experiment hands-on with open-appsec for NGINX in live Linux playground here. Video tutorials are available here.