Cloudflare has recently introduced a new Web Application Firewall. The latest engine is written in Rust, provides better performance and integrates with other Cloudflare products.
The new implementation was designed to offer easier rule browsing, one-click deployment and configuration, updated rulesets based on the latest version of the OWASP Core Ruleset, and the ability to deploy the same configuration across the entire account. Cloudflare is now moving away from the previous engine, written in LuaJIT by John Graham-Cumming and implemented as an NGINX module. They are also replacing the old rule syntax, which was a superset of the ModSecurity syntax.
Michael Tremante, product manager at Cloudflare, explains why the new product required replacing the code base of the existing WAF, one of Cloudflare's most-used products:
The Cloudflare Web Application Firewall (WAF) blocks more than 57 billion cyber threats per day. That is 650k blocked HTTP requests per second. The original code that filters this traffic was written by Cloudflare’s now CTO (...) Because we value replacing code when it is no longer as maintainable, performant, or scalable as it once was, we regularly rewrite key parts of the Cloudflare stack (...) For some time, we have been working on replacing that original LuaJIT code John wrote with new code, written in Rust.
Rust is a language that Cloudflare already uses for other projects, and the new engine adopts the wirefilter syntax as the basis for managed rulesets, matching the Firewall Rules syntax and using the same underlying Rust library to execute the filters. Tomas Pytel, Python developer at IBM, summarizes the benefits of the new WAF in a tweet:
- Better rule browsing and configuration
- A new matching engine - written in #Rust
- Updated #WAF Rulesets
- Global configuration
According to Cloudflare, the rollout of the new version will be incremental starting with 10% of newly created accounts on a Pro plan zone or above, increasing to 100% of new accounts over the month of April, followed by the migration efforts for existing customers.
Source: https://blog.cloudflare.com/account-takeover-protection/
In a separate announcement, Cloudflare released further account takeover protections, including Super Bot Fight Mode, an Open Proxy managed list and Exposed Credential Checks, a new WAF feature that performs on-path exposed credential checks. When enabled, the WAF automatically checks the credentials in any authentication request against a database of leaked credentials maintained by Cloudflare. If a match is found, the WAF adds a header to the request forwarded to the origin, so that the application is warned and can trigger a different authentication flow.
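As an added illustration of the origin side of that flow (example code, not Cloudflare's own), the handler below routes a login request to a step-up flow when the edge has flagged the credentials as leaked. The header name `X-Exposed-Credential-Check` and the trusted-proxy range are placeholder assumptions; the real header name and Cloudflare's edge IP ranges must be taken from Cloudflare's documentation. The key defensive point is that the origin only honours the header when the request actually arrived via the trusted edge, since otherwise a client could spoof the signal.

```python
"""Origin-side handling of a WAF exposed-credential signal (example code)."""
from dataclasses import dataclass, field
import ipaddress

# Assumed header name; substitute the one documented by the WAF vendor.
EXPOSED_CRED_HEADER = "x-exposed-credential-check"
# Constructed trusted-proxy range (TEST-NET-3); use the real edge IP ranges in production.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
LOGIN_PATH = "/login"


@dataclass
class Request:
    remote_addr: str          # peer address the origin actually accepted the TCP connection from
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def from_trusted_proxy(remote_addr: str) -> bool:
    """True only if the connection came from an address inside a trusted edge range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def sanitize_headers(req: Request) -> Request:
    """Lower-case header names and drop the signal header unless the trusted edge set it.
    This prevents a direct-to-origin client from spoofing the 'leaked credentials' signal."""
    headers = {k.lower(): v for k, v in req.headers.items()}
    if not from_trusted_proxy(req.remote_addr):
        headers.pop(EXPOSED_CRED_HEADER, None)
    req.headers = headers
    return req


def choose_login_flow(req: Request) -> str:
    """Return 'step_up' when the edge flagged the credentials on an authentication
    request, otherwise 'normal'. Non-login requests are never step-up candidates."""
    sanitize_headers(req)
    is_auth_request = req.method.upper() == "POST" and req.path == LOGIN_PATH
    if is_auth_request and EXPOSED_CRED_HEADER in req.headers:
        # Application-specific step-up: e.g. require MFA and force a password rotation.
        return "step_up"
    return "normal"


if __name__ == "__main__":
    flagged = Request("203.0.113.10", "POST", LOGIN_PATH, {"X-Exposed-Credential-Check": "1"})
    print(choose_login_flow(flagged))  # step_up
```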