What web application firewall do you use? I'm primarily interested in something I can deploy on the perimeter that can protect multiple Apache and IIS servers, but I'd like to hear all answers. Tell me a little bit about how many servers it protects, what kind of load, performance, price. Basically anything you want to share.

Antonius Bloch

2 Answers


Having said that I have no experience using ModSecurity, I would like to share the following review:

ModSecurity is an open source web application firewall (WAF) engine for Apache that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.

It operates embedded into the web server, acting as a powerful umbrella – shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

The module filters, and optionally rejects, incoming requests based on a number of different criteria like CGI variables, HTTP headers, environment variables, and even individual script parameters. mod_security can also create an audit log, storing full request details in a separate file, including POST payloads (the audit feature can be turned on or off on a per-server or per-directory basis).


The advantage of mod_security is "security".

Advantages:

  1. No network-side configuration
  2. Easy management
  3. Free as in beer
  4. HTTP intrusion detection and prevention

Disadvantages:

  1. You have to become a security expert
  2. You have to become a protocol expert
  3. The configuration must be done manually
  4. Performance degradation
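As an added worked example (not from the answer above or the ModSecurity project; the file paths, rule IDs, thresholds and the example patterns are assumptions chosen for illustration), here is a minimal ModSecurity 2.x configuration for Apache that shows the two things the review describes: filtering requests on HTTP headers and on individual script parameters, and an audit log that stores full request details and can be switched off per directory:

```apache
# Added illustration of a ModSecurity 2.x setup for Apache.
# Assumed: mod_security2 is loaded; log paths and rule IDs are placeholders.

<IfModule security2_module>
    # Turn the engine on. Run with "DetectionOnly" first so the audit log
    # shows what would be blocked before switching to "On".
    SecRuleEngine On

    # Inspect request bodies (needed to see POST parameters), with size limits
    # so a large upload cannot exhaust memory on the web server.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecResponseBodyAccess Off

    # Rule on individual script parameters: reject any GET/POST argument whose
    # URL-decoded value contains a "<script" tag (case-insensitive).
    # The id must be unique across the whole rule set.
    SecRule ARGS "@rx (?i)<script" \
        "id:100001,phase:2,deny,status:403,log,t:urlDecodeUni,msg:'script tag in request argument'"

    # Rule on HTTP headers: the "&" prefix counts occurrences, so this rejects
    # requests that carry no User-Agent header at all.
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
        "id:100002,phase:1,deny,status:400,log,msg:'missing User-Agent header'"

    # Audit log: only for transactions that triggered a rule or returned a
    # 4xx/5xx status other than 404. Parts A,B,C,F,H,Z = audit header, request
    # headers, request body (POST payload), response headers, trailer, end.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABCFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Debug log kept at level 0 in production; raise it while tuning rules.
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 0
    SecDataDir /var/cache/modsecurity

    # Per-directory overrides: disable auditing for a noisy health-check path
    # and drop the parameter rule for a legacy application that needs it.
    <Location "/healthz">
        SecAuditEngine Off
    </Location>
    <Location "/legacy">
        SecRuleRemoveById 100001
    </Location>
</IfModule>
```

When deploying, start in `SecRuleEngine DetectionOnly`, watch the audit log for false positives, add `SecRuleRemoveById` exceptions where an application legitimately trips a rule, and only then switch to `On`. The request-body limits are what keeps the "performance degradation" disadvantage bounded: without them every large POST is buffered and scanned in full.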

The Barracuda Web Application Firewall provides a good browser-based management/configuration UI which can be set up by most admins who are comfortable setting up IIS or Apache, with just reading their documentation. I know it works with IIS and Apache servers as I've used it with both, and it should work with any server which follows the HTTP/HTTPS standards. We have it deployed as a VM, but you can also buy it as an appliance, or there are even cloud-based deployment models. For us, it defends 23 servers hitting only about 20% of its CPU capacity during our current peaks. It adds only single-digit ms to the latency.

The main advantages I see compared to Imperva's product are:

  1. Quicker to configure
  2. Less likely to need to hire the vendor's professional services, as most knowledgeable web server admins with just a little reading of the product documentation can configure it, while with Imperva, a greater percentage of people will need to hire their professional services to configure it.

Sorry, can't compare to mod_security as I've never used it.