Difference between Perishable Press/GridPane 7G/6G Firewall and Cloudflare WAF

Draft Warning

You’ve reached a draft 🤷‍♂️ and unfortunately, it’s a work in progress.

Introduction

This question was posted on the GridPane Community. My response was so long, and one I’ve written many times before, that I decided it deserved a blog post. I hope to update it quite a few times so it’s perfect 😊

Can anyone give me a rundown of Gridpane WAF (6 or 7) vs the one offered by Cloudflare for an additional $20 a month? Is Cloudflare worth it?

Different types of WAFs

Cloudflare, as a WAF vendor, has done a great job of explaining the different types of WAF:

A network-based WAF is generally hardware-based. Since they are installed locally they minimize latency, but network-based WAFs are the most expensive option and also require the storage and maintenance of physical equipment.

A host-based WAF may be fully integrated into an application’s software. This solution is less expensive than a network-based WAF and offers more customizability. The downside of a host-based WAF is the consumption of local server resources, implementation complexity, and maintenance costs. These components typically require engineering time, and may be costly.

Cloud-based WAFs offer an affordable option that is very easy to implement; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over the responsibility to a third party, therefore some features of the WAF may be a black box to them. (A cloud-based WAF is one type of cloud firewall; learn more about cloud firewalls.)

Perishable Press/GridPane 7G/6G Firewall

The Perishable Press 7G/6G firewall by Jeff Starr, which GridPane uses, is a set of static firewall rules for Apache, OpenLiteSpeed/LiteSpeed and Nginx. It’s considered a host-based WAF, but it is not prone to the performance overhead usually associated with host-based WAFs, because it is implemented in Nginx’s own configuration rules, which are performant to start with. You can read more about it here:

https://perishablepress.com/7g-firewall/

The 7G Firewall offers lightweight, server-level protection against a wide range of malicious requests, bad bots, automated attacks, spam, and many other types of threats and nonsense.

The Perishable Press 7G/6G firewall provides protection against known malicious requests and attacks that your WordPress site or server might be exposed to. The 7G firewall hasn’t been updated since 2021-11-03, which isn’t a problem, because the way it works doesn’t require frequent updates: most attacks follow common patterns that haven’t really changed over the years. I will be speaking directly about 7G because it’s the latest version.

Something to consider is false positives that affect the functionality of a WordPress site. This does occur, and it requires that the affected functions are allowed past the 7G/6G firewall with appropriate bypass rules. This can need extra care and feeding if you have a site with plugins that add frontend and backend functionality. There are people who maintain bypass rules for the many situations they’ve run into, and those rules took time to create. This might seem like a hurdle, but it’s better than no protection at all. The effort also differs by site: a brochure site will usually hit fewer false positives than an e-commerce site, and every site is unique, so you might find more issues on one than on another. Extending the 7G firewall is possible if you want to get down and dirty with the configuration.
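As an added illustration of how a 7G-style static rule and a bypass for a false positive fit together in Nginx (this is not the 7G rule set itself nor GridPane’s configuration; the patterns, hostname and plugin action name are constructed):

```nginx
# Illustrative 7G-style layout: "map" blocks in the http {} context turn
# request attributes into flags, and the server {} block acts on the flags.
# The patterns below are constructed examples, not the real 7G rules.

# 1) Static pattern rule on the query string (1 = suspicious, 0 = clean)
map $query_string $bad_querystring {
    default 0;
    ~*"(<|%3C)script"          1;   # inline script tag in a query string
    ~*"(union|select).*from"   1;   # crude SQL keyword sequence
    ~*"(\.\./|%2e%2e%2f)"      1;   # directory traversal
}

# 2) Bypass for a false positive: a hypothetical plugin endpoint that
#    legitimately sends the word "select" in its query string.
#    $request_uri includes the query string, so the path and action
#    can be matched together.
map $request_uri $skip_7g {
    default 0;
    ~*"^/wp-admin/admin-ajax\.php\?action=hypothetical_plugin_search" 1;
}

server {
    listen 80;
    server_name example.com;   # placeholder hostname
    root /var/www/html;

    # Evaluate the rule first, then let the bypass clear the flag, so a
    # request to the exempted endpoint is never answered with 403.
    set $drop_request 0;
    if ($bad_querystring) { set $drop_request 1; }
    if ($skip_7g)         { set $drop_request 0; }
    if ($drop_request)    { return 403; }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Check a change with `nginx -t` before reloading; a bypass regex that is too broad (for example matching all of admin-ajax.php) switches the rule off for every plugin, not just the one that misfired.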

Cloudflare WAF

Cloudflare is a cloud-based WAF that has been around since 2009 and protects a large portion of the internet. You can read more about Cloudflare here:

Why Cloudflare?

Cloudflare is a global network on the edge of the Internet. Cloudflare brings you closer to your customers, employees, and partners by making everything you connect to the Internet secure, private, fast, and reliable.

Cloudflare works in a similar way: it has its own WAF rules on the free plan, and if you upgrade, you get access to the managed rule sets written by Cloudflare. The Cloudflare rules are also static; however, they’re constantly updated and improved by Cloudflare, and the updates are available instantly. You don’t need to worry about updating, only about any false positives.

If you do have an issue with a false positive, you can put in a bypass rule to address it. This is done through the web UI rather than by editing, over scp or SSH, a file with a specific syntax, as with Perishable Press 7G. Granted, the UI does have an option to enter expressions (code), but you will most likely use the UI’s rule builder most of the time. Cloudflare’s WAF allows custom rules (5 on the free plan), and with them you can implement significant measures to stop attacks and automated, resource-exhausting traffic. We’ve written a great article on how to do just that.

We also have a number of other Cloudflare articles you might be interested in.

The most significant difference that makes Cloudflare stand out is its verified-bot filter, country detection and connection challenges. Whenever a device connects to your website, Cloudflare can tell whether it’s a verified bot (such as Google’s crawler) and which country it comes from, and it can ask the device to prove it’s not an automated bot.

This allows for some magical things to happen: you can allow all verified bots but block bad bots that consume server resources that could be serving a real person. You can block everyone outside your website’s geographical service area, or require that they pass the Cloudflare Managed Challenge or JavaScript Challenge. Both are explained below.

Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid CAPTCHAs, which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet.

https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/

With a JS challenge, Cloudflare presents a challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser. The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.

https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/

This opens up a ton of opportunity and ultimately lets you protect your WordPress admin from automated brute forcing, offloading that work to Cloudflare instead of spending your server’s resources, or your time, on setting up and maintaining a plugin or a service like fail2ban.

Conclusion

If you need protection now and don’t have a Cloudflare setup, the 7G firewall works excellently. If you want to go a step further, Cloudflare provides the best protection available for a WordPress site for free, and even upgrading to the Pro plan, which includes more Cloudflare-managed WAF rules and APO, is a great price at $20/month.

Changelog

  • 09-26-2022 – Published