I just love this project! BunkerWeb was a huge help when I was self-hosting my products with Docker Swarm. It offers tons of configuration options—especially useful for those needing a WAF and dealing with heavy bot traffic.
Since moving to Kubernetes, I haven’t used or evaluated it there yet, but kudos to the team for continuing to update and improve the project. Keep up the great work!
Your site talks of BunkerWeb PRO, which is, by the sound of it, not open source. But I have no idea what is actually different about it: https://panel.bunkerweb.io/knowledgebase/105/What-is-BunkerW... flatly doesn’t answer the question: “additional features and services responding to professional needs” is impressively vague.
While neat, I feel like in the current age of "let's throw shitloads of packets and see how they like that", this solves _a problem_, but I feel that most of the security products solve it by anycasting IP ranges.
WAFs have a few valid uses in my opinion: "virtual patching" and the ability to create custom rules such as blocking/challenging/rate limiting obviously bad traffic. But the giant rulesets are actively harmful IMO. "Defense in depth" is not a valid justification for doing something actively harmful to both your users and the time budget of your security team.
You are correct. Actual security needs to be inherently part of the application; you can't get it just by slapping something in front of it. And the way most WAFs work is basically just a fancier version of what https://thedailywtf.com/articles/Injection_Rejection does, which is horrifically bad on sites where people try to discuss HTML or SQL.
In addition to defense-in-depth—simply adding a bunch of imperfect layers and acknowledging that no individual layer like this is all that effective on its own—there’s a component of creating signal: it can be pretty trivial for a motivated attacker to bypass a WAF, however it may not be trivial to do so without creating a paper trail of event logs, which can be used to trigger automated blocks or escalate alarms for a human to intervene.
WAFs aren't bullshit but have limitations - they're effective against known attack patterns (SQLi, XSS) but can be bypassed with sophisticated techniques. They're best as one layer in a defense-in-depth strategy, not a complete security solution.
I mean ... You're not completely wrong, but you're not completely right either. For context: I've been working full-time in security for 15 years and on the fringes (reversing) for many more.
WAFs in and of themselves provide virtually zero security. They can block naive attacks -- catching the most obvious payloads -- and act as an early-warning signal that an attack may be underway (though the SNR on this is awful). But frankly, this is far less important in practice than the fact that it just makes things more difficult and annoying for attackers. Enough so that it can make a semi-attractive target into a no-go.
This is like defense-in-depth, but instead of layering protections in place so that the holes in the swiss cheese don't like up, you're making the cheese smell awful enough to ignore the juicy apple behind it.
If you're a valuable enough target, they're gonna go for the apple regardless of how bad the cheese is. ... And this analogy may have gotten away from me.
They're both reverse proxies built on nginx, but the whole point of BunkerWeb is that it's a WAF, which NPM is not, so that's a significant difference.
Since moving to Kubernetes, I haven’t used or evaluated it there yet, but kudos to the team for continuing to update and improve the project. Keep up the great work!
Kubernetes integration is really awesome, you can use BunkerWeb ingress controller or mix it with an existing ingress controller.
It also exists as a docker container as an nginx reverse proxy with modsecurity extension.
https://coreruleset.org/docs/6-development/6-6-useful_tools/...
Neat to see another use case for NGNIX though!
Could someone with a proper background in security confirm or invalidate my suspicion ?
WAFs have a few valid uses in my opinion: "virtual patching" and the ability to create custom rules such as blocking/challenging/rate limiting obviously bad traffic. But the giant rulesets are actively harmful IMO. "Defense in depth" is not a valid justification for doing something actively harmful to both your users and the time budget of your security team.
WAFs in and of themselves provide virtually zero security. They can block naive attacks -- catching the most obvious payloads -- and act as an early-warning signal that an attack may be underway (though the SNR on this is awful). But frankly, this is far less important in practice than the fact that it just makes things more difficult and annoying for attackers. Enough so that it can make a semi-attractive target into a no-go.
This is like defense-in-depth, but instead of layering protections in place so that the holes in the swiss cheese don't like up, you're making the cheese smell awful enough to ignore the juicy apple behind it.
If you're a valuable enough target, they're gonna go for the apple regardless of how bad the cheese is. ... And this analogy may have gotten away from me.
In short, NPM doesn't do any of the stuff listed under Security Features here: https://docs.bunkerweb.io/latest/#security-features