Incapsula vs. Cloudflare : Security Review & Comparison

Filter out the bad traffic from reaching a website. Protect your site from hacking attempts with Web Application firewall.
Philip Tibom, a 23-year-old white-hat hacker from Sweden, recently performed an independent penetration test of the Cloudflare and Incapsula cloud-based security services, after being a customer of both CloudFlare and Incapsula for more than 6 months.

He documented his findings in this YouTube video and in an extremely detailed 22-page security study that clearly describes the way both services deal with various security threats: SQLi, XSS, DDoS and more. Without spoiling too much, let's just say that you will find his findings surprising and perhaps even alarming.

Introduction
Cloudflare and Incapsula are two different cloud-based website security and acceleration services. They both work as reverse proxies: they sit between the site's visitors and the web servers, receive every request, and forward the requested content back to the visitors. Because all traffic passes through them, they can filter out the bad traffic before it reaches a website. They also offer many features that speed up and optimize websites.
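Because both services are reverse proxies, their filtering only applies to requests that actually pass through them; an origin server that still answers connections directly gets none of it. The following added example (not from the review or from either vendor) shows the origin-side checks a defender would pair with the DNS change described in the review: admit only connections that arrive from the proxy service's published egress addresses, and trust the forwarded client address only on those connections. The address ranges and sample connections are constructed placeholders from RFC 5737 documentation space, not either vendor's real address lists.

```python
import ipaddress
from typing import Mapping, Tuple

# Constructed placeholder ranges that stand in for the proxy service's published
# egress addresses. These are RFC 5737 documentation networks, not real proxy IPs;
# in production, load the vendor's current list instead.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True when addr falls inside one of the proxy service's egress ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        # Malformed input is never a trusted proxy.
        return False
    return any(ip in net for net in TRUSTED_PROXY_RANGES)


def real_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Recover the visitor's address from X-Forwarded-For.

    The header is only meaningful when the TCP peer is a trusted proxy. We then
    walk it from the right (the end that proxies append to) and return the first
    hop that is not itself a trusted proxy. Anything further left was supplied by
    the client and cannot be trusted.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip


def admit_request(peer_ip: str, headers: Mapping[str, str]) -> Tuple[str, str]:
    """Origin-side gate: accept only connections that arrived through the proxy.

    Returns ("accept", client_ip) or ("reject", reason).
    """
    if not is_trusted_proxy(peer_ip):
        # A direct hit on the origin: the WAF and bot filtering were never applied,
        # so the request is refused regardless of any headers it carries.
        return ("reject", "direct-to-origin connection bypasses the proxy filtering")
    return ("accept", real_client_ip(peer_ip, headers))


if __name__ == "__main__":
    # Constructed sample connections (all RFC 5737 documentation addresses).
    samples = [
        ("198.51.100.10", {"X-Forwarded-For": "192.0.2.55"}),            # normal visitor via proxy
        ("198.51.100.10", {"X-Forwarded-For": "10.0.0.1, 192.0.2.55"}),  # client-supplied junk on the left
        ("192.0.2.7", {}),                                              # direct hit, no proxy
        ("192.0.2.7", {"X-Forwarded-For": "198.51.100.10"}),             # forged header on a direct hit
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", admit_request(peer, hdrs))
```

The gate keys off the TCP peer address, never off a header, because headers are attacker-controlled; the forwarded header is consulted only after the peer has been verified, and then read from the proxy's end so that values prepended by the client are ignored. Pairing this with a firewall rule that only opens the origin to the same ranges gives the same guarantee one layer lower.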

This review is focused only on the security aspects of the two services. Both services offer protection against bad bots, a Web Application Firewall (WAF) which they claim protects against malicious bots and hacking attempts, and DDoS protection. This review shows whether they really provide the protection they claim to.

What is included in this review?
1. DNS changes – How does it affect your security?
2. SQL injection protection – How well does it work?
3. XSS (Cross Site Scripting) protection – How well does it work?
4. Remote File Inclusion protection – How well does it work?
5. OWASP Top 10 Vulnerabilities – Are they protected?
6. SSL – Does it work? Is it easy?
7. Control panel – How does it help you protect your site?
8. Spam bot / Bad bot protection – Is it effective?
9. PCI Compliance – Does the WAF meet the requirements?
10. DDoS protection – Is it included?

How have I performed this review?

I have been a customer with active websites of both Cloudflare and Incapsula for more than 6 months. Within this time I have learned all the features provided by both services and the differences between them. For this review, I have also tested the level of security of both companies by attacking my websites with dozens of different attack types (SQL injections and XSS, vulnerability scanners and more).

Summary & Conclusion
This is only a glimpse of the review results. I advise downloading and reading the full review.

Web Application Firewall (WAF)
Incapsula wins this battle by far. The WAF in CloudFlare is almost non-existent and it does not live up to the quality of a WAF. It does not protect against SQL-injections or XSS as they claim to do. Incapsula on the other hand does what they advertise to do. It blocks SQL-injections, XSS, vulnerability scanners, bad bots and more. Incapsula’s WAF is also PCI 6.6 compliant.

Video demonstration: http://www.youtube.com/watch?v=XyomdqPWSg4

SSL
Both companies offer outstanding SSL options. Incapsula offers stronger encryption while CloudFlare offers a second solution that they call 'Flexible SSL'. Any website can use the Flexible SSL even if they do not have SSL enabled on their own webserver. This battle is somewhat even but CloudFlare gets a big plus for the Flexible SSL option.

Control panel
They both have a clear and good control panel. Incapsula wins this as they provide much more detail in the security logs, which allows further research. CloudFlare’s control panel is very basic and may be more suited for someone with no knowledge about security.

Spam / Bot protection
Cloudflare’s spam and bot protection is definitely decent. But the false positives can be very annoying for the visitors. Incapsula’s spam and bot protection is even sharper. It prevents more spam while maintaining fewer false positives.

DDoS protection
DDoS protection is not included in the Pro / Business packages for either of the two services. But both services can still help protect against DDoS to a certain degree. For a full DDoS protection service you will have to upgrade to the enterprise plans.

Overall
Incapsula is the clear winner when it comes to security. By using the service, it is clear that they have put a lot more effort into it than CloudFlare. With better security comes a higher price, but I highly recommend Incapsula’s security features to any commercial website and to any personal website that can afford it. For anyone who values security, Incapsula is a great choice.

CloudFlare is a good opponent. They offer a wider CDN network than Incapsula and other enhancements which are not covered in this review. But when it comes to security, they fail to live up to the standards of Incapsula. For the security minded, CloudFlare is not that great a choice.

The full review can be downloaded here:
http://www.tourney.se/downloads/Full-Review.pdf