Web Application Security

Modern Web Security Meets Modern Load Balancing with NGINX

Brendon Macaraeg

Brendon Macaraeg is Director of Product Marketing at Signal Sciences. Previously with CrowdStrike and Symantec, he focused on evangelizing and marketing security offerings. Outside of work, Brendon keeps busy with his wife and kids enjoying outdoor activities.

Signal Sciences Certified Modules

NGINX Certifies Signal Sciences Dynamic Module

DevOps, microservices, hybrid and multi-cloud are fueling growth for companies taking a modern approach to deploying applications. These key drivers have also exposed the shortcomings of appliance (physical or virtual) based technologies including web application firewalls (WAFs) and load balancers.

Both NGINX and Signal Sciences are purpose-built for modern environments, and with the release of Signal Sciences Certified Module for NGINX Plus, our mutual customers benefit from improved NGINX security! Signal Sciences brings modern web and API security to the NGINX Plus platform, offering a combined solution that helps enterprises replace outdated legacy WAF and load balancing appliances.

Based on W3Techs’ ranking on January 11, 2019, NGINX is used by 66.2% of the top 10,000 websites and 58.7% of the top 1,000 sites. Customers of Signal Sciences that use NGINX include 8 of the top 50 sites in the US, along with Chef, Duo, Procore, SendGrid, UnderArmour, Vimeo, Weebly, WeWork and many more.

Why Do You Need a Next-Gen WAF?

Signal Sciences next-gen WAF provides superior protection for applications and APIs by delivering the following benefits over legacy appliance-based WAF solutions:

Scalability on demand

Modern applications and APIs may run across different stacks and clouds and need to scale up and down on demand. Protecting such a diverse footprint requires an elastic technology that can run anywhere without adding overhead to configure and deploy new instances and rulesets as in the legacy WAF days. Signal Sciences scales seamlessly both architecturally and operationally by deploying wherever your NGINX Plus instances run. Because there aren’t any ModSecurity rulesets to tune, your teams won’t face the scalability challenges of having to write new rules for newly deployed or updated apps.

Our SmartParse makes dynamic detections based on parsing requests and using data science to make accurate decisions based on time series analysis, traffic source, and a number of other signals. It’s why 95% of our customers trust us to run in full blocking mode across all attack types that we cover out of the box!

Protection Without Performance Degradation

Signal Sciences runs lightweight software agents wherever you run NGINX Plus — without requiring an additional network hop like appliance-based WAFs. We expose operations metrics in our dashboard, where the latency we introduce averages between 1 and 2 milliseconds. We’ve had major brands deploy before a big event like the Super Bowl, the 2016 election, and Black Friday with no noticeable impact on their service.

Our Cloud Engine service currently supports over 10,000 sites and over 200 billion weekly web requests. Coupled with the performance of NGINX — which powers 60% of the top 1,000 websites — our joint offering is the technology of choice among high scale websites (as well as all websites who care about user experience!).

Threat Coverage

Common attacks cataloged by the Open Web Application Security Project (OWASP) Foundation such as SQLi and XSS are table stakes and must be covered by any WAF. However, these common attack types are the main false-positive culprits for traditional WAFs that rely on regular expression rules. With so many false positives, teams struggle to move rules into blocking mode, leaving the application exposed. 95% of Signal Sciences customers (as mentioned above) run in blocking mode and are therefore better protected from these basic attacks.

Our Power Rules platform then takes you further, providing advanced detections. Power Rules allow you to surface threats against your application’s business logic by building custom logic with a simple user interface. Protection against account takeovers and credential stuffing, bad bots, and CVE exploits via virtual patches is all possible with Signal Sciences.

Signal Sciences NGINX Certified Module Diagram

Why an NGINX Plus certified module?

At Signal Sciences, we pride ourselves on the ease of installation and use of our technology. This core value led us down the path of developing a certified dynamic module to make the install even easier. NGINX Plus introduced the idea of dynamic modules to make it easier to use third-party modules without having to recompile NGINX. Before the dynamic module, customers and prospects had to compile Lua into the NGINX binary, which was dependent on the version number and required extra steps to configure. The certified dynamic module ensures that with each release of NGINX Plus, the Signal Sciences module will work without recompiling the binary.

NGINX Plus with Signal Sciences

Leveraging NGINX Plus as a load balancer, API gateway, and content cache, joint customers can achieve considerable cost savings as well as deployment time savings. Appliance-based load balancers can cost up to six times that of NGINX Plus. With no ModSecurity rules to tune with Signal Sciences, there are no dedicated FTEs required to manage the technology. Rollout times for NGINX Plus and Signal Sciences are clocked at minutes, compared to 4-6 weeks for other products.

Installing Signal Sciences

Signal Sciences has a patented two-part software install consisting of a module and an agent.

First, you’ll need to follow our instructions to install the agent before you install the module for NGINX Plus.

The Certified Module package names use the NGINX Open Source version number. In the following commands, for example, 1.15.7 corresponds to NGINX Plus R17.

Here are sample installation commands for a few operating systems:

Ubuntu 18.04 (bionic) example:

$ dpkg -i ./artifacts/ubuntu/bionic/nginx-module-sigsci-nxp_1.15.7-0-bionic_amd64.deb

OR

$ wget -qO - https://apt.signalsciences.net/gpg.key | apt-key add -

$ echo "deb https://apt.signalsciences.net/release/ubuntu/ bionic main" | tee /etc/apt/sources.list.d/sigsci-release.list && apt-get update

$ apt-get install nginx-module-sigsci-nxp

Debian 9 (stretch) example:

$ dpkg -i ./artifacts/debian/stretch/nginx-module-sigsci-nxp_1.15.7-0-stretch_amd64.deb

CentOS 7 (el7) example:

$ yum install -y ./artifacts/centos/el7/nginx-module-sigsci-nxp-1.15.7-0.el7.x86_64.rpm
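Because the module package is named after the NGINX Open Source version that the running NGINX Plus build corresponds to (1.15.7 for R17 above), it is worth checking that the package you are about to install matches the binary before running dpkg or yum. The following POSIX shell helpers are an added example, not part of the Signal Sciences install instructions; the package file-name patterns are taken from the commands above, while the exact wording of the `nginx -v` banner is an assumption.

```shell
#!/bin/sh
# Added example (not from the Signal Sciences or NGINX docs): derive the module package
# name that matches the running NGINX Plus build and confirm it before installing.

# Extract the NGINX Open Source version number from an `nginx -v` banner line.
# Assumed banner format: "nginx version: nginx/1.15.7 (nginx-plus-r17)" -> "1.15.7".
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Build the Certified Module package file name for a distro code name and version,
# following the patterns shown in the install commands (bionic, stretch, el7).
sigsci_module_package() {
    distro="$1"; ver="$2"
    case "$distro" in
        bionic|stretch)
            printf 'nginx-module-sigsci-nxp_%s-0-%s_amd64.deb\n' "$ver" "$distro" ;;
        el7)
            printf 'nginx-module-sigsci-nxp-%s-0.el7.x86_64.rpm\n' "$ver" ;;
        *)
            echo "unsupported distro code name: $distro" >&2; return 1 ;;
    esac
}

# Check that a downloaded package name carries the same version as the running
# NGINX (deb names use "_<ver>-", rpm names use "-<ver>-"). Returns 0 on match.
package_matches_nginx() {
    pkg="$1"; ver="$2"
    case "$pkg" in
        *"sigsci-nxp_${ver}-"*|*"sigsci-nxp-${ver}-"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live usage on an Ubuntu 18.04 host (nginx -v prints its banner on stderr):
#   ver=$(nginx_version_from_banner "$(nginx -v 2>&1)")
#   pkg=$(sigsci_module_package bionic "$ver")
#   package_matches_nginx "$pkg" "$ver" && dpkg -i "./artifacts/ubuntu/bionic/$pkg"
```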

Conclusion

As a member of the NGINX Partner Network, Signal Sciences will be working even more closely with the NGINX team. Tune in for future blogs and information around NGINX Service Mesh and Signal Sciences in-depth comparisons against ModSecurity, and more!

If you aren’t a Signal Sciences customer and would like to know more about our product, request a live demo of our next-generation web application firewall today.