DevOps, microservices, hybrid, and multi‑cloud are fueling growth for companies taking a modern approach to deploying applications. These key drivers have also exposed the shortcomings of appliance‑based technologies (both physical and virtual) including web application firewalls (WAFs) and load balancers.
Both Signal Sciences and NGINX Plus are purpose‑built for modern environments, and today we’re excited to announce the release of the Signal Sciences Certified Module for NGINX Plus! Signal Sciences brings additional modern web and API security to the NGINX Plus platform, offering a combined solution that helps enterprises replace outdated legacy WAF and load‑balancing appliances, such as the F5 Advanced WAF and F5 BIG-IP.
NGINX Open Source and NGINX Plus are trusted by the world’s most innovative enterprises to deliver high performance from their applications and websites in a resource‑efficient manner. Certified modules for NGINX Plus take advantage of the extensibility offered by NGINX Plus – these modules can be dynamically loaded on top of NGINX Plus. Customers benefit from the ease of deployment, improved integration, and better performance of the joint solution.
Why Do You Need a Next-Gen WAF?
Signal Sciences’ next‑gen WAF provides superior protection for applications and APIs by delivering the following benefits over legacy appliance‑based WAF solutions.
Scalability on Demand
Modern applications and APIs might run across different stacks and clouds and need to scale up and down on demand. Protecting such a diverse footprint requires an elastic technology that can run anywhere without adding the overhead of configuring and deploying new instances and rule sets, as legacy WAFs do. Signal Sciences scales seamlessly both architecturally and operationally by deploying wherever your NGINX Plus instances are running. Scaling is vastly simplified: your teams don’t have to write new rules when deploying new apps or updating existing ones.
Our SmartParse feature makes dynamic detections by parsing requests and using data science to make accurate decisions based on time series analysis, traffic source, and a number of other signals. It’s why 95% of Signal Sciences’ customers trust us to run in full blocking mode out of the box across all covered attack types!
Protection Without Performance Degradation
Signal Sciences runs lightweight software agents wherever you run NGINX Plus – without requiring an additional network hop like appliance‑based WAFs. The operational metrics on our dashboard show that the WAF introduces only minimal latency, on average just 1 to 2 milliseconds. The Signal Sciences WAF has protected the websites for big events like the Superbowl, the 2016 United States presidential election, and Black Friday for many retailers, with no noticeable impact on quality of service.
Our Cloud Engine service currently supports tens of thousands of sites and over 200 billion web requests every week. Coupled with the performance of NGINX – which powers more of the world’s 1 million busiest websites than any other server – our joint offering is the technology of choice at high‑scale websites, for more complicated architectures like microservices, and in environments where excellent user experience is a top priority.
Threat Coverage
Common attacks catalogued by the Open Web Application Security Project (OWASP) Foundation, such as SQL injection (SQLi) and cross‑site scripting (XSS), are table stakes and must be protected by any WAF. However, with traditional WAFs that use regular expression rules these common attack types are the main culprits behind false positives. With so many false positives, teams struggle to move rules into blocking mode, leaving the application exposed. As mentioned previously, 95% of Signal Sciences customers run in blocking mode and therefore are better protected from these basic attacks.
Our Power Rules platform then takes you further with advanced detections. Power Rules allow you to surface threats against your application’s business logic by building custom logic with a simple user interface. With Signal Sciences, you can protect against account takeovers and credential stuffing, bad bots, and CVE exploits via virtual patches.
NGINX Plus with Signal Sciences
Leveraging NGINX Plus as a load balancer, API gateway, and content cache, joint customers can achieve considerable cost savings and increase agility. With no ModSecurity rules to tune, Signal Sciences customers don’t need dedicated FTEs to manage the WAF. Configuring NGINX Plus and Signal Sciences takes minutes, compared to 4–6 weeks for other products.
With this certified dynamic module, NGINX Plus customers no longer have to load the NGINX Plus Lua dynamic module nor incorporate Lua code provided by Signal Sciences into their environment. Those requirements created an operational and performance burden because the Signal Sciences Lua code depended on a specific version of Lua and required additional steps to configure. The Certified Module offers a frictionless user experience for those looking to integrate NGINX Plus with Signal Sciences.
NGINX’s own WAF solution – NGINX ModSecurity WAF, a dynamic module for NGINX Plus based on ModSecurity – is appropriate for basic site protection and regulatory or compliance use cases. The Signal Sciences WAF is a more comprehensive and higher‑performing option that secures applications above and beyond the OWASP Top 10 security risks.
[Editor – NGINX ModSecurity WAF officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024. For more details, see F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life on our blog.]
Installing Signal Sciences
Signal Sciences has a patented two‑part software installation including a module and agent.
Follow our instructions to install the agent before you install the NGINX Plus Certified Module.
The Certified Module package names use the NGINX Open Source version number. In the following commands, for example, 1.15.7 corresponds to NGINX Plus R17.
Here are sample installation commands for a few operating systems.
Ubuntu 18.0
$ dpkg -i ./artifacts/ubuntu/bionic/nginx-module-sigsci-nxp_1.15.7-0-bionic_amd64.debor
$ wget -qO - https://apt.signalsciences.net/gpg.key | apt-key add -
$ echo "deb https://apt.signalsciences.net/release/ubuntu/ bionic main" | tee /etc/apt/sources.list.d/sigsci-release.list && apt-get update
$ apt-get install nginx-module-sigsci-nxpDebian 9
$ dpkg -i ./artifacts/debian/stretch/nginx-module-sigsci-nxp_1.15.7-0-stretch_amd64.debCentOS 7.0
$ yum install -y ./artifacts/centos/el7/nginx-module-sigsci-nxp-1.15.7-0.el7.x86_64.rpmConclusion
As a member of the NGINX Partner Network, Signal Sciences will be working even more closely with the NGINX team. Tune in for future blogs and information around NGINX Plus and Signal Sciences!
Further Reading
Installation instructions for the Signal Sciences Certified Module
