OPNsense Open Source Firewall vs. Cloudflare Managed WAF

Since both are labelled as “firewall” products, a managed WAF like Cloudflare’s is often compared to a stateful firewall like OPNsense, which also has WAF capabilities, and much more. This comparison is not really apples-to-apples, especially since OPNsense has a universe of features which mirror Cloudflare’s other offerings, such as Magic Firewall (IDS) and Cloudflare Access (SASE). More simply put, it would take a combination of many Cloudflare products to match OPNsense’s core features and add-ons.

The Cloudflare WAF, which is really a giant reverse proxy in front of all of your HTTP and HTTPS services, is so well known because of the “free” plan, which has made it the de facto standard for DDoS and security mitigation for many web hosts and website operators. One thing Cloudflare does really well is accelerating the performance of a website by caching static assets at its hundreds of datacenters around the world. If you were using an open source firewall like OPNsense instead, you would need to separately use a CDN such as CloudFront or Bunny.net for performance, and go with a cloud provider that includes DDoS mitigation (many do, for free). For instance, AWS includes AWS Shield Standard for free, which helps prevent you from running up an enormous bandwidth bill if your application is targeted by a DDoS attack. Other providers, such as OVH or Hetzner, also provide some DDoS protection to all of their cloud customers.

The main difference between OPNsense and the Cloudflare WAF is that OPNsense can protect all of your services, including services that are not HTTP or HTTPS. OPNsense is a network security gateway that stands at the perimeter of each of your networks, filtering traffic and applying network address translation (NAT) between the WAN (Internet, generally untrusted) and LAN (your private network, generally trusted). If you have adopted a hybrid cloud strategy, you may have more than one network. Therefore, you need one (or one set of) virtual or physical OPNsense appliance(s) at each site.

  • Virtual OPNsense appliance for AWS VPC
  • Physical OPNsense appliance for HQ
  • Virtual or physical OPNsense appliance for branch office

It is also possible to use the Cloudflare WAF in conjunction with OPNsense: Cloudflare’s extensive network protects your web applications, while a stateful firewall and IDS/IPS protects your other workloads such as database servers, VDIs, or physical workstations. The OPNsense Intrusion Detection module is based on Suricata, an industry standard tool for inspecting packets passing through your WAN interface and blocking any suspicious activity. Although Suricata does not do SSL/TLS decryption (which has its own performance and security trade-offs), it is still possible to identify many forms of malicious traffic by inspecting the TLS handshake, which is exchanged in the clear before the session is encrypted. If SSL/TLS decryption is of interest to you, OPNsense can be extended with a third-party add-on called Zenarmor, which is much more resource-intensive than the OPNsense core, but provides true deep packet inspection (DPI) as a next generation firewall (NGFW).
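The handshake inspection described above can be shown with a small parser. The following Python is an added example, not code from the original post nor from OPNsense or Suricata: it constructs a sample TLS ClientHello, reads back the fields an IDS can see without decrypting anything (legacy version, offered cipher suites and the SNI hostname), and checks the SNI against a domain denylist. The hostname, cipher suites and denylist are constructed values, and `build_client_hello`, `parse_client_hello` and `sni_matches` are names chosen for this example, not Suricata APIs.

```python
import struct
from typing import List, Optional

# Added example (not code from the original post): build a minimal TLS ClientHello
# and read back the fields an IDS such as Suricata can inspect without decryption,
# because the handshake is sent in the clear. All sample values are constructed.

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000        # server_name (SNI) extension
EXT_SUPPORTED_VERSIONS = 0x002B

def build_client_hello(hostname: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Return a TLS record carrying a ClientHello for `hostname` (constructed, not captured)."""
    name = hostname.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    versions = b"\x02\x03\x04"                                    # advertise TLS 1.3
    ext_versions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions)) + versions
    extensions = ext_sni + ext_versions
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                              # legacy client_version (TLS 1.2)
        + b"\x11" * 32                           # client random (fixed constructed value)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake

def _parse_sni(ext: bytes) -> Optional[str]:
    """Pull the host_name entry out of a server_name extension body."""
    (list_len,) = struct.unpack("!H", ext[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = ext[pos]
        (name_len,) = struct.unpack("!H", ext[pos + 1:pos + 3])
        pos += 3
        name = ext[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii", errors="replace")
    return None

def parse_client_hello(record: bytes) -> Optional[dict]:
    """Return {'version', 'cipher_suites', 'sni'} for a ClientHello record; None for
    non-handshake records, other handshake messages or truncated input."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                    # truncated capture
        (version,) = struct.unpack("!H", body[0:2])
        pos = 2 + 32                                       # skip client random
        pos += 1 + body[pos]                               # skip session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        suites: List[int] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                               # skip compression methods
        sni = None
        if pos + 2 <= len(body):                           # extensions block is optional
            (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:                          # walk extensions, skipping unknown ones
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if etype == EXT_SERVER_NAME:
                    sni = _parse_sni(body[pos:pos + elen])
                pos += elen
        return {"version": version, "cipher_suites": suites, "sni": sni}
    except (IndexError, struct.error):
        return None                                        # malformed or short: do not guess

def sni_matches(sni: Optional[str], denylist) -> Optional[str]:
    """Return the denylist entry that `sni` equals or is a subdomain of, if any."""
    if not sni:
        return None
    host = sni.lower().rstrip(".")
    for entry in denylist:
        if host == entry.lower() or host.endswith("." + entry.lower()):
            return entry
    return None

if __name__ == "__main__":
    info = parse_client_hello(build_client_hello("www.example.com"))
    print(info, "denylist hit:", sni_matches(info["sni"], ["example.com"]))
```

The parser returns `None` for anything it cannot fully decode rather than partial results, which is the behaviour you want from an inspector that may be fed truncated or deliberately malformed records. Suricata exposes the same handshake fields through its `tls.sni` and related rule keywords, so a rule matching on the server name needs no decryption at all.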

Cloudflare Managed WAF

Cloudflare WAF Pros:

  • Fully managed, and updated for you as a monthly subscription. Relatively easy to set up.
  • Successfully defended against the largest recorded DDoS attacks in history, based on the unmatched size of their network infrastructure
  • Managed rulesets (in Pro plan and above) incorporate the latest threat intelligence from across Cloudflare’s network and automatically filter OWASP Top 10 attack attempts
  • Excellent GraphQL API for warehousing data (e.g. firewall events for analysis) and automating rulesets using the Rulesets API

Cloudflare WAF Cons:

  • Requires trusting Cloudflare’s privacy and security practices, as the reverse proxy sits as a man-in-the-middle (MITM) on your HTTP/HTTPS traffic. They do have a Transparency Report, and have historically contested National Security Letters (NSLs) from the U.S. government. Not likely to be an issue unless your threat model concerns state-level actors.
  • Requires delegation of your authoritative DNS server to Cloudflare. This may not always be possible in an enterprise environment.
  • Only HTTP and HTTPS services are supported by the reverse proxy (orange-clouded in the DNS editor). Other services can only be configured as pass-through (grey-clouded in the DNS editor), so the firewall is *not* active for those records.
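To make the last point concrete, here is an added example, not code from the original post or from Cloudflare, that audits a zone’s records for pass-through (grey-clouded) entries. The record list is a constructed sample shaped like the Cloudflare DNS records API response; the field names `proxied` and `proxiable` and the function names `audit_records` and `summarize` are assumptions of this example.

```python
from typing import Dict, List

# Added example, not code from the original post. The record list below is a
# constructed sample shaped like the Cloudflare DNS records API output (the field
# names `name`, `type`, `content`, `proxied`, `proxiable` are assumptions here);
# in practice it would be fetched from the API or exported from the DNS editor.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True, "proxiable": True},
    {"name": "api.example.com", "type": "CNAME", "content": "www.example.com", "proxied": True, "proxiable": True},
    {"name": "ftp.example.com", "type": "A", "content": "203.0.113.10", "proxied": False, "proxiable": True},
    {"name": "db.example.com", "type": "A", "content": "203.0.113.20", "proxied": False, "proxiable": True},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "proxied": False, "proxiable": False},
    {"name": "example.com", "type": "TXT", "content": "v=spf1 -all", "proxied": False, "proxiable": False},
]

ADDRESS_TYPES = {"A", "AAAA"}

def audit_records(records: List[Dict]) -> List[Dict]:
    """List every proxiable record whose traffic bypasses the Cloudflare WAF (grey-clouded).

    Severity is raised to "high" when a grey-clouded A/AAAA record publishes the
    same address as a proxied (orange-clouded) record: the WAF in front of the
    proxied hostname is then only as strong as the firewall on the origin itself.
    """
    hidden_origins = {r["content"] for r in records if r["type"] in ADDRESS_TYPES and r["proxied"]}
    findings = []
    for r in records:
        if not r.get("proxiable", False) or r["proxied"]:
            continue                  # MX/TXT etc. can never be proxied; proxied records are covered
        finding = {"name": r["name"], "type": r["type"], "content": r["content"], "severity": "info",
                   "note": "pass-through record: WAF and DDoS rules do not apply"}
        if r["type"] in ADDRESS_TYPES and r["content"] in hidden_origins:
            finding["severity"] = "high"
            finding["note"] = "pass-through record publishes the origin address of a proxied hostname"
        findings.append(finding)
    return findings

def summarize(records: List[Dict]) -> Dict[str, int]:
    """Counts of proxied, pass-through and non-proxiable records, for a quick dashboard line."""
    out = {"proxied": 0, "pass_through": 0, "not_proxiable": 0}
    for r in records:
        if not r.get("proxiable", False):
            out["not_proxiable"] += 1
        elif r["proxied"]:
            out["proxied"] += 1
        else:
            out["pass_through"] += 1
    return out

if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['type']:5} {f['name']:20} -> {f['content']}: {f['note']}")
    print(summarize(SAMPLE_RECORDS))
```

On the sample data the `db` record is reported as a plain pass-through (the WAF simply does not apply to it), while the `ftp` record is rated high because it shares its address with the proxied `www` record, so the origin behind the WAF is reachable directly. That second case is exactly where a stateful firewall such as OPNsense on the origin network earns its place alongside Cloudflare.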

OPNsense Open Source Firewall

OPNsense Firewall Pros:

  • Open source based on FreeBSD. Fork of the proven pfSense firewall.
  • Can be deployed in any public cloud, dedicated host, or on-premises
  • Stateful firewall and intrusion detection (IDS/IPS) for all packets, in addition to being a reverse proxy and WAF for HTTP/S services
  • Extremely flexible, also serves as a VPN server & reverse proxy (HAProxy or NGINX)
  • Can use any rulesets for the Suricata IDS/IPS engine such as Proofpoint ET-PRO, and NAXSI (implementation of mod_security for NGINX) for the WAF
  • No need to trust a third-party to decrypt and re-encrypt your traffic, nor delegate control of your authoritative DNS to Cloudflare

OPNsense Firewall Cons:

  • Setup in your environment requires cloud and networking knowledge
  • Only basic DDoS protection (the Anti-DDoS feature prevents SYN floods); more comprehensive mitigation falls back on your hosting provider
  • High Availability setup requires CARP virtual IP (VIP) support in a hardware environment. In AWS, other approaches may be used, such as an ALB or re-assignment of an Elastic IP.
  • The OPNsense appliance needs to be updated and maintained regularly to apply any security fixes.

Are you confused about whether implementing OPNsense, Cloudflare, or both might be appropriate for your network? Get in touch with a SecOps consultant who can demystify which solutions you might need to keep your applications and networks secure.
