Web application firewalls (WAFs) are a key component of corporate security and can be found in about 70% of U.S. corporations. The best ones strike the right balance between efficiency, security effectiveness, and total cost. A WAF's role is to defend a particular application from web-based attacks. Instead of securing ports as a network firewall does, WAFs provide application-layer security, usually sitting between a perimeter firewall and a web server or web application server to make it much harder for malicious hackers to capture server or device information.

A WAF's main functions include application protection, the ability to screen out suspicious traffic and requests, signature-based security, and identification of anomalies. Beyond these core functions, WAF products are distinguished by the additional features they offer and by their delivery method. Some WAFs incorporate load balancing, intrusion prevention (IPS), or integration with threat intelligence feeds. Others are part of a larger next-generation firewall (NGFW) or UTM suite. They may be distributed as hardware or software appliances, or as virtual appliances. The cloud is a growing market for WAFs, but most are implemented on-site.

Web Application Firewall (WAF) – Gartner Magic Quadrant

This Magic Quadrant comprises WAFs that are deployed externally to web applications and are not directly deployed on web servers:

  • Purpose-built physical, virtual or software appliances
  • WAF modules embedded in Application Delivery Controllers
  • Cloud-based WAF service including WAF modules built into larger platforms, such as content delivery networks (CDNs)
  • Virtual appliances on infrastructure as a service (IaaS) platforms, and WAF solutions from IaaS providers

Descriptions of some of the best WAF tools follow:


Imperva can deliver strong WAF features as a traditional appliance and as a cloud-based WAF service, but faces increased cloud competition. Imperva (IMPV) is an application, database, and file security provider based in Redwood Shores, California. SecureSphere is Imperva's WAF appliance, and Incapsula is its cloud-based WAF, provided as a service. Imperva also has security testing services and offers management support for the SecureSphere and Incapsula WAFs. Both SecureSphere and Incapsula are mainly configured in blocking mode. The SecureSphere WAF is available for AWS and Microsoft Azure in seven physical and three virtual appliances, with two models each. There are also two types of physical and virtual devices for dedicated management. ThreatRadar is SecureSphere's family of add-on subscription tools, available in five offerings: account takeover security, reputation feed, bot defense, spam prevention, and community protection. Imperva Incapsula can also be bundled with other services, including DDoS mitigation and CDN functions. For many companies, Imperva is a reasonable choice. SecureSphere addresses high-security use cases in larger organizations, and Incapsula suits companies that take a cloud-based approach to securing public-facing web applications.




Where customers only require a cloud-based WAF service, Akamai's WAF appeals to prospective customers for its combination of strong security features and ability to scale. Akamai is a CDN vendor and employs a staff of more than 5000 people. Its network and web security capabilities, including its WAF (Kona Site Defender), are built on top of its global cloud platform, the Akamai Intelligent Cloud. Kona Site Defender includes DDoS mitigation options, such as Site Shield for origin protection, DDoS fee protection, and a module for compliance management. Optional add-ons, such as client reputation, bot manager, and FastDNS, are often bundled with Kona WAF. Kona Site Defender is a strong candidate for all use cases where a WAF delivered from the cloud is desirable and low prices are not the highest priority, especially for current Akamai CDN users.




Radware has a good understanding of the market and is accelerating its rate of innovation. Security managers who adopt cloud-based WAF services and look for ways to handle hybrid delivery models are becoming an increasingly important audience for it. However, Radware does not appear in enterprise shortlists as frequently as some competitors. Radware (RDWR) is a provider of application delivery and security whose key ADC product is called Alteon. Its security solutions include DDoS mitigation (DefensePro), DDoS virtual protection (DefenseFlow), cloud-based DDoS mitigation (Cloud DDoS Protection) and WAF (AppWall). These can be purchased individually or packaged in Radware's Attack Mitigation Service (AMS). AppWall can be installed as a physical or virtual machine, or as a module on top of Radware's ADC appliance (Alteon). AppWall is also available as a vendor-managed cloud-based WAF service (called a cloud WAF service), based on the same technology as the AppWall appliance. Radware is a good shortlist candidate for most organizations, especially those that want strong positive security and wish to deploy the same levels of security across hybrid environments. Potential clients should still verify the feasibility of the solutions in their own environments, through third parties or in-house security staff.




F5 is one of the most frequently mentioned vendors in shortlists of WAF appliances and has made progress in cloud-based WAF services. Its renewed efforts to enhance behavior-based anomaly detection appeal to security-conscious organizations. F5 Networks (FFIV), a technology infrastructure vendor, offers a WAF product called the Application Security Manager (ASM), a software module for the F5 Big-IP ADC platform that is also offered as part of F5's bundle of services. The F5 hardware Big-IP appliance product line can also run a license-restricted (yet upgradable) version of the full program to function as a stand-alone security solution (such as a stand-alone WAF). Other F5 security modules include the APM module for Identity and Access Management (IAM) integration and/or enforcement, and WebSafe Web Fraud Protection Services. F5 also provides a cloud-based, managed WAF service and DDoS scrubbing (F5 Silverline). The vendor is a good candidate for a WAF shortlist, especially for large organizations looking for scalable and versatile WAF appliances.



As more web apps migrate into the cloud, Cloudflare's bundled value proposition and the regular improvements to its solution appeal to more clients. Cloudflare is well known for its CDN and DDoS security services. Other tools include its managed DNS and WAF systems. Cloudflare is best known for its free plans and low-cost Pro and Business self-service plans. Most of the company's sales are through the custom Enterprise program, which begins at $5,000 a month. It also offers a load balancing and failover subscription, a performance optimization subscription (Argo) based on enhanced routing decisions between its servers, Internet of Things (IoT) security (Orbit) to secure connections between IoT devices and their origin network, always-on IPv6, a collaboration with OpenDNS to increase the lookup capacity of IPv6 DNS, and beta version support for TLS 1. Cloudflare is a good shortlist candidate for the security of cloud-based applications, especially for budget-constrained organizations requiring bundled WAF and DDoS capabilities for their public web applications.