Web Application Firewalls, or WAFs, are a different kind of firewall. Rather than blocking or allowing traffic based on IP addresses and ports alone, they operate at the application layer: they parse HTTP requests and responses and decide what to let through based on a set of security rules.
As their name implies, their main purpose is to secure web-based applications. Choosing a Web Application Firewall can be a daunting task. They exist either as a cloud-based service or as an appliance, each with its advantages and shortcomings. That’s why we’ve compiled this list of the 10 best Web Application Firewalls. It will help you evaluate product features from different vendors.
In this article, we’ll start off with a discussion on Web Applications Firewalls, what they are and what purpose they serve. We’ll then compare cloud-based and appliance-based systems and list the pros and cons of each. As you’ll see, it’s more than just a philosophical choice. After we’re done explaining the basics of WAFs, we’ll dive into the core of our subject and present not one but two lists. First, we’ll review the best five cloud-based WAFs and next we’ll have a look at the best five WAF appliances.
WAFs In A Nutshell
As we stated in our introduction, a Web Application Firewall is a special kind of device. It can protect web-based applications far better than a standard firewall can, because it understands the traffic it inspects. A typical WAF will protect a website against attacks such as cross-site scripting, SQL injection, cookie poisoning, web scraping, parameter tampering and buffer overflow attempts, among many others.
Contrary to traditional firewalls, which base their decision to allow or block traffic on simple parameters such as IP address or port number, WAFs base their decision on an in-depth analysis of the HTTP traffic itself: the method, URL, headers, cookies, query parameters and body of each request. They examine requests looking for known malicious patterns. To do that on HTTPS traffic, the WAF must terminate TLS, which means it holds the site's certificate and private key (or, for a cloud service, a certificate the provider issues for your domain); without that it sees only encrypted bytes and can inspect nothing. Web Application Firewalls match requests against known attack signatures, but they will also reject malformed or non-standard requests (unexpected methods, missing headers, oversized fields), since those are frequently evasion attempts. Two caveats apply in practice: signatures are only as good as their last update, and every rule set produces some false positives that must be tuned out per application.
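To make the inspection model concrete, here is an added example (not code from the article or from any of the products it reviews) of the request-scoring loop at the heart of a signature-based WAF. The rule set, the shop.example site, the sample requests and the exclusion list are all constructed for illustration; a real WAF ships thousands of rules. It shows the three things the paragraph above describes: per-field inspection of path, parameters and headers; normalization so that an encoded or double-encoded payload is seen in the same form as a plain one; and rejection of malformed requests before any signature is consulted. It also shows the false-positive problem, with a per-target exclusion standing in for the tuning every deployment needs.

```python
import re
import urllib.parse
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed, deliberately small signature set. A production rule set runs to
# hundreds or thousands of rules; only the shape of the inspection matters here.
RULES = [
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
    ("xss_event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("sqli_tautology", re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("sqli_comment_or_union", re.compile(r"--|/\*|\bunion\b\s+(all\s+)?select\b", re.I)),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
]
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
MAX_PATH_LEN = 2048
# Per-target exclusions are how a WAF is tuned when a legitimate field keeps
# tripping a rule: here, free-text comments may legitimately contain "--".
DEFAULT_EXCLUSIONS = {("sqli_comment_or_union", "body:comment")}

def normalize(value: str) -> str:
    """Percent-decode until the value stops changing, so a double-encoded payload
    (%253C for '<') is inspected in the same form as %3C. Capped at 5 rounds."""
    for _ in range(5):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def protocol_checks(req: Request) -> list:
    """Flag malformed or non-standard requests before any signature matching."""
    findings = []
    if req.method not in ALLOWED_METHODS:
        findings.append(("unexpected_method", "method"))
    if not any(name.lower() == "host" for name in req.headers):
        findings.append(("missing_host_header", "headers"))
    if len(req.path) > MAX_PATH_LEN:
        findings.append(("path_too_long", "path"))
    return findings

def inspection_targets(req: Request) -> dict:
    """Split the request into the fields a WAF scores individually: the path,
    every query and form parameter, and every header."""
    targets = {"path": req.path}
    for name, value in urllib.parse.parse_qsl(req.query, keep_blank_values=True):
        targets[f"query:{name}"] = value
    for name, value in req.headers.items():
        targets[f"header:{name.lower()}"] = value
    ctype = next((v for k, v in req.headers.items() if k.lower() == "content-type"), "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in urllib.parse.parse_qsl(req.body, keep_blank_values=True):
            targets[f"body:{name}"] = value
    elif req.body:
        targets["body"] = req.body
    return targets

def inspect(req: Request, exclusions=DEFAULT_EXCLUSIONS) -> list:
    """Return every (rule, location) pair that fires; an empty list means clean."""
    findings = protocol_checks(req)
    for location, raw in inspection_targets(req).items():
        text = normalize(raw)
        for rule_name, pattern in RULES:
            if (rule_name, location) in exclusions:
                continue
            if pattern.search(text):
                findings.append((rule_name, location))
    return findings

def decide(req: Request) -> str:
    return "BLOCK" if inspect(req) else "ALLOW"

# Constructed sample traffic for the hypothetical shop.example site.
FORM = {"Host": "shop.example", "Content-Type": "application/x-www-form-urlencoded"}
BENIGN = Request("GET", "/products", "category=shoes&page=2", {"Host": "shop.example"})
XSS = Request("GET", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E", {"Host": "shop.example"})
DOUBLE_ENCODED_XSS = Request("GET", "/search", "q=%253Cscript%253Ealert(1)", {"Host": "shop.example"})
SQLI = Request("POST", "/login", "", FORM, "user=admin%27+OR+%271%27%3D%271&pass=x")
TRAVERSAL_COOKIE = Request("GET", "/profile", "", {"Host": "shop.example", "Cookie": "theme=../../../etc/passwd"})
MALFORMED = Request("TRACE", "/")
TUNED_COMMENT = Request("POST", "/comments", "", FORM, "comment=The+band+played+on+--+great+show")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("xss", XSS), ("double-encoded xss", DOUBLE_ENCODED_XSS),
                       ("sqli", SQLI), ("traversal in cookie", TRAVERSAL_COOKIE),
                       ("malformed", MALFORMED), ("tuned comment", TUNED_COMMENT)]:
        print(f"{label:20} {decide(req):5} {inspect(req)}")
```

Run it and the comment request is allowed only because of the exclusion; remove the exclusion and the same "--" that a real user typed becomes a block, which is exactly the tuning work the article alludes to when it says these systems take effort to configure correctly. Note that the normalization handles percent-encoding only; a production engine also handles HTML entities, Unicode and charset tricks, each of which is a known evasion if missed.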
By itself, a Web Application Firewall offers a good degree of protection, but it is when you combine it with other controls, such as network firewalls, endpoint protection and, above all, fixing the vulnerable code it shields, that you get the best coverage against the greatest number of threats. A WAF rule that blocks an exploit buys time for a patch; it does not make the underlying bug go away. More than ever, network administrators need to adopt a layered, holistic approach to security.
Cloud-Based Or Appliance?
There are essentially two types of Web Application Firewalls: cloud-based services and appliances. Cloud-based WAFs are hosted by the vendor. You point your site's DNS records at the provider, so that all requests to your website reach the provider's WAF first, where they are inspected before being forwarded to your actual origin server. One consequence is that the origin must be configured to accept traffic only from the provider's addresses; otherwise anyone who learns the origin's real IP address can connect to it directly and bypass the WAF entirely.
Appliance WAFs are hardware devices: specialized computers, typically headless (no screen or keyboard), that run a custom operating system and the Web Application Firewall software. They are installed in your data center, between your traditional firewall and your web servers, where they intercept the requests going to them.
Cloud-Based WAFs Pros And Cons
On the plus side, a cloud-based solution requires no hardware maintenance on your side; patching, rule updates, redundancy and high availability are handled by the vendor, who also typically takes care of backing up the configuration. Another advantage is that the WAF service can often be paired with other services from the same vendor. You could, for example, combine the content distribution, DDoS mitigation and WAF features of a single provider for a seamlessly integrated solution.
But cloud-based WAFs also have drawbacks. The most important is vendor lock-in: since all traffic to your website has to be redirected through the provider, it becomes natural to buy its CDN, DDoS mitigation and DNS services too, and moving away later means re-pointing DNS and re-creating every tuned rule elsewhere. You are also trusting the provider with your plaintext traffic, because it must terminate TLS to inspect requests. And the redirection is only as strong as your origin's configuration: if the origin server still answers requests that did not come through the provider, the WAF can be bypassed.
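Because the redirection to a cloud WAF is purely a DNS change, the origin server has to enforce on its own that every request actually came through the provider. The following is an added example, not code from the article or from any vendor, of the two checks an origin behind a cloud WAF needs: refuse connections whose TCP peer is not one of the WAF's egress addresses, and trust the forwarded client address only on those connections. The network ranges and the scenario addresses are constructed placeholders (documentation ranges); a real deployment substitutes the vendor's published list and keeps it current.

```python
import ipaddress
from typing import Optional

# Constructed placeholder networks standing in for the WAF vendor's published
# egress ranges. Every vendor publishes its own list; use that, never these.
WAF_EGRESS = [ipaddress.ip_network(n) for n in
              ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48")]

def from_waf(peer_ip: str, networks=WAF_EGRESS) -> bool:
    """True when the TCP peer is one of the WAF's egress addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)

def client_ip(peer_ip: str, headers: dict, networks=WAF_EGRESS) -> Optional[str]:
    """Return the address to log and rate-limit on, or None to refuse the request.

    A connection that did not come through the WAF is refused outright: once the
    origin's real address leaks (old DNS records, certificate transparency logs,
    outbound e-mail headers), anyone can connect to it directly and skip the WAF.
    X-Forwarded-For is trusted only on connections from the WAF, and only its last
    entry, which is the one the WAF appended; earlier entries are whatever the
    client chose to send and are attacker-controlled."""
    if not from_waf(peer_ip, networks):
        return None
    forwarded = headers.get("X-Forwarded-For", "")
    if not forwarded:
        return peer_ip
    candidate = forwarded.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # WAF sent something unparsable; fail closed rather than log garbage

if __name__ == "__main__":
    # Constructed scenarios: a direct-to-origin bypass attempt that carries a
    # forged forwarded header, then legitimate proxied traffic with a client that
    # tried to prepend a spoofed hop, then proxied traffic with no header at all.
    print(client_ip("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}))
    print(client_ip("198.51.100.7", {"X-Forwarded-For": "10.9.9.9, 192.0.2.44"}))
    print(client_ip("198.51.100.7", {}))
```

In practice the first check belongs in the network firewall or security group in front of the origin rather than in application code, but the logic is the same: an allow list of the provider's ranges and a default deny. Some providers additionally offer a per-customer header value or mutual TLS between the WAF and the origin; where available, use it, since IP ranges shared by all of a provider's customers are not a secret.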
WAF Appliances Pros And Cons
The main advantage of WAF appliances is that you keep everything in-house. It gives you complete control over every detail of your infrastructure. It also means that you’re free to choose different components from different vendors.
On the downside, using an appliance means that you have to maintain it: firmware and signature updates, capacity monitoring and, eventually, a hardware upgrade as your traffic grows. A hardware solution also means a much higher upfront cost, as all the equipment must be acquired from the start. Ultimately the choice is yours, but let your specific needs guide you rather than picking a deployment model first.
Our Top 5 Best Cloud-Based WAFs
We’ve compiled a list of the five best cloud-based Web Application Firewalls. They’re all from reputable suppliers and offer great value for your money. We can’t really recommend one over the others as they’re all excellent products.
1. Cloudflare WAF
Cloudflare has gained an excellent reputation for protecting web servers against DDoS attacks. Its service offering also features a Web Application Firewall. The service already has a huge customer base and, at the time of writing, its servers handle close to three million requests per second. If you visit Cloudflare’s website, you’ll see a running count of WAF rules triggered over the previous day; when we looked, it was over 400 million.
One of the primary benefits of using a cloud service with such a broad customer base is that you can benefit from intelligence acquired from other clients. For instance, if an attack attempt is detected at another client, a new signature will be created and applied to all clients. Another benefit of Cloudflare’s solution is that they also offer content delivery and DDoS protection.
2. Akamai Kona Site Defender
Akamai is the world leader in content delivery systems. Throughout the years, the company has added more functionalities to its offering. Kona Site Defender, as their WAF is called, is one of them. The Web Application Firewall integrates full DDoS protection. And of course, the WAF service can also easily be combined with other Akamai services such as the Content Delivery Network. Once your traffic is redirected to Akamai, you might as well take advantage of it and use as many services as you need.
Due to its size and client base, Akamai often discovers new exploits sooner than other vendors. As a Kona Site Defender user, you benefit from this competitive edge and effectively get a stronger protection with potentially better blockage of zero-day exploits.
3. F5 Silverline
F5 is often better known for its BIG-IP appliances than its cloud services. In a nutshell, F5 Silverline is the online version of the company’s excellent BIG-IP ASM appliance reviewed below. It is available as a managed service or as what F5 refers to as an express self-service to protect web applications and data from ever-evolving threats. Subscriptions can have a one year or three-year duration. 24-hour live support is included with the service.
One major advantage of this cloud-based service is that it can protect a distributed or cloud-hosted infrastructure. The protection includes layer 7 DDoS shielding and can block anonymizing sources such as Tor exit nodes. The service also uses a live, vendor-maintained blocklist of addresses known for phishing and web scraping. Since this list is shared by all customers, you benefit from intelligence gained from any other client.
4. Amazon Web Services WAF
Amazon Web Services, or AWS, is the cloud-computing arm of the well-known online retailer. It capitalizes on Amazon’s huge distributed infrastructure to offer hosting services. If you already host on AWS, AWS WAF is a natural fit. AWS also offers load balancing and a content delivery service, and those are the points where the WAF is attached.
The pricing model of AWS WAF is different from that of other vendors. Instead of paying a predefined sum each month, you are billed for each rule you add and for the number of web requests processed each month. The best thing about this is that you don’t pay up front for future growth, which also makes it attractive to organizations with seasonal peaks. The flip side of per-request billing is that a traffic spike, including an attack the WAF absorbs, raises the bill.
5. Imperva Incapsula
Imperva is another common name in the IT security field. The Incapsula cloud-based Web Application Firewall is Imperva’s managed service for protecting against application-layer attacks, including, according to the vendor, the OWASP Top 10 and zero-day threats. The service is PCI-certified and highly customizable. It is also highly effective and will block most threats with minimal false positives.
Incapsula is one of the cheapest cloud-based WAF solutions you can find. Plans start as low as $300 per month. One great feature of Incapsula is that, in addition to the “traditional” WAF, the system also scans your servers for known vulnerabilities and applies virtual patches, that is, WAF rules that block the exploit path until the application itself is fixed. You can, of course, schedule these patches to take effect at whatever time you choose to reduce the operational impact.
Our Top 5 Best WAF Appliances
Just like our top 5 cloud-based WAF solutions were all from well-known vendors, so is the case with our WAF appliances. They are from some of the most reputable security equipment vendors. And just like our previous list, this one has nothing but the best. Note that most vendors of WAF appliances also offer a cloud-based service.
1. Imperva SecureSphere
Imperva is one of the two vendors who made it into both of our lists. Its SecureSphere WAF line spans a wide range of installation sizes. The units vary in throughput from 100 Mbps to 10 Gbps, with the smallest able to process 440 SSL transactions per second and the largest some 9000. A mid-tier unit, the X2020, has a throughput of 500 Mbps, processes 2000 SSL transactions per second and will set you back some $4200.
If you pick one of the top-tier models, you’ll be glad to learn that they are upgradable to the next bigger model. For example, the X8510 can be upgraded to an X10K, effectively doubling its capacity. The upgrade only requires purchasing the appropriate software upgrade and license; no costly hardware replacement is required.
2. Barracuda Web Application Firewall
Barracuda is another well-respected name in the field of IT security. It proposes an excellent WAF solution which is perfectly suited to small and mid-sized organizations. The Barracuda appliances are somewhat more expensive than their competitors’, but they come with one year of free updates. Updates are released frequently, whenever a new threat is identified.
The Barracuda WAF appliance also has a few extra features. For instance, it offers caching for faster content delivery. Load balancing between multiple servers is another available feature. You can even add full DDoS protection. Like most other WAF appliances, the Barracuda WAF is available in several sizes. An average device like the Model 360 will cost you about $6350 and give you 25 Mbps of throughput and 2000 SSL transactions per second.
3. Citrix Netscaler Application Firewall
The Citrix NetScaler is an immensely popular load-balancing appliance. If you’re already using one, you’ll be glad to know that it can also serve as a Web Application Firewall. The functionality is only available on the top NetScaler MPX appliances or in the NetScaler Cloud Service. Furthermore, it is included only with the top-tier Platinum license, although it can also be bought as an add-on to the Enterprise license.
The biggest advantage of the NetScaler WAF is that you get state of the art load balancing and security in one box. This is a premium system and it comes at a premium price. You can expect to pay around $4000 for the smallest model, the MPX 5550 with a throughput of 500 Mbps and up to 1500 SSL transactions per second.
4. Fortinet FortiWeb
The FortiWeb appliance from Fortinet is better suited to small and mid-size organizations. The appliance integrates WAF, load balancing and SSL offloading. One of the best, and newest, features of the FortiWeb appliance is its two-stage machine-learning detection, which Fortinet says improves attack detection accuracy and comes close to a “set and forget” Web Application Firewall. As with any anomaly-based detection, expect a learning period during which the model profiles normal traffic, and review what it learned before switching it to blocking mode.
The FortiWeb appliance protects your infrastructure from the latest application vulnerabilities, bots and suspicious URLs. Its dual machine-learning detection engines cover threats such as SQL injection, cross-site scripting, buffer overflows, cookie poisoning, malicious sources and DDoS attacks. There are eight FortiWeb models to choose from, each with increasing capacity, ranging from the entry-level 100D at 25 Mbps to the top model, the 4000E, at 20 Gbps of throughput.
5. F5 BIG-IP Application Security Manager (ASM)
Last but not least is the F5 BIG-IP ASM appliance. You might know F5 as one of Citrix’s primary competitors; they’re well known for their top-notch load balancers. This is an appliance that targets larger businesses.
The F5 BIG-IP ASM uses deep threat analysis and dynamic learning, so there is little configuration to do and yet you can be assured that your infrastructure is adequately protected. Another interesting feature of the F5 BIG-IP ASM is SSL offloading: the device handles the TLS encryption and decryption on the fly, which is also what lets it inspect the traffic, allowing your web servers to concentrate on what they do best, serving web pages.
With so many products and services to choose from, picking the right WAF solution can turn out to be a challenge. They are expensive systems and they often require considerable effort, and training, to set up and tune correctly. This is probably not something you’ll want to do twice just to try different products. Make sure you precisely identify your needs and your growth projection, and chances are you’ll be in a better position to choose the WAF that suits you best.