Comparing the best Web application firewalls in the industry

Expert Brad Causey compares the best Web application firewalls on the market across three types of product types: cloud, integrated and appliance.

The vast majority of organizations will, at some point in their evolution, offer a Web application. Alternatively, a company may choose to use a Web application or resell another one as part of their business model. Either way, Web applications are often a part of business in the modern age, and as part of that, application security threats are an ever-present reality.

According to the 2015 Verizon Data Breach Investigations Report, cybercriminals are attacking Web applications more than any other threat actor. Even scarier, these bad guys are now using Web applications as a springboard to attack other companies: the businesses an organization partners and does business with as well as its customers. What this means is that even if a Web application doesn't contain sensitive data, it still pays to secure it using a Web application firewall.

Web application firewalls (WAFs) are defined on a number of criteria, and are implemented in one of three methods (appliance, cloud or integrated). Understanding a few basic ideas can go a long when determining which is the best Web application firewall for an organization.

Cloud implementations are great when the services a business wishes to protect are not hosted in a facility it controls. These are also great for a "minimal touch" implementation, because they basically only require a DNS change to start working. The traditional implementation of WAFs is still a great one, and that is by deploying an appliance on an organization's network, usually between its Web application and the users accessing it. Finally, an integrated WAF would live either within the application itself or on the IT infrastructure along with the application. In addition to implementation method, understanding how the WAF handles attacks, how it logs data, and how it is managed will go a long way toward helping an organization make its selection.

At this point, once an organization is aware of the business cases for deploying a WAF, the criteria for selecting one and has decided which the best Web application firewall implementation -- cloud/hybrid-based, integrated or appliance-based WAF -- is right for its Internet profile and IT infrastructure, it's time to pick a specific WAF product. This feature looks at the best Web application firewalls in the industry and compares features from market leaders within each of three WAF categories.

Appliance-based WAFs include: F5's BIG-IP ASM, Imperva's SecureSphere, Barracuda's WAF, the Citrix NetScaler MPX WAF and Dell's Sonicwall WAF. Qualys' WAF and Imperva's Incapsula are WAF products covered in the cloud/hybrid category, while the ModSecurity Web Application Firewall is the lone entry addressed in the rather unique code integrated product category.

Appliance-based Web application firewalls

Primarily, organizations choose to implement an appliance-based WAF because it provides direct control over the configuration and availability of the WAF device itself. They don't need to worry about connection issues with another data center, and they can make immediate changes to the device locally.

Appliance-based WAFs require organizations to make network configuration changes. Additionally, they'll need to have a solid network or security technical team on tap. Typically, they'll be placing this device in front of (also known as "in line with") their Web infrastructure. This means it will need to keep up with whatever traffic and protocol requirements they have. Traffic requirements are usually measured in connections or the volume of requests that will come in through the device, while protocol requirements are typically unique to how the application is accessed, such as over HTTPS or SFTP.

Because of this, it's important that organizations identify what those requirements are. Start by getting some statistics on peak traffic times. For many companies this is during early morning and late evening, especially for consumer/customer-facing types of applications. While organizations will be looking for a few specific metrics, two really stand out:

  • Throughput: This is the volume of data, usually in megabits per second (Mbps) that traverses the device. Measuring this metric will ensure an organization a box "large" enough to handle the traffic its site is receiving.
  • SSL/HTTP transactions: The number of transactions is important because it translates into how many "actions" a WAF appliance will be examining. This is directly related to the processing power of the machine, and is usually measured in transactions per second (TPS).

It is important to differentiate between HTTP and SSL transactions, which are basically a request made by the client, such as a GET or POST. That's because SSL transactions are typically more expensive (in how it uses hardware resources) to process. As a result, organizations will typically see a significant difference between their HTTP and SSL TPS.

Make sure to have these two metrics handy when evaluating the best Web application firewall appliance product for you.

First, let's take a look at the Netscaler MPX WAF, offered by Citrix. The Netscaler WAF models offer a wide range of throughput to choose from, with SSL throughput from 500 Mbps up to 75 Gbps. With the entry-level unit, the MPX 5550, organizations get a 1U appliance capable of handling 1500+ SSL transactions, with a throughput of over 500 Mbps. This is excellent performance, all at a reasonable price of $4,000. It's important to note, though, that this price doesn't include upgrades and support. That will cost organizations extra, and will vary based on the business's relationship with Citrix.

The MPX 5550 is ideal for a small to medium-sized business (SMBs) whose primary business relies on Web applications that might have larger request content. An example of this is a site hosting PDF or image files.

As a contender to the Netscaler, there is the Web Application Firewall by Barracuda. Like the Netscaler, there are various levels of hardware available to support a wide range of traffic volume needs. The entry-level competition to the Citrix MPX 5550 would be Barracuda's Model 360, which costs approximately $6,350. While more expensive than the Citrix model, this price does include one year of updates. Each additional year of updates is around $1,350.

The Model 360 handles around 2000 SSL transactions at about 25 Mbps. So while organizations get less throughput, they do get more transactions, which is great for a website with lightweight content but a high transaction rate. An example of this would be a mobile site or even a Representational State Transfer interface offered to customers to expedite processes. (These tend to be small, but frequent request/responses.)

Imperva's SecureSphere appliances come in many sizes, ranging from 10 Gbps throughput to 100 Mbps, with SSL transactions between 440 and 9,000. The X2010 model is comparable to other models with performance of 500 Mbps running alongside 2,200 secure transactions. With a cost of around $4,200, the X2010 can keep pace with others in its category, and really shines with a high transaction rate capability.

The F5 Big-IP ASM model 10200 is geared almost exclusively toward large enterprises, and while it costs much more than other appliance-based WAFs compared here, its performance is much higher as well. Coming in at a staggering 75,000 requests and nearly 5 Gbps of throughput, the F5 delivers much greater capacity than the other WAF products. It should be noted that the only testing and request information available was for HTTP transactions, not HTTPS (SSL). This appliance is ideal for very large companies whose Internet presence is extensive.

The final contender in this category is the Dell SonicWall SRA 4600 appliance, which is intended for small businesses with a small Web presence. In this case, though, the WAF is an application that installs on an existing SonicWall security appliance. When an organization purchases a license for the WAF, it becomes available on the device. Fortunately for budget- and resource-constrained smaller organizations, since the WAF feature is an add-on to existing SonicWall firewalls, the appliance can perform other duties as well. While those are outside the scope of this article, this makes the SonicWall a very good choice for small businesses.

Remember, however, the low cost of the WAF service ($1,750) requires that organization's purchase the SRA 4600 appliance separately. This may cost from $1,300 and up depending on what features are purchased.

Figure 1
A quick WAF appliance comparison

Cloud and hybrid Web application firewalls

Cloud-based WAFs are unique in that the infrastructure is either shared between an organization and WAF provider (in the case of hybrid WAFs), or the WAF exists completely outside of an organization's network infrastructure (in the case of pure cloud WAFs). Total WAF cloud services are ideal if an organization wants to add distributed denial-of-service (DDoS) protection or if it doesn't want to make changes to its network infrastructure. Hybrid solutions are great for distributed environments (such as multiple business locations) or when virtual deployments make sense for an organization.

There are two vendors that rise to the top in the cloud/hybrid WAF space, and despite them both being based in some way in the cloud, they are really each in a category all their own. On the pure cloud side, there is Incapsula's industry-leading WAF service, while a WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach.

Incapsula offers a WAF product that is purely a cloud-based implementation, with a 24/7 security operations center and 25 data centers across the world. This is important for a cloud-based WAF service, as the product must be available at all times. If the WAF goes down, so does an organization's business. In addition to traditional WAF functionality, Incapsula offers -- at no additional charge -- DDoS protection, back door detection and a host of other added security features.

Pricing starts out at $300 a month for the most basic business service, but can scale up exponentially based on volume needs and number of sites supported. The higher organizations go up in the pricing model, the more advanced the levels of service they receive. Where a basic plan might give them a management portal and the ability to make basic changes to the service, a full enterprise plan provides access to an Incapusla security operations analyst and an interface to build custom rules. This is important if a company does not have the in-house skill to write rules and make changes to a WAF's configuration.

The benefit to an all-cloud WAF product, as opposed to both appliance and hybrid WAF, is that organizations don't need to worry about adding hardware or making network changes should their WAF needs change -- for instance, the addition of new websites to protect or new locations around the world.

For businesses considering going the hybrid WAF route, Qualys' WAF actually takes the benefit of cloud from an interface and management perspective, but allows organizations to install the WAF locally as a virtual appliance. This means that scaling up is a non-issue, and solely depends on the enterprise's hardware infrastructure. Scaling out is also simple; with the addition of a new set of virtual machines (VMs) organizations can increase their capacity exponentially. The term "set" refers specifically to the fact that Qualys deploys VMs in pairs for the purposes of high availability. This means that even if one goes down, the other will take over, effectively creating a highly available virtual cluster.

Pricing with Qualys is based on an annual subscription model with Lite and Express service levels starting at $1,995 for organizations with fewer than 100 applications to secure. An Enterprise level starts at $9,995, with a volume model that provides protection of additional applications at less than $1,495 each.

Cloud-based WAF products are ideal for organizations that might not have the infrastructure to deploy an appliance, or the developer/administrative skills to install an integrated WAF. Pure cloud WAF services are fantastic for companies that offer cloud-based products and services, because they require zero hardware to install or maintain, while hybrid products are great for rapid deployment and highly virtualized companies.

Code integrated Web application firewalls

ModSecurity is a WAF in a class by itself, being the only enterprise-level toolkit-style WAF out in front of the Web application security community. This means its deployment options are limitless and well-suited for any size homegrown Web application.

Supported by Trustwave, but open source, ModSecurity offers a tremendous amount of flexibility and scalability for an organization that has the skill to deploy it. ModSecurity can do nearly anything required from a WAF -- such as business logic rules, in addition to highly unique applications such as service buses -- but requires a decent amount of in-house or contract security expertise. This is primarily because the application may need code changes for the WAF to operate properly.

Even though the product itself is open source, Trustwave offers enhanced rules --basically as-the-threat-appears rules, instead of waiting for them from the community -- as part of a subscription. An organization would want these enhanced rules because they help ensure it has the best rule sets available to protect them from new and existing threats.

A single license of commercial rules starts at $495 and gets cheaper if organizations buy more licenses (in the case of more applications to protect) or longer subscriptions (committing to use the product longer). Trustwave also offers consulting, installation and support for an additional charge.

Finding the best Web application firewall for your organization

Looking at the best Web application firewalls in the market today, there are so many types available that a company is pretty much guaranteed to find a WAF product or service that fits its needs.

With traditional WAF appliance offerings available at various performance and price levels, an organization will have ample options for its inline and on-site needs. Well-established companies of all sizes rely on appliance products because of their reliability and local control. Large companies should look toward the F5, Citrix and Imperva offerings, while medium businesses might be more inclined to consider the Citrix, Imperva and Barracuda products. Dell's solution also makes perfect sense for very small to medium-sized businesses.

Companies offering cloud services, and even local content, will be well-suited to hybrid and cloud WAF offerings. Organizations that prefer not to make hardware and network changes locally can easily avoid those by using these types of WAF products. Incapsula's cloud WAF will suit nearly any size business, but the pricing is especially attractive for SMBs, while the hybrid Qualys WAF is ideal for a company with an existing virtualization infrastructure.

Finally, using the WAF ModSecurity, an organization with a high level of internal (or contract) skill will get unlimited options for custom configurations and deployments. Having a solid developer team in any size business will help a significant amount in setting up this very unique WAF product.

Overall, the products available in today's WAF market are well-suited for just about any size or type of company to protect its Web assets. Given the threat landscape in today's Wild West Internet, companies should look strongly at employing the best Web application firewall product for protecting their online assets.

Next Steps

In part 1 of this series, learn about the basics of Web application firewalls in the enterprise

In part 2 of this series, find out about the business cases for Web application firewalls

Part 3 of this series looks at the four questions to ask before buying a Web application firewall

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing