Top Ten Best Web Application Firewall (WAF) ProvidersAccording to industry reports, the average cost to US-based companies from a single data breach last year was $5.9 million. This includes the cost of remediation as well as damages related to lost data, service disruption and reputation tarnishing.
Now that more and more enterprises run their business applications and maintain their sensitive data in the cloud, websites and web applications have become primary targets of sophisticated cyber attacks.
Web Application Firewalls (WAF) are designed to secure internal and public web applications and data, so businesses can avoid costly data breaches and downtime. Deployed in front of web servers, WAFs are used to protect against hacking attempts, monitor access to applications, and collect access logs for compliance/auditing and analytics.
WAFs are used to detect and block carefully crafted threats that mimic legitimate website traffic in order to slip through traditional defenses. They are effective in blocking threats (e.g., SQL injection, cross-site scripting and remote file inclusion) that exploit vulnerabilities in web applications, thwarting attacks such as site scraping and comment spam, and stopping application-layer DDoS attacks carried out by malicious botnets.
In addition, WAFs identify and patch "self-inflicted" vulnerabilities in enterprises' homegrown web applications, as well as helping e-commerce merchants comply with PCI-DSS requirements.
Originally deployed as physical appliances in the enterprise data center, today WAFs are also available as virtual appliances, cloud-based services (usually integrated with a CDN) or as a dedicated module within Application Delivery Controllers.
The WAF market is growing quickly, with a broad range of products offering different levels of security capabilities. Choosing the right product depends on your company's business priorities, requirements and budget.
To help you get started, here is a list of the ten best commercial Web Application Firewalls.
The Citrix NetScaler AppFirewall is an appliance-based WAF that helps enterprises secure their applications and data without impairing performance or user experience. The appliance is deployed in front of your web server and monitors all incoming and outgoing traffic (including SSL-encrypted traffic). NetScaler AppFirewall enforces both positive and negative security models to ensure correct application behavior, allowing it to deliver zero-day protection against unpublished exploits. Automatically updated signatures are also used to detect known vulnerabilities and threats. NetScaler AppFirewall ensures PCI-DSS compliance through a dedicated reporting tool.Visit Website
CloudFlare's PCI-certified, cloud-based WAF runs the OWASP ModSecurity Core Rule Set, in conjunction with its own rules, heuristics and reputation database. There is also an option to write custom security rules (depending on your service plan). CloudFlare's WAF inspects application traffic before it arrives at your web server, applies rules to identify Malicious visitors, and blocks or challenges those visitors based on the pre-defined rule action. The WAF protects against common web threats such as SQL injection, comment spam, excessive bot crawling and application-layer DDoS attacks.Visit Website
For two years running, Imperva has been positioned as the only leader in the Gartner Magic Quadrant for Web Application Firewalls. Its PCI-compliant SecureSphere WAF appliance protects business-critical enterprise applications and data from any type of web threat, including application-layer DDoS attacks. Imperva uses dynamic application profiling to "learn" application behavior, ensuring the lowest false-positive rate in the industry.
What makes Imperva unique is that it also offers its best-of-breed web application security technology as a cloud-based service. Known as Imperva Incapsula, this simple-to-deploy service is well-suited for enterprises and SMBs alike, offering the same enterprise-grade security as Imperva SecureSphere at an affordable price point.
Barracuda Web Application Firewall (WAF) protects websites and applications against data breaches and defacements. It uses heuristic fingerprinting and IP reputation techniques to distinguish legitimate users from botnets, enabling it to block application layer DDoS traffic. Barracuda also includes strong authentication and access control capabilities to secure access to sensitive applications or data, while virtual patching protects applications from zero-day threats. Available as a hardware or virtual appliance, Barracuda can be deployed on-premise, in private cloud, or third-party cloud environments such as AWS or Microsoft Azure.
Trustwave offers a physical or virtual on-premise Web Application Firewall appliance that can be deployed in both in-line or out-of-line modes. Using threat intelligence from its SpiderLabs® security team and multiple detection engines, Trustwave delivers advanced protection against application vulnerabilities and emerging threats, including the OWASP top ten. It allows enterprises to monitor applications, detect and prevent threats, mitigate data risk, and address PCI compliance requirements. Trustwave offers virtual patching to protect vulnerable applications from attack without having to wait for the next release.
Radware's AppWall WAF solution is offered as a physical or virtual appliance for on-premise deployment. It protects web applications and helps enterprises comply with PCI requirements by mitigating web application security threats and zero-day attacks while detecting and blocking vulnerability exploits. AppWall gives you full coverage against injections, cross-site scripting, cross-site request forgery and other OWASP top 10 threats, while helping to protect against leaks and manipulation of sensitive data. Proprietary technology is used to automatically generate and maintain enterprise network security policies and create granular protection rules.
The Sucuri Website Firewall is a cloud-based WAF designed primarily for smaller customers, such as bloggers, e-commerce sites, and other business customers, that need to protect a single website. Sucuri serves as a proxy between your website and the rest of the web, filtering out malicious attacks and traffic and sending only legitimate traffic to your website. Using a proprietary approach to application profiling, malicious URL filtering, and anomaly detection, Sucuri protects your site from hacking attempts, vulnerabilities, and possible blacklisting by search engines.
Switched from Incapsula after hackers found ways to bypass their WAF and hack my site. It never happened again since the switch to Sucuri.
DotDefender is a WAF software solution that is installed directly on your IIS and Apache servers across private, cloud, and VPS environments. It protects websites and web applications from known and unknown attacks, denial of service, hacking attempts, and data loss. DotDefender monitors all incoming and outgoing application traffic, using pattern recognition to detect zero-day exploits and session protection to help avoid impersonation. Signature-based techniques are used to block known attacks and vulnerabilities. To ease installation, DotDefender comes with built-in security rules that don't require configuration.
Akamai's Kona Site Defender is an enterprise-focused cloud security service that protects websites against vulnerabilities and attacks. It also mitigates application-layer DDoS attacks using rate controls. The Kona Web Application Firewall (WAF) identifies and blocks application-layer attacks in HTTP and HTTPS traffic, such as SQL injections and cross-site scripting (XSS). With the help of Akamai's Professional Services team, enterprises can create custom security rules tailored to their policies and use cases. High performance, even under attack, is assured through the use of Akamai's global distributed network.
Solid product offering that ties multiple options to improve a company's security posture.
F5's BIG-IP Application Security Manager (ASM) is an enterprise-grade WAF appliance deployed in the data center. BIG-IP ASM allows organizations to protect web applications from OWASP top 10 risks, zero-day attacks, and vulnerabilities. F5 also offers a cloud-based WAF service, known as Silverline, which protects applications hosted in a private cloud, public cloud, or physical data center.
Silverline features the same security capabilities as BIG-IP ASM, such as detection of malicious bots, application-layer DDoS protection, and data leakage prevention. It is supported by F5's security team.
HaltDos offers Web Application Firewall (WAF) and DDoS Protection on a single platform. It is a fully managed solution that uses state-of-the-art anomaly detection techniques to block application layer attacks with zero false positives. It protects your website from common and zero-day web exploits that affect application availability, compromise security, or consume application server resources. Additionally, it periodically audits your website to provide comprehensive security.
Indusface Total Application Security is the industry's first truly integrated web application security and compliance solution. It helps organizations detect application layer vulnerabilities accurately and patch them instantly without any change in code. Additionally, it continuously monitors for emerging threats and DDoS attacks to mitigate them.