Fastly WAF is a hybrid SaaS solution powered by Signal Sciences. With innovative features like context-based detection through SmartParse, it significantly reduces false positives.
Fastly states on its website that over 90% of its WAAP deployments are configured in blocking mode, an achievement matched only by AppTrana and Imperva within the WAAP market.
Network Learning Exchange (NLX)
NLX adeptly identifies emerging attack patterns throughout Fastly’s client network, providing timely notifications that strengthen the security of web applications and APIs.
Utilizing anonymized data collected from a diverse network of distributed software agents, NLX introduces an exceptional IP reputation feed. This data serves to identify well-documented malicious activities.
SmartParse
Fastly’s SmartParse technology is a unique solution that evaluates the context and execution of each request to detect potentially malicious or unusual data payloads.
Notably, SmartParse stands out by not depending on traditional signatures to identify malicious web requests. Its thorough lexical analysis approach leads to a substantial reduction in false positives.
Hybrid Deployment
If your environment encompasses a mix of infrastructure and technology, Fastly's wide array of deployment choices eliminates the need for piecemeal solutions and ensures that no applications or APIs are left unprotected. You can deploy the WAF across all of these scenarios while maintaining centralized management and holistic visibility.
It guarantees the security of your applications, regardless of their location, whether on-premises, within containers, in the cloud, or at the edge.
DevOps and Security Toolchain Integrations
Fastly is renowned for its extensive range of integrations, spanning SIEM tools, Slack, DevOps software, and more. These out-of-the-box integrations make it easier for teams to adapt to modern development methodologies and architecture with minimal effort.
Limited Rate Limiting Controls
Fastly offers relatively limited customization options for addressing DDoS attacks through rate limiting. The advanced rate-limiting rules are reserved for ultimate plan users.
AppTrana excels in rate limiting, using behavioural analysis of historical traffic data to automatically enforce rate limits across various parameters, including IP, Geolocation, URI, and host.
Managed Service
While virtual patching is accessible through SmartParse and Templated Rules, application-specific virtual patching necessitates using managed services.
Managed services are not available as options for the starter and advantage plans. If you require a managed WAF that aids with virtual patching, DDoS monitoring, latency monitoring, and custom workflow-driven bot rules, your only choice is the ultimate plan.
Support
Phone and chat support is exclusively accessible with the ultimate plan. Moreover, general inquiries benefit from 24/7/365 support only during business hours in San Francisco, London, or Tokyo.
Discover our in-depth guide, offering a thorough assessment of the features, benefits, and limitations of the leading 17 WAAP providers in today’s market.
WAF Feature | Fastly | AppTrana | Cloudflare | Imperva | AWS WAF | Akamai |
Gartner Peer Insights Rating | 4.9 | 4.9 | 4.5 | 4.7 | 4.4 | 4.7 |
Gartner Peer Insights Customer Recommendation Rating | 97% | 100% | 93% | 92% | 90% | 88% |
DDoS Monitoring | Ultimate Plan only | Starts at $399 | Enterprise Only | Add-On | $3000 per month | Add-On |
Virtual Patching | Ultimate Plan only | Starts at $99 | Enterprise Only | Add-On | – | Add-On |
Payload Inspection Size | Unknown | 134MB | 128KB | Unknown | 64KB | Starts: 8KB; Max: 128KB |
NTLM Support | Unknown | Yes | No | Unknown | No | No |
Bot Protection | Yes, but unsure whether it is bundled in all plans | Yes | Yes | Not available in Essentials; Add-On in Professional; Bundled in Enterprise Plan | Basic | Add-On |
Response Timeout | Default: 60 seconds; Max: 300 seconds | Default: 300 seconds; Max: 300 seconds | Default: 100 seconds; Enterprise: 6000 seconds | Default: 360 seconds; Max: Unknown | Default: 30 seconds; Max: 300 seconds | Default: 120 seconds; Max: 599 seconds |
Managed Services | Ultimate Plan only | Starts at $399 | Enterprise only | Add-On | Only through SI partnerships | Add-On |
DAST Scanner | Not Available | Bundled in all plans | Not Available | Not Available | Not Available | Not Available |
Asset Monitoring | Not Available | Bundled in all plans | Not Available | Not Available | Not Available | Not Available |
Penetration Testing | Not Available | Bundled in the $399 plan | Not Available | Not Available | Not Available | Not Available |
API discovery | Available | Available | Available | Available as an Add-On | Not Available | Available |
API Security | Available | Available | Available | Available | Basic capabilities through API Gateway | Available |
API Scanning | Not Available | Bundled in the $399 plan | Not Available | Not Available | Not Available | Not Available |
API Pen Testing | Not Available | Bundled in the $399 plan | Not Available | Not Available | Not Available | Not Available |
Workflow-based bot mitigation | Ultimate Plan only | Starts at $399 | Enterprise only | Add-On | Only through SI partnerships | Add-On |
Origin Protection | Add-on | Bundled in all plans | Limited | Not Available | Available | Add-on |
AppTrana sets itself apart by adopting a ‘risk-based’ approach to WAF. This unique approach begins with an initial scan of applications and APIs using the built-in DAST scanner to pinpoint vulnerabilities.
Subsequently, the rule set is fine-tuned to ensure the complete elimination of false positives. It’s likely the only WAAP that commits to a ZERO false-positive guarantee.
AppTrana offers a comprehensive suite of solutions encompassing DAST scanning, API Discovery, API Security, DDoS Mitigation, Bot Protection, and CDN.
Here are the most important features of AppTrana:
Real Protection, no False Positives
AppTrana WAF places all onboarded applications in block mode, a 100% block-mode rate. Various studies indicate that, on average, only 53% of WAFs are run in block mode, often because of concerns about false positives and application-breaking misconfigurations.
With AppTrana, every application brought on board benefits from a dedicated solution engineering team overseeing the deployment, ensuring that false positives and misconfigurations are effectively mitigated during the critical first 14 days.
Furthermore, post-deployment, AppTrana offers ongoing false positive monitoring as a valuable service.
Asset Discovery
The most significant risk lies in the unknown, particularly orphaned applications that were launched by business divisions and are no longer in use. Attackers can exploit such applications, discover backdoors, and potentially disrupt your organization.
The asset discovery feature helps you find and keep track of all your public-facing assets like websites, APIs, and mobile apps, along with their details like IP addresses and sub-domains.
This makes it easier to protect important apps that didn’t have protection before and eliminate any old assets you don’t need anymore.
Virtual Patching
The managed services team takes the lead in automatically applying patches for all zero-day vulnerabilities.
An outstanding example of its effectiveness is how the Log4J vulnerability was immediately resolved for all impacted customers within 24 hours.
Through the seamless integration of an embedded DAST Scanner and manual penetration testing, the managed security team can efficiently leverage scan results to deploy precise virtual patches for identified vulnerabilities promptly.
Managed Security Service
With the aid of third-party threat intelligence and an ongoing commitment to security research, the Indusface team possesses extensive insights into threat actors.
The team stands out in its ability to fine-tune scans, validate, and prioritize vulnerability findings, and deliver actionable reports without false positives.
Additionally, AppTrana ensures that customers, including those on the $99 plan, can access round-the-clock support through phone, email, and chat in the event of security incidents.
Here are potential areas for improvement within AppTrana:
No Option for On-premise WAAP
While AppTrana provides the benefits of cloud-based security, including dynamic scalability and centralized management, it may not align with the inclination of enterprises that prefer to maintain their security infrastructure only within their own premises.
Legacy API Support
AppTrana’s API security measures do not extend to older API standards such as SOAP and WebSocket.
The Cloudflare WAF plays a crucial role in defending websites and applications against online threats. It serves as a protective barrier positioned between web servers and potential attackers, thoroughly inspecting incoming web traffic, and eliminating any malicious requests or attacks.
Here are the benefits of choosing Cloudflare as a Fastly alternative:
Comprehensive Bundle for SaaS Start-ups
Cloudflare presents an attractive package that includes SSL certificate management, support for vanity domains, and powerful security solutions for DDoS, WAF, and API protection. This comprehensive offering positions Cloudflare as an excellent choice for SaaS start-ups.
While the enterprise plan may come with a significant cost, the flexible pricing models available in the Free, Pro, and Business plans are especially beneficial for start-ups and growing businesses. These pricing options can easily scale alongside their evolving business requirements.
DDoS Mitigation
Cloudflare provides robust and highly efficient DDoS protection solutions. Leveraging their impressive network capabilities, extensive global presence, and a track record of successfully mitigating large-scale attacks, they offer an exceptional defense against DDoS attacks.
Cloudflare’s expansive network, with 209 Tbps of capacity across 300 cities in 100 countries, enables it to stop significant threats effectively.
Like AppTrana, Cloudflare offers an adaptive DDoS mitigation solution that can dynamically adapt to changes in user behaviour patterns. This feature proves especially valuable when web traffic experiences fluctuations driven by the evolving demands of the business.
API Security
Like AppTrana, Cloudflare delivers more comprehensive API protection, including API discovery functionality.
Furthermore, Cloudflare boasts broader support for various API protocols, encompassing REST, JSON, and others.
Here are a few limitations of Cloudflare WAF:
False Positive
Cloudflare, despite its world-class threat intelligence, must formulate broad rules to secure an expansive network hosting hundreds of thousands of applications, which occasionally results in false positives.
Virtual Patching as a Service
Development teams adhere to agile methodologies, which can heighten the likelihood of new vulnerabilities entering the code.
To mitigate these risks, applying virtual patches via the WAF becomes essential. This process involves conducting vulnerability scans with a DAST scanner, filtering out false positives, and forwarding the real vulnerabilities to Cloudflare for virtual patching.
Like Fastly, this capability is exclusively available with Cloudflare’s enterprise plan. When searching for Fastly alternatives, especially driven by the requirement for a managed service, Cloudflare may not stand out as the ideal choice.
Like Fastly, Imperva asserts the significance of deploying WAAP in block mode and claims that 90% of applications are already deployed in full block mode.
Advantages of using Imperva WAF:
Hybrid Deployment
Do you have diverse infrastructure and technologies in your environment? Its diverse deployment options eliminate the need to patch together various WAF solutions.
Imperva WAF guarantees the security of your applications, regardless of their location, whether on-premises or in the cloud.
RASP
Imperva is a notable player among the limited number of WAAP solution providers that integrate RASP (Runtime Application Self-Protection). RASP equips SOC teams to make faster and more well-informed decisions, considerably cutting down on investigation time.
While managing RASP can present certain difficulties, its value becomes apparent in mitigating false positives, especially in settings where the application environment remains relatively stable and standardized across the organization.
Limitations of Imperva WAF:
Managed Services is an Add-On
To utilize a managed WAF, you must choose managed services as an add-on.
With respect to a managed WAF, AppTrana excels in providing DDoS monitoring, virtual patches, and extensive false-positive testing, all included within the $399 package.
No Bundled VAPT
Combining an integrated vulnerability scanner with penetration testing can provide a complete assurance of threat detection, reaching a 100% confidence level.
Imperva WAF does not include a built-in VAPT package. Consequently, for DAST scanning and compliance reports, it is necessary to engage separate VAPT providers.
AWS WAF is a cloud security service offered by Amazon Web Services (AWS). Due to AWS’s prominent position in the public cloud industry, AWS WAF is a favored option for organizations already utilizing AWS services.
Regulatory Compliance
With availability in more than 25 regions worldwide, AWS offers a seamless solution for aligning with your data privacy requirements, making AWS WAF an ideal choice. This ease of compliance is particularly beneficial for SMBs aiming to deploy a WAF and meet regulatory standards promptly and efficiently.
Flexibility in Rules
Within AWS, there exists a thriving partner ecosystem where leading WAF providers, including F5 and Fortinet, offer rulesets designed to shield against OWASP vulnerabilities and related threats.
These rulesets deliver an elevated level of protection beyond the default AWS rulesets. Although there is a nominal subscription fee for using these rulesets, you’ll also incur charges based on the volume of traffic inspected using them.
This approach mitigates the limitation in AWS’s threat intelligence capabilities. Nevertheless, it’s important to recognize that this strategy primarily addresses known vulnerabilities, making it challenging to protect against zero-day and unidentified vulnerabilities through AWS’s self-service framework.
Now, coming to the cons of using AWS WAF:
AWS Shield Advanced is Expensive
AWS Shield Advanced comes with a fixed monthly cost of $3,000 and is a managed DDoS protection service. For those seeking robust DDoS protection at a more cost-effective rate, both Cloudflare and AppTrana offer unmetered DDoS protection solutions.
Notably, Cloudflare provides unmetered DDoS protection as an add-on feature, charging just $0.05 for every 10,000 requests. In contrast, AppTrana integrates unmetered DDoS protection into all of its plans, eliminating the need for any extra charges.
API Security
Given the escalating scale and complexity of API attacks, it becomes vital to prioritize API security when exploring alternatives to Fastly WAF.
In the context of AWS WAF, the array of API security solutions is constrained, offering only fundamental rate-limiting capabilities through the API gateway. Advanced features like API discovery are currently not part of the available offerings.
Akamai is one of the pioneering WAF products, maintaining its vital role in today’s WAAP market.
By integrating a range of security technologies, encompassing WAF, bot mitigation, API security, and DDoS protection, Akamai’s App & API Protector presents an all-encompassing, unified solution.
Discover some of the advantages of choosing Akamai WAF:
Prolexic
Prolexic, the cloud-based DDoS protection platform offered by Akamai, serves as a robust defense mechanism against potential attacks. It takes proactive measures to intercept threats before they can target applications, data centers, or internet-facing infrastructure.
This platform delivers proactive mitigation, expertly managed by Akamai’s 24/7 global SOCC, ensuring customers benefit from an unmatched 100% uptime SLA.
Page Integrity Manager
As the volume of web traffic from mobile devices continues to rise, in-app browsers have gained significant prominence in the traffic landscape.
Akamai’s Page Integrity Manager treats injected scripts just like any other script, giving customers the capability not only to monitor these scripts but, more importantly, to implement protective measures that block potentially malicious behaviour.
Managed Service
Akamai’s Managed Security Service is precisely tailored to suit the specific requirements of your business, delivering a comprehensive solution. It encompasses a wide range of services underpinned by Akamai’s extensive industry knowledge and adherence to best practices. The services cover:
Here are some limitations of using Akamai WAF:
Pricing
Even within the premium segment of the market, Akamai tends to be pricier than most of the other WAAP providers. If your budget allows for Akamai, particularly when paired with managed services, it undeniably delivers exceptional performance.
False Positive
Managing false positives can be a demanding task with Akamai. This challenge becomes particularly evident when your organization lacks certified in-house security engineers or has not opted for the managed services add-on.
Verdict
AppTrana stands out as an excellent option for teams that lack in-house security expertise and seek robust managed services for WAF support.
AppTrana excels as the most comprehensive WAAP solution, with Akamai and Cloudflare providing strong features in their own right, but with certain limitations.
Take action by initiating a trial to assess the performance of the WAFs with your specific application.
The post Top 5 Fastly WAF Alternatives in 2023 appeared first on Indusface.
*** This is a Security Bloggers Network syndicated blog from Indusface authored by Vivek Gopalan. Read the original post at: https://www.indusface.com/blog/fastly-waf-alternatives/