Below is a side by side comparison of 5 of the top edge security players in the market as of February 2016. While Akamai has lead the pack for quite some time, some of the smaller security focused startups like CloudFlare and Incapsula are gaining ground fast, and some of the more established CDN players like Amazon and Verizon have entered the ring with security offerings of their own.
|Layer 3 & 4 DDoS Protection||Yes||Yes||Yes||Yes||Yes|
|Slow DDoS Attacks||Yes||No||No||Yes||Yes|
|Web Application Firewall||Yes||Yes||Yes||Yes||Yes|
|WAF Technology||OWASP + proprietary||OWASP + Trustwave||Proprietary||Proprietary||Proprietary|
|IP Reputation Database||Yes||Yes||No||Yes||Yes|
|Built-in Attack Signatures||Yes||Yes||No||Yes||Yes|
CloudFlare has quickly become a world leading security company due to their strong feature offering, simple and transparent pricing, and easy to use interface. And while there are many advantages to using CloudFlare, there are some disadvantages as well.
The primary downside of CloudFlare is you do not get the granular level of control over your security policies that you get with some other providers. For example, they claim their web application firewall will mitigate 90% of layer 7 attacks automatically with no user involvement. This is great in that it allows any sized company to protect their site without needing their own team of security experts, but they are essentially saying 10% of malicious traffic will get through.
In the case bad traffic does get through, the customer can engage a more restrictive “I’m Under Attack” Mode, which adds additional layers of protection, but also degrades performance of the website significantly and will likely block legitimate traffic from accessing the site as well.
This type of setup will work just fine for many small and medium businesses, but for those who want more control over their website security, there may be better options.
Akamai is the largest CDN on the planet and in recent years has also become the leader in cloud security primarily due to the massive reach and scale of the Akamai Intelligent Platform. Akamai’s security offering consists of multiple layers of protection. First, the KONA product suite includes KONA DDoS Defender for layer 3 & 4 protection and KONA Site Defender for layer 7. Their web application firewall leverages ModSecurity OWASP, which is a widely used open source rule set. They also have a significant amount of propriety security features and proactively push out new rules as new threats are detected. This all comes bundled with some of the best analytics on the market.
One of the main advantages of using Akamai is the sheer scale of their network. As one of the world’s largest Internet companies, they have over 2,000 points of presence globally and can handle attacks of any size. They also acquired Prolexic years ago to add a layer of DDoS scrubbing centers to their offering (although it is still not fully integrated into their platform).
The biggest downside of using Akamai (for some companies) is ease of use. Akamai is, for the most part, a managed service that often requires professional services engagements to configure and maintain. Adding new security rules can take hours or days to complete, which can be a serious problem if you’re being attacked. That said, many large enterprises prefer this hands-off approach as they often do not have the security expertise needed to do this on their own.
Amazon Web Services
Amazon’s security offering is brand new and at this stage is fairly primitive, as can be seen from the table above. While the Cloudfront CDN is one of the larger networks on the market and has the capacity to handle large DDoS attacks, the application layer security is somewhat lacking. The AWS WAF provides very little built in functionality to protect against known attacks, and does not have any advanced features like an IP reputation database, anomaly scoring, bot mitigation, or rate limiting. For companies looking to utilize this WAF (existing AWS customers for the most part) you will need to configure all your security rules on your own.
The main advantage of using this service is its seamless integration with the AWS platform, which is the largest cloud computing platform in the world. The service is also relatively low cost in comparison to a service like Akamai KONA.
Verizon Digital Media Services, formerly EdgeCast Networks, officially entered the cloud security space with their own WAF product in 2014. The CDN has always offered network layer DDoS protection to all customers at no added cost, and the web application firewall then added layer 7 protection to their DEFEND security offering.
The Verizon WAF is built with the Modsecurity OWASP and Trustwave rule sets which are both widely used and somewhat industry standard. This gives customers a large number of existing security rules to choose from, alongside an IP reputation database and some other advanced features. The service currently does not offer bot mitigation and just recently added rate limiting.
The Verizon WAF is intended to compete with Akamai, but in a more self-serve and real-time fashion. Customers can configure and manage the WAF on their own without the help of professional services and new rules can be deployed to the network in as little as 5 minutes.
The main downside of Verizon’s security offering is that it can be somewhat difficult to setup in comparison to a CloudFlare, and the costs are higher than some of their competitors.
Incapsula is one of the fastest growing players in the cloud security space, taking a page out of CloudFlare’s book and making security simple and accessible to anyone. The Incapsula security offering is full featured and built from the ground up without using any existing rule sets like ModSecurity. They claim their proprietary technology performs better than open-source technologies like OWASP, although this is hard to substantiate.
The Incapsula offering is built on top of their global CDN which consists of 28 data centers and 2Tbps of network capacity. Each POP supports DDoS scrubbing, WAF, bot protection, caching, and load balancing. Their proprietary web application firewall protects against layer 7 attacks of all types and includes many advanced features like bot mitigation, IP reputation database, rate limiting, and more. They also allow customers to configure and deploy their own security rules nearly in real-time, giving them more granular control over their security policy.
Overall, Incapsula has one of the most complete security offerings on the market today, but with pricing more in line with CloudFlare than with Akamai/Prolexic. This makes them a great choice for small and midsize companies who want enterprise grade security without enterprise pricing.