Stratusly


CDN Edge Security (WAF + DDoS) Review

February 2, 2016 By Stratusly

Below is a side-by-side comparison of 5 of the top edge security players in the market as of February 2016. While Akamai has led the pack for quite some time, some of the smaller security-focused startups like CloudFlare and Incapsula are gaining ground fast, and some of the more established CDN players like Amazon and Verizon have entered the ring with security offerings of their own.

| Feature | Akamai | Verizon | Amazon | CloudFlare | Incapsula |
|---|---|---|---|---|---|
| DNS | Yes | Yes | Yes | Yes | No |
| CDN | Yes | Yes | Yes | Yes | Yes |
| Network Capacity | 20Tbps | 13Tbps | Unknown | Unknown | 2Tbps |
| Layer 3 & 4 DDoS Protection | Yes | Yes | Yes | Yes | Yes |
| Slow DDoS Attacks | Yes | No | No | Yes | Yes |
| DDoS Scrubbing | Prolexic | No | No | No | Yes |
| Web Application Firewall | Yes | Yes | Yes | Yes | Yes |
| WAF Technology | OWASP + proprietary | OWASP + Trustwave | Proprietary | Proprietary | Proprietary |
| Origin Cloaking | Yes | Yes | Yes | Yes | Yes |
| SSL Support | Yes | Yes | Yes | Yes | Yes |
| PCI Compliance | Yes | Yes | Yes | Yes | Yes |
| IP Reputation Database | Yes | Yes | No | Yes | Yes |
| Built-in Attack Signatures | Yes | Yes | No | Yes | Yes |
| Geo blocking | Yes | Yes | No | Yes | Yes |
| Bot Mitigation | Yes | No | No | No | Yes |
| Anomaly Scoring | Yes | Yes | No | Yes | No |
| DNSSEC | Yes | Yes | No | Yes | No |
| Rate Limiting | Yes | Yes | No | Yes | Yes |

CloudFlare

CloudFlare has quickly become a world-leading security company due to their strong feature offering, simple and transparent pricing, and easy-to-use interface. And while there are many advantages to using CloudFlare, there are some disadvantages as well.

The primary downside of CloudFlare is that you do not get the granular level of control over your security policies that you get with some other providers. For example, they claim their web application firewall will mitigate 90% of layer 7 attacks automatically with no user involvement. This is great in that it allows a company of any size to protect their site without needing their own team of security experts, but they are essentially saying 10% of malicious traffic will get through.

If bad traffic does get through, the customer can engage a more restrictive “I’m Under Attack” Mode, which adds additional layers of protection, but also degrades performance of the website significantly and will likely block legitimate traffic from accessing the site as well.

This type of setup will work just fine for many small and medium businesses, but for those who want more control over their website security, there may be better options.

Akamai

Akamai is the largest CDN on the planet and in recent years has also become the leader in cloud security primarily due to the massive reach and scale of the Akamai Intelligent Platform. Akamai’s security offering consists of multiple layers of protection. First, the KONA product suite includes KONA DDoS Defender for layer 3 & 4 protection and KONA Site Defender for layer 7. Their web application firewall leverages ModSecurity OWASP, which is a widely used open source rule set. They also have a significant amount of proprietary security features and proactively push out new rules as new threats are detected. This all comes bundled with some of the best analytics on the market.

One of the main advantages of using Akamai is the sheer scale of their network. As one of the world’s largest Internet companies, they have over 2,000 points of presence globally and can handle attacks of any size. They also acquired Prolexic years ago to add a layer of DDoS scrubbing centers to their offering (although it is still not fully integrated into their platform).

The biggest downside of using Akamai (for some companies) is ease of use. Akamai is, for the most part, a managed service that often requires professional services engagements to configure and maintain. Adding new security rules can take hours or days to complete, which can be a serious problem if you’re being attacked. That said, many large enterprises prefer this hands-off approach as they often do not have the security expertise needed to do this on their own.

Amazon Web Services

Amazon’s security offering is brand new and at this stage is fairly primitive, as can be seen from the table above. While the CloudFront CDN is one of the larger networks on the market and has the capacity to handle large DDoS attacks, the application layer security is somewhat lacking. The AWS WAF provides very little built-in functionality to protect against known attacks, and does not have any advanced features like an IP reputation database, anomaly scoring, bot mitigation, or rate limiting. Companies looking to utilize this WAF (existing AWS customers for the most part) will need to configure all their security rules on their own.

The main advantage of using this service is its seamless integration with the AWS platform, which is the largest cloud computing platform in the world. The service is also relatively low cost in comparison to a service like Akamai KONA.

Verizon

Verizon Digital Media Services, formerly EdgeCast Networks, officially entered the cloud security space with their own WAF product in 2014. The CDN has always offered network layer DDoS protection to all customers at no added cost, and the web application firewall then added layer 7 protection to their DEFEND security offering.

The Verizon WAF is built with the ModSecurity OWASP and Trustwave rule sets, which are both widely used and somewhat industry standard. This gives customers a large number of existing security rules to choose from, alongside an IP reputation database and some other advanced features. The service currently does not offer bot mitigation and just recently added rate limiting.

The Verizon WAF is intended to compete with Akamai, but in a more self-serve and real-time fashion. Customers can configure and manage the WAF on their own without the help of professional services and new rules can be deployed to the network in as little as 5 minutes.

The main downside of Verizon’s security offering is that it can be somewhat difficult to set up in comparison to CloudFlare, and the costs are higher than some of their competitors.

Incapsula

Incapsula is one of the fastest growing players in the cloud security space, taking a page out of CloudFlare’s book and making security simple and accessible to anyone. The Incapsula security offering is full-featured and built from the ground up without using any existing rule sets like ModSecurity. They claim their proprietary technology performs better than open-source technologies like OWASP, although this is hard to substantiate.

The Incapsula offering is built on top of their global CDN, which consists of 28 data centers and 2Tbps of network capacity. Each POP supports DDoS scrubbing, WAF, bot protection, caching, and load balancing. Their proprietary web application firewall protects against layer 7 attacks of all types and includes many advanced features like bot mitigation, IP reputation database, rate limiting, and more. They also allow customers to configure and deploy their own security rules nearly in real-time, giving them more granular control over their security policy.

Overall, Incapsula has one of the most complete security offerings on the market today, but with pricing more in line with CloudFlare than with Akamai/Prolexic. This makes them a great choice for small and midsize companies who want enterprise-grade security without enterprise pricing.
