Advice From The Community

Read answers to top Web Application Firewall (WAF) questions. 431,024 professionals have gotten help from our community of experts.
Menachem D Pritzker
There are so many products in the market today. Who are we going to be talking about 3-5 years from now?
author avatarRony_Sklar
Community Manager

Would you mind elaborating on why you think Netscope and Zscaler are on the way up? What are they doing that sets them apart from other vendors?

author avatarStuart Berman
Real User

I doubt we will see a new firewall vendor, but I believe we will see new architectures that leverage the advanced capabilities of NGFW delivery through ISPs, think of it is a clean pipe for Internet access. The ISPs will use firewalls (virtualized and segmented by customers) to do the filtering before it hits your networks, just like we see with spam filtering.I also believe we will see more edge networking, 5G networking where the firewall function will be built into the network at the edge. We already are seeing early versions of the with things like Curiosity OS by Sprint working with Ericsson. I think they will easily add existing VM firewalls to their platform and not reinvent the wheel.

author avatarRony_Sklar
Community Manager

@Stuart Berman Interesting perspective. Thanks for sharing. Are there examples of companies working together like Ericsson and Sprint?

author avatarISRAEL DIAZ DOMINGUEZ
User

Those firewalls that allow extend the perimeter. Nowadays, there is a issue with the static perimeter and all is going to change in the next semesters. In my opinion, solutions like Netskope are offering this extended perimeter functionality and they could lead the market.

author avatarNehad Elkordi
Real User

Cisco Portfolio is focusing on total security inside and outside including cloud security,two factor authentication & SDWAN.
Forti Portfolio is focusing on total security too inside and outside including cloud security & two factor authentication.
both are working with Sandbox which is important for 0 day attack.
Therefore If R&D for both vendors will keep as they are today i think they'll be market leaders and away by far for the next 5 years 

author avatarRony_Sklar
Community Manager

@Nehad Elkordi Cisco and Fortinet are currently top players - are there other products that are less known that you think are going to compete with Cisco and Fortinet?

author avatarLipaz Hessel
Real User

Well with the SD-WAN raising it is common to see cloud firewall implementations, like ZScaler.
but as data center firewall, I don’t see any new player comes out unless it will come with a new surprising feature as the market have so many good vendors.

author avatarBrianCook
Reseller

I can think of 2 Firewalls that should be doing much better then they are, Kerio Control and ZyXEL ZyWall. Both have been around for a long time but have never gained the market share I feel they should have and I often find people have never heard of them. 

author avatarIan MacFarlane
Real User

Meraki / Fortinet / SonicWall

author avatarMukesh_Sharma
Real User

It,s totally depends on your security requirements.

Rony_Sklar
It seems that there is some overlap between these two types of solutions - how do Bot Managers and WAF differ? How can they work together to improve security?
author avatarMike Kajubi
User

What’s the Difference Between a WAF and Bot Blocking Solution?
The main difference between a WAF and a bot mitigation solution is that the focal point of a bot mitigation solution is to only target bots. A WAF is capable of targeting them as well but is more focused on protecting against a combined threat profile to prevent app exploitations and safeguard sensitive data.

So which is better? It depends. If a company’s security goal is to minimize the probability of account takeover, content scraping, or denial of service attacks, to name a few examples, a bot mitigation solution would be best. If the goal is to safeguard against internal app exploitations, such as SQL injections or session hijacking, a Web Application Firewall serves best. It all depends on the security objective a company has for their web application, and in many cases, both solutions are leveraged to build a stronger security perimeter.

author avatarOluwatosin Omojola
Real User

A Bot manager differs from a WAF in that it focuses on the management of Bots which comprises about 50% of web traffic today. A good bot manager should be able to differentiate between good and bad bots and perform relevant actions to prevent overwhelming a web application by bot activity ( even in advanced bot attacks ) WAF, on the other hand, manages a broader spectrum of threat activities which also includes bot detection. However, WAF is primarily designed to protect against the exploitation of web application vulnerabilities, like SQL injection, cross-site scripting, cross-site request forgery, and others. By this description, although WAF can do some level of bot filtering, it is not as deep and advanced as a dedicated bot manager. Both can definitely work together to enhance the security posture of an application. A bot manager can be positioned in front of a WAF to filter malicious bot traffic before reaching the WAF which protects the application from bad traffic processing.

author avatarreviewer1333173 (Technical Specialist - Network & Security at a tech services company with 201-500 employees)
Real User

I have prepared some details regarding Bot Manager and WAF.
1. Traditional WAF have LIMITATION Mitigstion of Dynamic IP and headless attack whereas Bot manager can complete protect against the same.
2. WAF can not stop RIsk of blocking geniun false positive users whereas  Bot Manager can resolve the same.
3.  Bot Manager can't protect from API vulnarebilities whereas WAF can protect the same.
4. Bot Manager can't protect from Layer 7 DoS attack whereas WAF can protect the same.
5. Compliance of HIPAA and ACI is very limited for Bot Manager whereas for WAF it fulfill it fulfill compliance.

author avatarRobert Falbo
User

Bot solutions offer much more targeted protection against Bit traffic vs a WAF that is more owasp, sql injection, cross site scripting, and detailed rules.  Account takeovers using Bots is a common attack protected by these solutions.  

Unmesh Deshpande
I am the CTO for a large multi-specialty private hospital. We are currently researching WAF solutions. Which WAF solution would you recommend with no heritage for subscription charges? We are a hospital with many web apps that need to be published soon and quickly. We have decent internet access. There could be 100 to 125 concurrent sessions. Thanks! I appreciate your help. 
author avatarAlcides Barros
User

CromiWAF's WAF solution provides a smooth service for 100 to 125 simultaneous sessions, but we need two additional information to define the most appropriate "package", number of URL's and throughput.

author avatarSrdjan
Real User

I would always recommend F5 WAF, it is probably the best one on the market, aside from Imperva. However both solutions are very expensive, Imperva even more and both might not be suitable if your IT personnel is junior when it comes to this kind of technology - this product requires "engineer attention" and offers even more in return. If you want to avoid opex, i.e. subscriptions, than you need to go for appliance on-prem version and you can use it for years before having replacement. all cloud solutions probably come with subscriptions. Check it out on https://www.f5.com/products/security/advanced-waf, they have roi calculator as well.

author avatarOLUWASEGUN ADERIBIGBE
Reseller

Imperva Clod WAF is the best option. Not only can you protect your IPs, DNS, Apps, you can also mitigate DDoS attack on your network or apps. Imperva has the best and biggest capacity to handle DDoS.
It is fast to deploy, easy to use and a very friendly user interface. Need I say more? You pay only for what yo need.

author avatarCole Bisset
Real User

I'd highly recommend using the Snapt ADC.

The ADC is a full suite..You get one of the world's finest Load Balancers with included functionality of a WAF, Web Accelerator & a GSLB. All of the Snapt support is done in house as well which gives you a direct line to the people who built the solution.

author avatarRaynielBadiola
Real User

If you are looking for an effective WAF solution, I would recommend Radware Appwall, it provides a complete web application security that you are looking for. Radware Appwall WAF comes with a hybrid solution in which you can deploy an on-prem device or via a cloud. Since you don’t want any subscription charges, for now, you can just deploy the on-prem device which will blocks attacks at the perimeter and ensures fast, reliable and secure delivery of mission-critical web applications.

I may not be able to size-up the exact model for you since there are a lot of things to consider like the number of applications, the number of CEC/CPS/HTTP TPS need to pass through the WAF, etc.but I do recommend to contact your local Radware vendor which can assist you on sizing up the Radware WAF solution.

author avatarHedbert Carrasco Carrazana
Real User

It depends if you want to apply positive security or negative security.

For positive security, I strongly recommend F5 due to its large number of features that the software has, but bear in mind that when applying positive security, your applications have to go through a learning process which will map all the parameters and URLs that the application uses. This process can take time depending on how they test the application.

Another point to consider is that after passing your applications to production, you almost always have a few parameters that did not go through the QA tests and can generate a Waf ID which then must be excepted.

If your strategy is based more on the speed of deployment of applications in the shortest possible time, I recommend that you use negative security.

Negative security solutions, I recommend using Cloudflare in this case, so you deploy DNS, WAF, Analysis in one place. Adding to that you should not buy equipment for the solution. Of course, most negative security solutions are only based on signatures. So if you don't have the updated signatures, you could be compromised with a zero-day attack.

That simply can give you my experience in the field.

author avatarAum e Hani
Real User

I myself used Cloudflare as the easiest and quicker solution to implement. But if you are concerned on budget you may try AWS WAF as well. It costs minimal and as per usage instead of fixed monthly expense.

Both are super reliable solutions.
Good Luck

author avatarWAQAR_AKHTAR
User

First, we should keep in mind the subscription in security devices is mandatory for keeping the certifications and database updated for known threats and If the device supports UTM and zero-day attack vector which is required for most the well-known organization then the subscription is required, Mostly vendors keep the package worth 1, 3, 5 support including all updates & Technical support as per the SLA purchased. For WAF I would suggest FortiGate appliance or SOPHOS with the UTM bundle. Both vendors also offer cloud-based subscription and Integrated Threat management if further security footprint is required within the organisation.

See more Web Application Firewall (WAF) questions »
Find out what your peers are saying about F5, Amazon, Reblaze and others in Web Application Firewall (WAF). Updated: July 2020.
431,024 professionals have used our research since 2012.