AWS WAF Review

Use this product to make it possible to deploy web applications securely

What is our primary use case?

There are two things that we primarily use AWS WAF (Amazon Web Services Web Application Firewall) for. One use is within the company. Within the company, the intended use is to deploy our applications. It is like working with the cloud. We can start an application in S3 (Simple Storage Service), and use profiles for access to data.  

The other use is that most of our clients use a similar infrastructure. They are either using AWS, Azure or maybe Google Cloud Platform (GCP). We deploy this solution for them.  

Both uses are different. One is for the cloud solutions like AWS, Azure and GCP, and one is for the local server access. That is how you want to secure a server. You are securing a server, database, app servers, and ATA gateways. The other one is for implementing security for the AWS. You want to have both running side-by-side.  

Let me give you an example. Suppose, most of the people working for your company are connected from external locations with company-provided laptops or systems. I want to check all devices to make sure that they are being used in a secure way and not creating any breach of security. Those checks cannot be taken care of reliably from the AWS perspective. This is why you need two solutions.  

What is most valuable?

The most valuable feature is the ability to use the product to enhance security in deploying web applications.  

What needs improvement?

We have not implemented WAF completely. We are working around that issue right now in the AWS. We are creating log files and then we are using Kibana for analysis. Out WAF deployment is not perfected yet so it is not implemented as our long-term solution. It will take another month to complete the setup. I do not have the big picture on it yet in a live environment, so my view of what will need to be improved under load is limited.  

I think one thing that should be available is that if there are technical problems in the AWS, then there should be automated alerts to AWS. Calling support is not that easy. It would be better to automatically send emails to them to report that there is a bug in their programming.  

I have an idea for a new feature to consider. I think the security area and other things that they provide are good, and I know there are third-party integrations. It provides a lot of value. The problem is that the 'value' of the solution makes it very costly. That is a big thing. $20,000 for this solution seems like a lot.  

Right now we are limited to only MySQL and PostgreSQL databases. There should be other options and also a way to check the security of it. I think AWS should develop and make available some kind of a management screen so we can see the logs, which servers are using the service, and how the security is performing. All we can see right now is if there are any security breaches. This is not enough information to evaluate the performance of the system.  

For example, there are a lot of people using MongoDB databases. Over the last two years, a lot of them got hacked. Mongo should have had a way to alert end users if its facilities get hacked. A manager or some administrator should receive an email saying that this or that account got hacked and there was a security breach. This would be enough notification to prompt taking other appropriate actions.  

There should also be a report or alerts which tell us that the configuration is having security issues. I think there is something called PVE security rules which might be implemented. Of course, Cisco's security rules could also be implemented. Once the rules are implemented, we know for certain if they are providing a secure connection or not. We need some type of check on the configuration that can create alerts for potential security issues and to have proper notifications.  

For how long have I used the solution?

We have been in the implementation process with the product for some time but it is not yet live because we are not totally satisfied with the setup.  

How are customer service and technical support?

I am not satisfied with AWS technical support. It is a long story. Two years back I contacted support because their code was not working. The solution itself was not perfect and there was a bug in the system. It was creating a lot of issues and there is no way to contact support. 

I tried to contact them to tell them that they had a problem with AWS, they wanted me to pay them $200 to tell them there was a problem with their product — which is very strange. What I did instead was to send an email to their sales department at AWS to explain to them that there was a coding issue and that the software was not working as it was supposed to. After many months, they replied that this was not a problem for the sales department. They said they would forward the issue to the technical support team. When the technical support team received the information, they asked for money again to solve the problem in the coding of their own product.  

I just wanted to tell them that they had a problem. They gave me a run-around and would not even look at the issue that was on their end which must have affected more clients than just me. So I think in that way, the technical support is not good. If there is a problem or a bug within the AWS services, there is no way to contact anyone for a resolution. That is a problem and not a good way to run technical support.  

Which solution did I use previously and why did I switch?

We were using ManageEngine. A problem with using ManageEngine was that ManageEngine can help in securing the servers and API gateways and app servers, but it cannot help to tell if there is any breach in security from a company-provided laptop. We needed a better solution that covered this vulnerability.  

How was the initial setup?

This product is not straightforward to set up and deploy. In the area of database security, it is especially complex. This is especially true when you want to do security for the cloud. There may be applications that will allow software on the cloud to access your in-house servers. If your in-house servers are available and there is a database, you want to secure it. You can do that more easily in-house than you can on the cloud but you have to be sure it is configured and secured properly.  

What's my experience with pricing, setup cost, and licensing?

As far as pricing considerations, there are other competitors to consider. All the solutions are not easy and all will not do exactly the same thing or even what you need. SecureSphere is expensive, I think $20,000 per year. If you go for ManageEngine or any other solution, they also go for close to $10,000. It depends on how many applications you are running and how many servers you have. They can easily run into close to $10,000 a year. Database security and application security are generally costly solutions.  

AWS is not that costly by comparison. They are maybe close to $40 per month. I think it was between $29 or $39.  

What other advice do I have?

On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a seven or an eight. I do not like to give it a solid rating as of now because we are still in the process of implementing it. Once we have completed the implementation, we will be able to give you a proper answer. As recent as two weeks we were still considering ManageEngine, but we did finally decide in our comparisons that it cannot provide all of the features that we are looking for.  

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More AWS WAF reviews from users
Add a Comment