What is our primary use case?
We are using this product for a major airline whose traffic is routed via F5 Silverline Web Application Firewall. All B2C sites are behind F5 Silverline Web Application Firewall. The data part is basically to Akamai for CDNs and to F5 Silverline Web Application Firewall for WAF capability. The resources are hosted on AWS or Azure. For parameters, we have another F5 AWAF module, which intercepts the traffic once it is inside the cloud parameters, and then the data goes to the backend application pool. All B2C traffic gets inspected on F5 Silverline Web Application Firewall. Every HTTP profile is inspected on the Advanced WAF module, which is again F5 on-premises.
We are also deploying this solution for another client in the Middle East. We're basically deploying the architecture. We have F5 Silverline Web Application Firewall and the Check Point firewall as the next-generation firewalls. All HTTP traffic is via F5 Silverline Web Application Firewall, and it is routed back to the Check Point firewall for IPS and malware inspection because F5 Silverline Web Application Firewall does not do that. Non-HTTP profiles go via the Check Point firewall.
What is most valuable?
Its flexibility is the most valuable because it is a managed service. The good part is that you don't need to set it up. It just needs DNS routing, which is the easiest thing.
Our client had Akamai for certain websites because they were using CDN features. They had NetScaler on the internal zone, F5 AWAFs on the data centers, and no WAF at all in the cloud. One of the main activities of the project was to move all these policies into a single WAF so that we could control and use that as a choke point. That exercise itself was very easy because it was a managed service and F5 Silverline Web Application Firewall does that for you. That's the best thing about F5 Silverline Web Application Firewall.
It is easy to apply policies on-premises. If you have AWAF on-premises and you want to replicate some policies on F5 Silverline Web Application Firewall, other than the policies that it applies by itself, it is easy because you have a team that supports it.
F5 Silverline Web Application Firewall works perfectly fine. It pretty much does everything that an Advanced WAF on-premises should do.
What needs improvement?
F5 Silverline Web Application Firewall, being a new product in the market, or a comparatively new product, currently supports fewer PoPs. They should introduce more PoPs. The current number of PoPs that they have is around 10 or 12, which is still relatively few compared to the 2,400-plus PoPs that Akamai offers. The user latency or the number of hops a user needs before reaching the actual web application is less in Akamai because it has its internal fabric to route the traffic.
They need to spin up more data to increase its traffic handling capability. They can also include the bot detection capability, though it is a pretty advanced functionality. If they could include DataDome-like functionality, that is, bot prediction, then F5 Silverline Web Application Firewall would be top-notch in the market.
For how long have I used the solution?
I have been using this solution for a year or so.
What do I think about the stability of the solution?
It is so far stable. When I did a POC for one of my clients, I ran tests for a month on Imperva, F5, and Akamai. I found F5 to be more regress in terms of infections than Imperva. It could be because of the teams on-site, representing these companies, doing their job right or wrong. If a PS consultant from Imperva did not configure the policies right, it probably would have scored less.
What do I think about the scalability of the solution?
I know that F5 Silverline Web Application Firewall is scalable. We are using this product in two enterprise setups that can have a hundred thousand-plus requests at any given time.
Scalability for products like F5 Silverline Web Application Firewall or Incapsula is pretty easy because their sizing is managed by the vendor. Therefore, you don't have to really bother about what goes in there because that's a black box for you. However, if you are doing it on-premises, it's a task.
I've been involved in upgrading a traditional WAF to Advanced WAF. It's basically a license upgrade involving testing and re-profiling of applications and things like that. It's a sort of straightforward task. If you have the right team, it is not something really difficult. It isn't something like where you just add a few boxes and then scale.
Our airline client has millions of customers, and all this data is going via F5 Silverline Web Application Firewall, which is a lot of data. It's an enterprise kind of setup. We're not talking about end-user traffic here. We're talking about B2C traffic. For end-user traffic, we have around 400-odd unique URLs behind the F5 Silverline Web Application Firewall on-premises, which is again an Advanced WAF module. F5 Silverline Web Application Firewall has around 60,000 to 80,000 users, not at the peak but spread over time. All B2C requests coming into the website, like booking or looking for your seats on the flight, go via F5 Silverline Web Application Firewall, and that could go up to millions of hits a day.
How are customer service and technical support?
We have a personal rapport with both Imperva and F5 in UAE because we have worked with them for more than a year. I have found them to be really good. I may have once or twice talked to their central support team as the contact person for the account was not available. Otherwise, it has been a personalized experience for both products because we know the teams.
How was the initial setup?
The initial setup is certainly straightforward because F5 Silverline Web Application Firewall does the setup for you. All that you need to worry about doing is routing your DNS via F5 Silverline Web Application Firewall.
If I have a website, I would just make sure that it routes via F5 Silverline Web Application Firewall DNS, and then I would only whitelist the traffic between F5 Silverline Web Application Firewall and my application pool. That's the only configuration that I need to worry about, unlike a traditional WAF that you need to set up. You can't just say that it is a strength of F5 Silverline Web Application Firewall because Imperva's WAF on the cloud, Incapsula, also works the same way.
What's my experience with pricing, setup cost, and licensing?
F5 Silverline Web Application Firewall works based on your bandwidth. They look at the clean bandwidth and do the pricing. 20% of a total pipe would be a clean bandwidth.
The list price or a non-negotiated price for F5 Silverline Web Application Firewall would be around $2,200 per application per year for everything that you need. When you get into an enterprise kind of a setup, they negotiate this to the last bit. I would easily take 20% on that, which would be the cost, but it should cover all your Advanced WAF features, bot protection, tech campaign, etc. It is built as a package and gives you most of the capability.
You don't get the mobile SDK, which is an additional license. Mobile SDK is required only if you're buying or if you have a mobile application, and you are going to instrument F5 or Imperva into your mobile appliance. This anyway would be an additional module. It doesn't come within the WAF, but it is a WAF feature.
Which other solutions did I evaluate?
There are a lot of gray areas in WAF. If you take a look at the top ten WAF solutions, most of the WAFs in the market, or at least the advanced ones, do it right because the WAF technology has evolved.
If you look at bot protection, it is probably not everyone's game. I've seen Imperva doing it really well. If I masquerade a browser, for example, if I masquerade a Chrome browser by changing the agent files and make it look like Firefox, and then if I send a request to my F5 Silverline Web Application Firewall (or Imperva firewall), I would want to see if it identifies the real browser behind it. I've seen F5 Silverline Web Application Firewall (and Imperva) handling most of such cases well, but other WAF products in the market fail.
If you look at Imperva, their strength primarily is on the DDoS capability. In the volumetric attack part, Imperva scores or has at least a record of doing better than F5 Silverline Web Application Firewall. Imperva is also in the public domain, so they have mitigated larger attacks than F5 Silverline Web Application Firewall, but this is not something you can test in the lab. You wait for the doomsday, and then you do your actual test.
Overall, if you say F5 Silverline Web Application Firewall as a product, I would vote it over Imperva. It may be because I'm more inclined to work on F5 Silverline Web Application Firewall. I found working with it easier than Imperva.
What other advice do I have?
You should know what you're actually blocking. A lot of customers move to WAF or AWAF because they were told to do that, but they need to identify what they're actually looking to inspect. For example, one of the clients I worked with did not understand the differences in capabilities between a next-generation firewall and a WAF. When I say WAF, I am talking about AWAF, not the previous generation WAF. No one considers that anymore.
People who try to put WAF and think that they are secure are not really secure. There is still a fine grain of security that you need on a next-generation firewall. For example, if I inject a payload, I'm going to have HTTPS traffic that I pass on to WAF. If I do not do my SSL termination and just inspect the remaining stuff, such as headers, WAF is basically useless.
If you're using a WAF solution like F5 Silverline Web Application Firewall, one thing it does really well is the orchestration part. It can terminate your SSL and do the encryption. Basically, it may make your stream decrypted via texts, inspect every element of it, decrypt it back, and then send it.
As a security consultant, I would add another next-generation firewall behind F5 Silverline Web Application Firewall. I will make sure that I do a service chaining, and every single stream or packet that is decrypted is again routed via a next-generation firewall to do IPS. This is because your WAF cannot do IPS. It is not its major strength; it is a firewall capability. Let's say you have a website where you upload files, and you are going to upload a file that probably has some malicious code that could be executed. When you upload it, it is going to sit on your system. How do you know that a file that is attached to a website is not malicious? A WAF generally doesn't take this up. That's where a combination of WAF and firewall comes into the picture.
It's about defining and ensuring what is your load and how many applications you want to protect. Do you really have the skills to manage those policies in-house? If you don't have really good engineers who look at the policies and manage these boxes, then it is better to go for managers like Silverline. If you have good hands on the ground, then use an Advanced WAF in your data center.
Some companies might not need on-premises deployments because they might be using a cloud. In that case, run this on the cloud. You could have virtual licenses or virtual machines running on the cloud, or you could use Silverline. If you're more security passionate, then you probably will have to have a Silverline for it and then another WAF within your cloud. Again, there's no one way to do it. It depends on your network, but do not rely on one product because every product has its limitations.
I would easily rate F5 Silverline Web Application Firewall a seven out of ten. I won't give it an eight because I haven't tested it for a longer period.