I'm trying to understand what limitations AWS WAF has vs other (alternative) Web Application Firewall (WAF) products.
I have had experience with several WAF deployments and deep technical assessments of the following:
1. Imperva WAF
2. F5 WAF
3. Polarisec Cloud WAF
A typical limitation of cloud WAF is that the solution only includes a generic level of web application protection. The primary difference from an on-premise / dedicated WAF solution like Imperva is the ability to protect business logic in the web application. This approach allows the user to apply a strict positive security model as opposed to a negative security model.
Cloud WAF typically revolves around mitigation of technical-level attacks such as SQLi, XSS and CSRF, and bot-related detection and mitigation. For more customized rule settings (for instance, to protect business logic), multi-tenant capable solutions usually do not have a high level of customization ability, due to their generic nature and coverage of a wide range of client types.
Nevertheless, the capability to protect against technical-level attacks might be sufficient for your web application, given the fact that AWS is tightly integrated in its PaaS offering, making the implementation and deployment much more seamless compared to the other products.
In my opinion, you could consider AWS WAF if:
1. Your web application does not serve complex business logic such as Internet Banking.
2. Your only security concern is mitigation of technical attacks.
3. Your web application is hosted in AWS infrastructure.
Hope this answer is useful.
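The positive versus negative security model distinction from the answer above, as an added example that is not part of the original post and not any vendor's rule set. The `/transfer` endpoint, its parameter schema, the signatures and the sample requests are all constructed for illustration.

```python
import re

# Negative model: block only what matches a known-bad signature (constructed, simplified).
SIGNATURES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),  # SQLi: UNION SELECT
    re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),     # SQLi: tautology
    re.compile(r"(?i)<script\b"),              # XSS: script tag
]

def negative_model_allows(req):
    values = [req["path"], *map(str, req["params"].values())]
    return not any(sig.search(v) for sig in SIGNATURES for v in values)

# Positive model: allow only what the application is specified to accept.
# Hypothetical schema for a constructed banking endpoint.
SCHEMA = {
    ("POST", "/transfer"): {
        "from_account": re.compile(r"\d{10}"),
        "to_account": re.compile(r"\d{10}"),
        # strictly positive amount, at most two decimals
        "amount": re.compile(r"(?!0+(\.0{1,2})?$)\d{1,7}(\.\d{1,2})?"),
    },
}

def positive_model_allows(req):
    rules = SCHEMA.get((req["method"], req["path"]))
    if rules is None:
        return False                      # unknown endpoint or method
    if set(req["params"]) != set(rules):
        return False                      # missing or unexpected parameter
    return all(rules[k].fullmatch(str(v)) for k, v in req["params"].items())

def transfer(**params):
    return {"method": "POST", "path": "/transfer", "params": params}

# Constructed sample requests.
SAMPLES = {
    "legitimate": transfer(from_account="1234567890", to_account="0987654321", amount="250.00"),
    "sqli": transfer(from_account="1234567890", to_account="1' OR 1=1 --", amount="250.00"),
    "negative_amount": transfer(from_account="1234567890", to_account="0987654321", amount="-500.00"),
    "extra_param": transfer(from_account="1234567890", to_account="0987654321", amount="250.00", fee_override="0"),
}

def evaluate():
    # name -> (allowed by negative model, allowed by positive model)
    return {n: (negative_model_allows(r), positive_model_allows(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (neg, pos) in evaluate().items():
        print(f"{name:16} negative_model={'allow' if neg else 'block'} positive_model={'allow' if pos else 'block'}")
```

The two business-logic requests carry no attack signature, so only the schema-based check rejects them.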
@John Rendy Also, if you are dependent on AWS Certificate Manager, as other WAFs require you to provide your certificates, which AWS will not export.
Hello @Venkatesh VRH , @Vinamra Singhai and @DanielSeco. Can you please help here?
Should one go for URL Filtering as an add-on to NGFW or just deploy a Web proxy instead? I am one who advocates that firewalls with URL Filtering can't serve better than Web security solutions (i.e., a Web proxy).
What's your opinion?