Technical Evaluation

The technical evaluation of vendors is split into three categories:

Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.

DDoS-Intro-Image

The technical evaluation of vendors is split into three categories:

Deployment options, mitigation capabilities, and user experience UX. The following table provides a top-level summary of all three categories; a detailed analysis can be found in each of the following sections.

DDoS-Intro-Image
       

Deployment & Service Options

Cloud Protection

A DDoS protection provisioned as a service that is based on scrubbing centers on the cloud to which organizational traffic is routed. (read more)

On-premises Protection

On-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more)

Web Protection (DNS diversion)

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more)

Infrastructure Protection (BGP diverstion)

The diversion of traffic from the customer to the DDoS mitigation cloud provider using a BGP (Border Gateway Protocol) change. BGP diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more)

Fully Managed Service

A DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more)

F5 offers fully managed service.

Non-web protocols Support

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not poses a Class C network. (read more)

Number of Data Centers

The number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more)

30864

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more)

On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section

Overall Deployment Score

72%69%65%

Mitigation Completeness

CloudFlare mitigation is solid, but Incapsula and F5 are much more mature.

Reverse Proxy & Caching

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more)

Blacklist/Whitelist

Blacklist and whitelists enable blocking or allowing network access to entities based on parameters such as a IP address, geographical location or URL path. (read more)

Rate limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more)

DNS Protection

The technology or service in charge of protecting DNS Servers. (read more)

Overall Mitigation Score

96%73%100%

UX and Reporting

Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic.

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more)

ExcellentGoodBasic

Easy of Navigation

ExcellentExcellentGood

Security Configuration

GoodBasicBasic

Security Events

ExcellentGoodExcellent

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

BasicBasicExcellent
F5 has excellent DDoS Forensics.

Overall UX and Reporting Score

77%69%65%
       

Deployment & Service Options

Cloud Protection

A DDoS protection provisioned as a service that is based on scrubbing centers on the cloud to which organizational traffic is routed. (read more)

On-premises Protection

On-premises DDoS protection is a term used in DDoS mitigation architecture to describe technologies positioned at customer premises typically an appliance or a virtual appliance inside the customer data center. On-premises is in contrast to cloud based protection. (read more)

Web Protection (DNS diversion)

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more)

Infrastructure Protection (BGP diverstion)

The diversion of traffic from the customer to the DDoS mitigation cloud provider using a BGP (Border Gateway Protocol) change. BGP diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more)

Fully Managed Service

A DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more)

F5 offers fully managed service.

Non-web protocols Support

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not poses a Class C network. (read more)

Number of Data Centers

The number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more)

30864

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more)

On top of their Enterprise plan, CloudFlare and Incapsula offer lower-end plans for SMBs. see SMB Section

Overall Deployment Score

72%69%65%

Mitigation Completeness

CloudFlare mitigation is solid, but Incapsula and F5 are much more mature.

Reverse Proxy & Caching

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more)

Blacklist/Whitelist

Blacklist and whitelists enable blocking or allowing network access to entities based on parameters such as a IP address, geographical location or URL path. (read more)

Rate limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more)

DNS Protection

The technology or service in charge of protecting DNS Servers. (read more)

Overall Mitigation Score

96%73%100%

UX and Reporting

Incapsula User Experience (UX) is excellent, CloudFlare is also very good, F5 is basic.

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more)

ExcellentGoodBasic

Easy of Navigation

ExcellentExcellentGood

Security Configuration

GoodBasicBasic

Security Events

ExcellentGoodExcellent

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

BasicBasicExcellent
F5 has excellent DDoS Forensics.

Overall UX and Reporting Score

77%69%65%

Technical Evaluation Analysis Summary

A Word on Pricing

Pricing is obviously a major factor in selecting a vendor.  Where possible we added the pricing of the portrayed services including pricing of SMBs plans and naked pricing factors for F5 and Incapsula. Unfortunately, vendor do not will to share their Enterprise prices and you will need to toil and get a quote from each one.

Deployment & Service Options

This section compares the cloud-based and appliance-based deployment options provided by vendors. This section, more than any other, contains items that are “deal breakers” for the customer and can scope out a vendor.

Cloud Deployment

Diversion Methods

When using a cloud-based protection service, the first question you should ask is how will your traffic traverse your provider data centers (or scrubbing centers, in DDoS jargon)? The first method is DNS diversion, also referred to as web protection. Another method is BGP diversion, also called infrastructure protection. F5 and Incapsula fully support these diversion methods. CloudFlare also claims to support it, but we did not have sufficient data to validate its extent.

There is another more specific diversion method for non-web protocols that only Incapsula and F5 support.

Service Features

Service level options are critical evaluation criteria for many organizations. When under attack (‘War Time’), all vendors will assume full responsibility and provide emergency response. In ‘Peace Time,’ CloudFlare and Incapsula mostly rely on self-service, whereas F5 provides fully managed service.

 

       

Diversion Method: DNS

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more)

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more)

On-demand

A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more)

Non-web protocols

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not poses a Class C network. (read more)


(IP Protection)
Both vendors support non- web protocols.

Diversion Method: BGP

Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organizations’ traffic to a cloud service provider for inspection before it reaches the enterprise network. (read more)

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more)

On-demand

A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more)

Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. (read more)

Emergency Response

A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more)

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more)

F5 offers fully managed service.

Number of Data Centers

The number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more)

30
see locations
86
see locations
4

see locations

San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG

If you have acceleration needs, F5 is likely to be ruled out.

Entry Level

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more)

F5 and Incapsula offer a plan for SMBs
       

Diversion Method: DNS

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used divert traffic to a DDoS mitigation cloud service. (read more)

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more)

On-demand

A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more)

Non-web protocols

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not poses a Class C network. (read more)


(IP Protection)
Both vendors support non- web protocols.

Diversion Method: BGP

Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organizations’ traffic to a cloud service provider for inspection before it reaches the enterprise network. (read more)

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack. (read more)

On-demand

A DDoS mitigation architecture that is in contrast to ‘Always-on’ diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation. (read more)

Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. (read more)

Emergency Response

A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack. (read more)

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order be fully protected, and the vendor is responsible for initiating all security activities. (read more)

F5 offers fully managed service.

Number of Data Centers

The number of data centers, also referred as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor. (read more)

30
see locations
86
see locations
4

see locations

San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG

If you have acceleration needs, F5 is likely to be ruled out.

Entry Level

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually. (read more)

F5 and Incapsula offer a plan for SMBs

All-in-All Comparison – Cloud Deployment

The number of data centers can be essential. If you want the service to give you acceleration, only CloudFlare and Incapsula offer a CDN with 86 and 30 POPs, respectively. Even if improving acceleration is not a goal, it is still an advantage because it ensures that you will not suffer any performance degradation. It can also be important for regulatory compliance, for example, in cases in which you cannot use a POP outside your own country.

Entry Level

Budget is always a critical factor. If you cannot spend more than 5,000 USD annually on DDoS mitigation, only the CloudFlare Business and Incapsula Business plans targeting SMBs are suitable. (See more under the SMBs section.)

Appliance Deployment

Another way to implement DDoS mitigation is to use appliances: physical or virtual, DDoS dedicated or as a feature inside WAF or IPS. The report does not cover appliances, but it is important to know which vendor has them in case you go for a hybrid approach. F5 offers ASM (Application Security Module), while Imperva Incapsula offers Imperva SecureSphere. Both are WAF (Web Application Firewall) with DDoS capabilities.

       

Dedicated DDoS Appliance

An appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. (read more)

Physical Appliance

Virtual Appliance

WAF Appliance with DDoS

A technology that protects web servers form many types of attacks and also acts as DDoS mitigation layer. (read more)

Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere.

Physical Appliance

Virtual Appliance

       

Dedicated DDoS Appliance

An appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. (read more)

Physical Appliance

Virtual Appliance

WAF Appliance with DDoS

A technology that protects web servers form many types of attacks and also acts as DDoS mitigation layer. (read more)

Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere.

Physical Appliance

Virtual Appliance

       

Dedicated DDoS Appliance

An appliance whose primary function is DDoS mitigation. A DDoS appliance can be either physical or virtual. (read more)

Physical Appliance

Virtual Appliance

WAF Appliance with DDoS

A technology that protects web servers form many types of attacks and also acts as DDoS mitigation layer. (read more)

Both F5 and Imperva/Incapsula offer DDoS mitigation features on top of their WAF appliances: F5 with ASM and Imperva with SecureSphere.

Physical Appliance

Virtual Appliance

Technical Evaluation - Appliance Deployment

Mitigation

DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.

DDoS mitigation capabilities are the core of your decision. All vendors can block the majority of DDoS attacks. Nevertheless, there are some differences that are covered below. CloudFlare has significant security gaps because it lacks Rate Limit and its web challenges type is partial.

Proxy/Caching

All vendors offer web proxy with caching capabilities. This extremely basic technology is the most effective, and will block many attacks.

However, attackers are persistent today, and can find ways to pass this mitigation, foremost by attacking dynamic pages, leading us to the next most significant mitigation - web challenges.

Web Challenges

Ideally, we want the vendor to address the entire spectrum of challenges. F5 fulfills this demand completely! Incapsula is almost there, with one challenge (NoCAPTCHA ReCAPTCHA) missing. CloudFlare, on the other hand, has more gaps. It does not have the Cookie Validation, which in most cases is all you need to stop an attack with minimal impact on legitimate traffic.

       

Proxy / Caching

Reverse Proxy

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface from the targeted server. (read more)

Caching

In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more)

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

CloudFlare Web Challenges coverage is partial.

Cookie Validation

A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. (read more)

JavaScript Challenge

A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending a JavaScript code that most attackers are unable to process and pass successfully. (read more)

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. (read more)

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. (read more)

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. (read more)

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more)

Vendor

Vendor signatures come in large number and are based on the vendor research.

Customer

Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it.

Blacklist/Whitelist

Blacklist and whitelists enable blocking or allowing network access to entities based on parameters such as a IP address, geographical location or URL path. (read more)

BL IP

BL URL

BL Geo-Protection

Whitelist

Rate limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more)

CloudFlare has a security gap in Rate Limit.

IP

URL

Geo-Protection

DNS

DNS Protection

The technology or service in charge of protecting DNS Servers. (read more)

SCORE

96%73%100%
CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately.
       

Proxy / Caching

Reverse Proxy

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface from the targeted server. (read more)

Caching

In DDoS mitigation, web caching is done by reverse-proxies which act in tandem as prominent line of defense by blocking attacks from reaching the web server. (read more)

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

CloudFlare Web Challenges coverage is partial.

Cookie Validation

A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back. (read more)

JavaScript Challenge

A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending a JavaScript code that most attackers are unable to process and pass successfully. (read more)

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard. (read more)

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA. (read more)

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users. (read more)

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered. (read more)

Vendor

Vendor signatures come in large number and are based on the vendor research.

Customer

Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it.

Blacklist/Whitelist

Blacklist and whitelists enable blocking or allowing network access to entities based on parameters such as a IP address, geographical location or URL path. (read more)

BL IP

BL URL

BL Geo-Protection

Whitelist

Rate limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network. (read more)

CloudFlare has a security gap in Rate Limit.

IP

URL

Geo-Protection

DNS

DNS Protection

The technology or service in charge of protecting DNS Servers. (read more)

SCORE

96%73%100%
CloudFlare mitigation is good, but F5 and Incapsula mitigation stack is excellent. This allows them to block attacks more accurately.

All-in-All: Mitigation (application protection)

CloudFlare does not have Silent Human Investigation and, in case of a JS passing bot, you will be forced to escalate to intrusive NoCAPTCHA ReCAPTCHA. Another disturbing point is that the CloudFlare JS challenge is visible to the user. It informs the user that it is being challenged with an advertisement of CloudFlare at the same time. Not cool.

Signatures

All vendors offer both vendor signatures and user signatures. In vendor signatures, CloudFlare has the advantage because it lets you see and even tune them (while Incapsula and F5 signatures perform as a black-box). In user signatures, Incapsula has the upper hand due to the simplicity of signature creation, discussed in the next section.

Rate Limit

CloudFlare does not offer any Rate Limit-based mitigation, which is a significant security gap. Typically, it is not recommended to stop attacks with Rate Limit technologies because it can also “rate limit” legitimate users. However, in some scenarios it is still an important tool. One prominent example is to protect mobile API: Challenges are not efficient, as they often cannot be used with RESTful APIs. In these cases, Rate Limit can be your only savior.

BGP-Based Protection

In addition to Application Protection, also known as Web Protection, all vendors offer Network Protection (BGP-based). All vendors have a black-box approach without any visibility into the technologies being used or the ability to make any configurations.

UX and Reporting

Good User Experience (UX) is more than a nice-to-have feature. It determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.

All vendors provide a decent UX, but undoubtedly Incapsula has a clear lead over the others. Incapsula offers an excellent user interface, navigation, and look and feel. CloudFlare also has a good look and feel, but it still seems a bit outdated compared to today’s slick SaaS application designs. F5, on the other hand, is still in the appliance age in terms of UI/UX. Apart from the real-time monitoring part, its interface is outdated and resembles the configuration of an appliance rather than an intuitive cloud application. To summarize: both CloudFlare and Incapsula are easy to navigate. F5 is a little behind.

Deploying servers

Deploying a new web server is easy with CloudFlare and Incapsula, and also with F5 Silverline despite its outdated user interface. Deployment of a new network, in contrast, is easiest with Silverline where you self-service wise insert your network, and submit it for their NOC for review and final confirmation. With Incapsula it is a full service only – you can add new network by requesting it from their support.

Configuring security options

Blocking an IP is easy and simple with all vendors. However, when you want to block a URL, CloudFlare requires that you request it from their support, which seems a hassle for such a simple action. Same for creating a signature. Incapsula is leading here with its simple yet expressive IncapsRules. F5 offers its famous iRules, which are the most expressive but more technical. In Customer Signatures CloudFlare has the upper hand as its rules are visible and configurable. With Incapsula you get the rules as black-box.

Real-time Monitoring (RTM)

F5 and Incapsula monitoring is excellent – granular, shows well normal traffic versus attack traffic. With Incapsula it took only 15 seconds for traffic to be displayed, which is very good for distributed cloud service.

       

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more)

ExcellentGoodBasic
Incapsula's look and feel is excellent, making the user experience both enjoyable and productive.

Ease of Navigation

ExcellentExcellentBasic

Deployment

New website (DNS)

ExcellentExcellentBasic

New network (BGP)

Full ServiceUnknown Excellent

Security

Block IP

ExcellentExcellentExcellent

Block URL

ExcellentFull Service Good
Oddly, blocking a URL in CloudFlare can be done only with a request to its support.

Web challenge

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

ExcellentExcellentBasic

Signatures (vendor)

Vendor signatures come in large number and are based on the vendor research.

BlackboxExcellentBasic
CloudFlare is the only one to provide visibility and control of its own signatures.

Signatures (customer)

Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it.

ExcellentFull ServiceGood
Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support.

Real-Time Reporting

Real traffic

ExcellentUnknownExcellent

Blocked traffic

ExcellentUnknownExcellent

Response time

ExcellentUnknown Unknown

Events

CloudFlare event methods are partial.

Web logs

ExcellentExcellentExcellent

Email

Call

Syslog

REST

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event).

Detailed alert

ExcellentExcellentExcellent

Event capture file

Good

RT capture file

Full

Score

77%69%65%
       

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation. (read more)

ExcellentGoodBasic
Incapsula's look and feel is excellent, making the user experience both enjoyable and productive.

Ease of Navigation

ExcellentExcellentBasic

Deployment

New website (DNS)

ExcellentExcellentBasic

New network (BGP)

Full ServiceUnknown Excellent

Security

Block IP

ExcellentExcellentExcellent

Block URL

ExcellentFull Service Good
Oddly, blocking a URL in CloudFlare can be done only with a request to its support.

Web challenge

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail. (read more)

ExcellentExcellentBasic

Signatures (vendor)

Vendor signatures come in large number and are based on the vendor research.

BlackboxExcellentBasic
CloudFlare is the only one to provide visibility and control of its own signatures.

Signatures (customer)

Customer signatures, or ‘user signatures’ are signatures created by the user typically during and attack or after it.

ExcellentFull ServiceGood
Incapsula user signatures ‘IncapRules’ are both powerful and intuitive to use. F5 ‘iRules’ are powerful but less intuitive. CloudFlare signatures are made only by its support.

Real-Time Reporting

Real traffic

ExcellentUnknownExcellent

Blocked traffic

ExcellentUnknownExcellent

Response time

ExcellentUnknown Unknown

Events

CloudFlare event methods are partial.

Web logs

ExcellentExcellentExcellent

Email

Call

Syslog

REST

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or-going. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.

vDTP 05

ARE YOU READY?

Answer seven online questions and get a free report assessing your protection status with recommendations for improvement


Free DDoS Assesment

F5 is the only vendor to provide decent forensics by providing capture files (real-time and per event).

Detailed alert

ExcellentExcellentExcellent

Event capture file

Good

RT capture file

Full

Score

77%69%65%

All-in-All: UX and Reporting

Forensic

With Forensics, F5 has the lead. While all vendors provide informative alerts, F5 allows you to extract the capture of an alert [self-service], and take real-time capture files [full service]. Furthermore, the customer can open a chat on an alert and discuss it with the SOC and peers.

Pricing

CloudFlare, Incapsula and F5 do not provide official pricing for their Enterprise service, so you’ll have to request a quote.

F5 pricing model is a fully Customer Oriented Pricing Model. The factors that determine the price are (a) clean traffic rate, (b) number of web sites and data centers and (c) on-demand versus always-on plan. Always-on customers do not pay extra for inclusive managed service, nor need to worry about attack data volumes.

Incapsula has a similar pricing model.  The only difference is that it also differentiates prices based on traffic volume. This is a disadvantage as it puts customer in a difficult spot in make an educated decision about something that cannot be really estimated (see more under Customer Oriented Pricing Model).

CloudFlare pricing model was unavailable.

SMB Pricing SMB Pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section.

Additional Relevant Chapters:

Additional Relevant Chapters: