Enterprise Web & Infrastructure Protection

Incapsula vs F5

 

The ‘Enterprise Web & Infrastructure Protection’ category is for an enterprise that needs to protect both its website and its network assets (VPNs, Class C networks, etc.). Enterprises looking for an end-to-end DDoS solution will require web protection (DNS-based), infrastructure protection (BGP-based), and possibly even an on-premises appliance. The annual budget for a DDoS solution would start at a range of $50-100K.

In this report, two vendors provide a ‘full-scale enterprise’ solution: F5 Silverline and Incapsula. CloudFlare was not included because we did not have sufficient data to determine whether its infrastructure protection is good enough to enter the category.

DDoS Review

Deployment & Service Options

         

Diversion Method: DNS

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name System (DNS) change. DNS diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service.

     

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack.

     

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

     

Non-web protocols (IP Protection)

Both vendors support non-web protocols.

Diversion Method: BGP

     

Always-on


     

On-demand


     

Service Features

     

SSL support – HSM

     

Emergency response

A team of experts that can help customers under DDoS attack identify, analyze and mitigate the attack.

     

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities.

F5 offers a fully managed service.

Number of Data Centers

The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor.

Incapsula: 30. F5: 4.

Incapsula has 30 data centers, F5 has only 4.
         


Incapsula vs. F5 – Deployment

Incapsula Enterprise and F5 Silverline deployment options are very similar. Both offer DNS and BGP-based diversion, a solution for non-web protocols, and both On-Demand and Always-On modes. F5 offers a fully managed service, whereas Incapsula is only partially managed. Although not directly affecting DDoS, Incapsula offers web acceleration and has 30 POPs vs. F5, which has only 4 POPs. This can also affect organizations that do not wish to accelerate but only maintain their existing latency.

Mitigation

The Web Protection of both vendors is extremely good. They are both fully or almost fully loaded with all the required protection.

The Infrastructure Protection of both F5 and Incapsula is based on a black-box approach, which is less than perfect. Realistically, though, this is the common practice in cloud services.

         

Proxy / Caching


     

Reverse Proxy

A server that receives the client’s request and then requests the resource from the web server on the client’s behalf.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface of the targeted server.

     

Caching

In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server.

     

Web Challenges

F5 is the only one offering the entire web challenge spectrum.

Cookie Validation

     

JavaScript Challenge

     

Silent Bot Detection

     

Modern CAPTCHA

     

CAPTCHA

     

Signatures

     

Vendor

     

Customer

     

Blacklist (BL) / Whitelist

     

BL IP

     

BL URL

     

BL Geo-protection

     

Whitelist

     

Rate Limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network.

     

IP

     

URL

     

Geo-protection

     

DNS

     

DNS protection

     

SCORE

Incapsula: 96%. F5: 100%. Both vendors have excellent mitigation technology coverage.
         


Incapsula vs. F5 – Mitigation

UX and Reporting

Incapsula has a clear advantage with user experience (UX). F5 Silverline configuration screens seem to have paused in the “network appliance age”, with certain screens of the Cloud WAF service resembling the F5 ASM product.

To balance this picture slightly, F5 Silverline real-time traffic monitoring screens are much better.

When you deploy a new web asset to protect, the UX will be better with Incapsula. However, if you want to protect a new network, with F5 it is self-service, whereas with Incapsula you need full service.

In forensics, F5 has an advantage: while Incapsula will provide you the basic alert details, with F5 you can get the event capture file, record the traffic in real time, and even instantly open a request for investigation by their SOC.

         

Look and Feel

The overall user experience provided by a service: the graphical design, organization of data and ease of navigation.

Incapsula: Excellent. F5: Basic. Incapsula’s look and feel and ease of navigation are much better than F5’s.

Ease-of-Navigation

Incapsula: Excellent. F5: Basic.

Deployment

     

New website (DNS)

Incapsula: Excellent. F5: Basic.

New network (BGP)

Incapsula: Full Service. F5: Excellent.

Security

     

Block IP (BGP)

Incapsula: Excellent. F5: Excellent.

Block URL

Incapsula: Excellent. F5: Good.

Web Challenge

Incapsula: Excellent. F5: Basic.

Signatures (vendor)

Signatures (vendor) Basic

Incapsula’s user signatures, ‘IncapRules’, are both powerful and intuitive. F5’s ‘iRules’ are powerful but less intuitive.

Signatures (customer)

Incapsula: Excellent. F5: Good.

Security

     

Real Traffic

Incapsula: Excellent. F5: Excellent.

Blocked Traffic

Incapsula: Excellent. F5: Excellent.

Response Time

Incapsula: Excellent. F5: Unknown.

Events

Web logs

Incapsula: Excellent. F5: Excellent.

Email

     

Call

     

Syslog

     

REST

     

Forensics

DDoS forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker’s characteristics or identity.


F5 provides decent forensics with capture files (real-time and per-event).

Detailed alert

Incapsula: Excellent. F5: Excellent.

Event capture file

F5: Good.

RT capture file

F5: Full.

SCORE

Incapsula: 77%. F5: 65%.
         


Incapsula vs. F5 – UX & Reporting


Incapsula vs. F5 – An Incapsula security


An F5 security configuration screen.

Pricing

Neither vendor publicly provides its enterprise plans. Their pricing factors are relatively similar. The only difference is that Incapsula also adds attack traffic as a pricing factor, which we consider a disadvantage (see Customer Oriented Pricing Model).

Bottom line

The technical comparison of the two vendors shows that there is no clear-cut conclusion. Both vendors offer rich deployment and mitigation options.

Enterprises looking for a fully-managed service will find a better home with F5. The user-interface of Incapsula is clearly better and today this is not a luxury item anymore.

Another factor that may be relevant in the decision is that Incapsula offers a CDN while F5 Silverline does not. This can also be a critical advantage if you need the data center to be in specific geographical areas either due to regulation or to reduce latency.

How to make a decision?

• Receive a quote.
• Investigate the stability and support of each vendor.
• Read the How to Complete the Vendor Selection Section.
