Enterprise Web & Infrastructure Protection
Incapsula vs F5

 

The ‘Enterprise Web & Infrastructure Protection’ category is for an enterprise that needs to protect both its website and its network assets (VPNs, Class C networks, etc.). Enterprises that look for an end-to-end DDoS solution will require web protection (DNS-based), infrastructure protection (BGP-based), and possibly even an on-premises appliance. The annual budget for a DDoS solution would start at a range of $50-100K.

In this report, two vendors provide a ‘full-scale enterprise’ solution: F5 Silverline and Incapsula. CloudFlare was not included because we did not have sufficient data to determine whether its infrastructure protection is good enough to enter the category.

DDoS Review

Deployment & Service Options

       

Diversion Method: DNS

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name System (DNS) change. DNS diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service.

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack.

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

Non-web protocols

Non-web protocol support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network.

(IP Protection)
Both vendors support non-web protocols.

Diversion Method: BGP

Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organization’s traffic to a cloud service provider for inspection before it reaches the enterprise network.

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack.

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

Emergency response

A team of experts that can help customers under DDoS attack to identify, analyze and mitigate the attack.

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities.

F5 offers fully managed service.

Number of Data Centers

The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on DDoS mitigation but may still act as an important decision factor.

Incapsula: 30
F5: 4 (San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG)

Incapsula has 30 data centers, F5 has only 4.
       


Incapsula vs. F5 - Deployment

Incapsula Enterprise and F5 Silverline deployment options are very similar. Both offer DNS and BGP-based diversion, a solution for non-web protocols, and both On-Demand and Always-On modes. F5 offers a fully managed service, whereas Incapsula is only partially managed. Although this does not directly affect DDoS mitigation, Incapsula offers web acceleration and has 30 POPs, whereas F5 has only 4. This can also affect organizations that do not wish to accelerate but only to maintain their existing latency.

Mitigation

The Web Protection of both vendors is extremely good. They are both fully or almost fully loaded with all the required protection.

The Infrastructure Protection of both F5 and Incapsula is based on a black-box approach, which is less than perfect. Realistically, though, this is the common practice in cloud services.

       

Proxy / Caching

Reverse Proxy

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface of the targeted server.

Caching

In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server.

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass and DDoS bots will fail.

F5 is the only one offering the entire web challenge spectrum.

Cookie Validation

A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back.

JavaScript Challenge

A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending JavaScript code that most attackers are unable to process and pass successfully.

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate whether the client is a human or a bot – for example, by checking for the existence of a mouse and keyboard.

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier for humans to pass than CAPTCHA.

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users.

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on the known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered.

Vendor

Vendor signatures come in large numbers and are based on the vendor’s research.

Customer

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Blacklist (BL) / Whitelist

Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path.

BL IP

BL URL

BL Geo-protection

Whitelist

Rate Limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network.

IP

URL

Geo-protection

DNS

DNS protection

The technology or service in charge of protecting DNS servers.

SCORE

Incapsula: 96%; F5: 100%
Both vendors have excellent mitigation technology coverage.
       


Incapsula vs. F5 - Mitigation

UX and Reporting

Incapsula has a clear advantage with user experience (UX). F5 Silverline configuration screens seem to have paused in the “network appliance age”, with certain screens of the Cloud WAF service resembling the F5 ASM product.

To balance this picture slightly, F5 Silverline real-time traffic monitoring screens are much better.

When you deploy a new web asset to protect, the UX will be better with Incapsula. However, if you want to protect a new network, with F5 it is self-service, whereas with Incapsula you need full service.

In forensics, F5 has an advantage: while Incapsula provides the basic alert details, with F5 you can get the event capture file, record the traffic in real time, and even instantly open a request for investigation by its SOC.

       

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation.

Incapsula: Excellent; F5: Basic
Incapsula’s look and feel and ease of navigation are much better than F5’s.

Ease-of-Navigation

Incapsula: Excellent; F5: Basic

Deployment

New website (DNS)

Incapsula: Excellent; F5: Basic

New network (BGP)

Incapsula: Full Service; F5: Excellent

Security

Block IP (BGP)

Incapsula: Excellent; F5: Excellent

Block URL

Incapsula: Excellent; F5: Good

Web Challenge

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass and DDoS bots will fail.

Incapsula: Excellent; F5: Basic

Signatures (vendor)

Vendor signatures come in large numbers and are based on the vendor’s research.

Signatures (vendor) Basic
Incapsula’s user signatures, ‘IncapRules’, are both powerful and intuitive. F5’s ‘iRules’ are powerful but less intuitive.

Signatures (customer)

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Incapsula: Excellent; F5: Good

Security

Real Traffic

Incapsula: Excellent; F5: Excellent

Blocked Traffic

Incapsula: Excellent; F5: Excellent

Response Time

Incapsula: Excellent; F5: Unknown

Events

Web logs

Incapsula: Excellent; F5: Excellent

Email

Call

Syslog

REST

Forensics

DDoS Forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker’s characteristics or identity.

F5 provides decent forensics with capture files (real-time and per-event).

Detailed alert

ExcellentExcellent

Event capture file

Good

RT capture file

Full

SCORE

Incapsula: 77%; F5: 65%
       


Incapsula vs. F5 – UX & Reporting

Incapsula vs. F5 – An Incapsula security

An F5 security configuration screen.

Pricing

Neither vendor publicly provides its enterprise plans. Their pricing factors are relatively similar. The only difference is that Incapsula also adds attack traffic as a pricing factor, which we consider a disadvantage (see Customer Oriented Pricing Model).

Bottom line

The technical comparison of the two vendors shows that there is no clear-cut conclusion. Both vendors offer rich deployment and mitigation options.

Enterprises looking for a fully-managed service will find a better home with F5. The user-interface of Incapsula is clearly better and today this is not a luxury item anymore.

Another factor that may be relevant in the decision is that Incapsula offers a CDN while F5 Silverline does not. This can also be a critical advantage if you need the data center to be in specific geographical areas either due to regulation or to reduce latency.

How to make a decision?
• Receive a quote.
• Investigate the stability and support of each vendor.
• Read the How to Complete the Vendor Selection section.
