Enterprise Web Protection
Incapsula vs cloudflare
Some organizations require strong web protection (DNS diversion), but can do without infrastructure protection (BGP diversion) or a physical appliance. This will be the case when the DDoS threat and/or the potential damage are not considered critical enough to justify the extra investment.
For such requirements, CloudFlare and Incapsula provide solutions that also include acceleration built into the DDoS service.

Deployment & Service Options
As cloud-based services, both CloudFlare and Incapsula offer basic web protection (DNS diversion) and network protection (BGP diversion). Both provide a free tier, services for SMBs and services for Enterprises.
CloudFlare offers 86 POPs vs. Incapsula's 30, but the effect of this on DDoS mitigation is only indirect (see Number of Data Centers).
If your organization runs a non-web service, such as a proprietary protocol, then only Incapsula can serve you, with its latest IP Protection topology.
On the cloud front, vendor deployment and service options are relatively similar.

| Deployment & service option | Incapsula | CloudFlare |
|---|---|---|
| DNS | | |
| Always-on | | |
| On-demand | | |
| Non-web protocols | IP Protection | |
| Service Features | | |
| SSL support – HSM | | |
| Emergency response | | |
| Fully managed service | | |
| Number of data centers | 30 | 79 |

Incapsula can protect non-web protocols even if you don't have a class C network.

Definitions used in the table:

- Always-on: a DDoS mitigation architecture where traffic is diverted to a cloud provider's data centers. In 'Always-on' the diversion is permanent, whereas in 'On-demand' the diversion is made only during an attack.
- On-demand: a DDoS mitigation architecture that, in contrast to 'Always-on', diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.
- Non-web protocols: the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network.
- SSL support – HSM: a hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.
- Emergency response: a team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack.
- Fully managed service: a DDoS service where the customer isn't required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities.
- Number of data centers: the number of data centers, also referred to as POPs (points of presence) or 'scrubbing centers', that a vendor offers. It does not have a direct impact on DDoS mitigation but may still act as an important decision factor.
Incapsula vs. CloudFlare - Deployment
Mitigation
Web proxy and caching
Web Challenges
This leads us to the next most significant mitigation: web challenges. Ideally we want the vendor to provide the full challenge spectrum. Incapsula offers 4 out of the 5 challenges. The only one missing is the modern CAPTCHA; in the unlikely event that its JS challenge is not effective, it would have been slightly better to have this as a fallback. CloudFlare offers only two out of the five challenges. That does not mean it will be unable to stop DDoS attacks, only that you will need to use a bigger hammer than you intended. CloudFlare does not have plain Cookie Validation, which in most cases is enough to stop an attack with minimal impact on legitimate users and legitimate bots. CloudFlare also does not have Silent Human Investigation, so against a bot that passes the JS challenge (e.g. PhantomJS) you will be forced to escalate to the intrusive modern CAPTCHA. The traditional CAPTCHA is also not offered by CloudFlare, but since they have the modern version this is reasonable. Another annoying point is that CloudFlare's JS challenge is visible to the user.
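To make the "plain Cookie Validation" challenge concrete, here is an added example (not code from the original page or from either vendor) of how a reverse proxy can implement it: the first request gets a cookie whose value is an expiry time plus an HMAC over that expiry and the client address, and only requests that return an unexpired, correctly signed cookie for that address are passed to the origin. The server key, cookie name, TTL and the traffic walked through in `simulate()` are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-process key for this example; a real deployment would keep it out of source
# and rotate it, which also invalidates all outstanding challenge cookies.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "ddos_chk"      # hypothetical cookie name
COOKIE_TTL = 300              # seconds a validation cookie stays valid


def issue_cookie(client_ip: str, now: float = None) -> str:
    """Build a challenge cookie: an expiry bound to the client address and MACed with the server key."""
    if now is None:
        now = time.time()
    expires = int(now) + COOKIE_TTL
    tag = hmac.new(SERVER_KEY, f"{expires}:{client_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}:{tag}"


def cookie_is_valid(cookie: str, client_ip: str, now: float = None) -> bool:
    """Accept a returned cookie only if it is well-formed, unexpired and signed for this address."""
    if now is None:
        now = time.time()
    try:
        expires_str, tag = cookie.split(":", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if expires < now:
        return False
    expected = hmac.new(SERVER_KEY, f"{expires}:{client_ip}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte from timing.
    return hmac.compare_digest(expected, tag)


def handle_request(client_ip: str, cookies: dict, now: float = None):
    """Proxy decision for one request: PASS to the origin, or CHALLENGE with a fresh cookie.

    A challenge response in practice is a redirect back to the same URL carrying Set-Cookie;
    a browser follows it transparently, a bot that ignores cookies never gets past this point.
    """
    presented = cookies.get(COOKIE_NAME)
    if presented and cookie_is_valid(presented, client_ip, now):
        return "PASS", None
    return "CHALLENGE", issue_cookie(client_ip, now)


def simulate() -> dict:
    """Walk constructed traffic through the challenge and collect the verdicts."""
    now = 1_700_000_000.0
    results = {}
    # A browser: challenged once, stores the cookie, and its retry is passed.
    verdict, cookie = handle_request("203.0.113.10", {}, now)
    results["browser_first"] = verdict
    verdict, _ = handle_request("203.0.113.10", {COOKIE_NAME: cookie}, now + 1)
    results["browser_retry"] = verdict
    # A naive flooder that ignores Set-Cookie is challenged on every request.
    verdict, _ = handle_request("198.51.100.7", {}, now + 1)
    results["bot_retry"] = verdict
    # The browser's cookie presented from a different address fails the IP binding.
    verdict, _ = handle_request("198.51.100.7", {COOKIE_NAME: cookie}, now + 1)
    results["replay_other_ip"] = verdict
    # After the TTL the cookie expires and the client is simply re-challenged.
    verdict, _ = handle_request("203.0.113.10", {COOKIE_NAME: cookie}, now + COOKIE_TTL + 5)
    results["expired"] = verdict
    return results


if __name__ == "__main__":
    for case, verdict in simulate().items():
        print(f"{case:16} -> {verdict}")
```

Binding the cookie to the client address is what keeps a cookie harvested by one client from being reused by many; the trade-off, which the text's remark about "minimal impact to legitimate users" glosses over, is that clients behind a NAT or a mobile carrier whose address changes mid-session get re-challenged, which is cheap here because the challenge is invisible to a browser.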
Signatures
Both vendors offer vendor signatures and customer signatures. CloudFlare is better on vendor signatures, as it provides visibility into the signature name and lets the user control its action, while with Incapsula it is a black-box service. On customer signatures Incapsula is better, with its excellent pre-IncapRules language that allows even beginners to compose meaningful signatures. CloudFlare takes a different approach: you describe in plain English what you want the signature to do and submit it, and CloudFlare's support writes the signature for you, which means you will not be able to review it or change its action.
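The two properties the paragraph measures the vendors on, whether you can see a signature's name when it fires and whether you can change its action, are easiest to appreciate with a minimal signature engine in hand. The following is an added example written for this page; it is not IncapRules, not CloudFlare's rule format, and not either vendor's code. Signatures are named, carry a source (vendor or customer) and an action, and match when every listed request field satisfies its regular expression; the engine reports which signatures fired and applies the most severe action. The signature contents, the field names and the sample requests are all constructed.

```python
import re
from dataclasses import dataclass

# Lower value wins when several signatures fire on one request.
SEVERITY = {"block": 0, "challenge": 1, "alert": 2}


@dataclass
class Signature:
    name: str          # visible in every verdict, so an operator can tell what fired
    source: str        # "vendor" or "customer"
    action: str        # one of SEVERITY
    conditions: dict   # request field -> regex; all must match (absent fields match as "")

    def matches(self, request: dict) -> bool:
        return all(re.search(pattern, request.get(field, "")) for field, pattern in self.conditions.items())


class SignatureEngine:
    def __init__(self, signatures):
        self.signatures = list(signatures)

    def set_action(self, name: str, action: str) -> bool:
        """The control the text praises: change what a named signature does without rewriting it."""
        if action not in SEVERITY:
            raise ValueError(f"unknown action {action!r}")
        for sig in self.signatures:
            if sig.name == name:
                sig.action = action
                return True
        return False

    def evaluate(self, request: dict):
        """Return (action, [names of signatures that fired]); 'allow' when nothing matched."""
        hits = [s for s in self.signatures if s.matches(request)]
        if not hits:
            return "allow", []
        hits.sort(key=lambda s: SEVERITY[s.action])   # stable: ties keep definition order
        return hits[0].action, [s.name for s in hits]


def build_engine() -> SignatureEngine:
    """Constructed signature set: one 'vendor' research signature and two 'customer' rules."""
    return SignatureEngine([
        Signature("vendor:example-scanner-ua", "vendor", "block",
                  {"user_agent": r"^ExampleScanner/"}),
        Signature("customer:login-no-referer", "customer", "challenge",
                  {"path": r"^/login$", "method": r"^POST$", "referer": r"^$"}),
        Signature("customer:admin-from-outside", "customer", "alert",
                  {"path": r"^/admin", "client_ip": r"^(?!10\.)"}),
    ])


# Constructed requests, not real traffic.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.5", "method": "GET", "path": "/", "user_agent": "Mozilla/5.0", "referer": ""},
    {"client_ip": "198.51.100.9", "method": "GET", "path": "/", "user_agent": "ExampleScanner/2.1", "referer": ""},
    {"client_ip": "203.0.113.8", "method": "POST", "path": "/login", "user_agent": "Mozilla/5.0", "referer": ""},
    {"client_ip": "203.0.113.8", "method": "POST", "path": "/login", "user_agent": "Mozilla/5.0",
     "referer": "https://www.example.com/login"},
    {"client_ip": "10.0.0.4", "method": "GET", "path": "/admin/users", "user_agent": "Mozilla/5.0", "referer": ""},
    {"client_ip": "198.51.100.9", "method": "GET", "path": "/admin/users", "user_agent": "ExampleScanner/2.1",
     "referer": ""},
]


def run(engine: SignatureEngine = None) -> list:
    """Evaluate every sample request and return the list of (action, fired) verdicts."""
    engine = engine or build_engine()
    return [engine.evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (action, fired) in zip(SAMPLE_REQUESTS, run()):
        print(f"{req['client_ip']:14} {req['method']:4} {req['path']:13} -> {action:9} {fired}")
```

Because `evaluate()` returns the signature names alongside the action, a blocked request is explainable, and `set_action()` lets an operator downgrade a vendor signature that is producing false positives to `alert` while keeping it visible; a black-box service gives you neither lever, which is exactly the difference the paragraph describes.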
| Mitigation feature | Incapsula | CloudFlare |
|---|---|---|
| Reverse Proxy | | |
| Caching | | |
| Web Challenges | | |
| Cookie Validation | | |
| JavaScript Challenge | | |
| Silent Bot Detection | | |
| Modern CAPTCHA | | |
| CAPTCHA | | |
| Signatures | | |
| Vendor | | |
| Customer | | |
| Blacklist (BL) / Whitelist | | |
| BL IP | | |
| BL Geo-protection | | |
| Whitelist | | |
| BL URL | | |
| BL IP | | |
| Rate Limit | | |
| IP | | |
| URL | | |
| Geo-protection | | |
| DNS | | |
| DNS protection | | |
| SCORE | 96% | 73% |

Incapsula offers most of the web challenges available.

CloudFlare's largest security gap is the lack of rate limit protections.

Definitions used in the table:

- Reverse Proxy: a server that receives the client's request, and then requests it indirectly from the web server.
- Caching: in DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server.
- Web Challenges: a set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass and DDoS bots will fail.
- Cookie Validation: a type of web challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back.
- JavaScript Challenge: a web challenge used in DDoS mitigation to filter out attackers from legitimate clients by sending JavaScript code that most attackers are unable to process and pass successfully.
- Silent Bot Detection: an advanced web challenge technology that detects bots using passive and active checks to validate whether the client is a human or a bot, for example by checking for the existence of a mouse and keyboard.
- Modern CAPTCHA: a type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier for humans to pass than a traditional CAPTCHA.
- CAPTCHA: a type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users.
- Signatures: a detection mechanism in which DDoS attacks are detected and blocked based on a known pattern, or signature, associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered.
- Vendor: vendor signatures come in large numbers and are based on the vendor's research.
- Customer: customer signatures, or 'user signatures', are signatures created by the user, typically during an attack or after it.
- Blacklist (BL) / Whitelist: blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path.
- Rate Limit: a technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network.
- DNS protection: the technology or service in charge of protecting DNS servers.
Incapsula vs. CloudFlare - Mitigation
Rate Limit
On Rate Limit, CloudFlare has a large and important gap. Stopping attacks with Rate Limit technologies is usually not recommended, since they can end up rate-limiting legitimate users as well, but in some scenarios it is still important, for example to protect mobile APIs. Challenges are often unusable with RESTful APIs, so Rate Limit can be your only savior.
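The paragraph's point, that an API client cannot run a JavaScript challenge but can still be held to a request budget, is illustrated by the following added example (not code from the page or from either vendor). It implements a sliding-window limiter and applies two of the rate-limit scopes the mitigation table lists, a per-IP ceiling and a tighter per-(IP, path) ceiling, to a constructed request stream containing a well-behaved mobile app, a client flooding one login endpoint, and a client whose burst on one path should not take down its other traffic. Limits, addresses, paths and timings are all constructed.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps still inside the window

    def allow(self, key, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # forget events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def make_traffic() -> list:
    """Constructed request stream of (timestamp, client_ip, path); not real logs."""
    reqs = []
    # Legitimate mobile app: one feed poll every 3 s for two minutes (40 requests).
    for i in range(40):
        reqs.append((i * 3.0, "203.0.113.10", "/api/v1/feed"))
    # Abusive client: 600 login calls in 60 s, ten per second.
    for i in range(600):
        reqs.append((i * 0.1, "198.51.100.7", "/api/v1/login"))
    # Mixed client: steady feed polling plus a 100-request burst on /api/v1/search.
    for i in range(30):
        reqs.append((i * 2.0, "203.0.113.25", "/api/v1/feed"))
    for i in range(100):
        reqs.append((10.0 + i * 0.1, "203.0.113.25", "/api/v1/search"))
    reqs.sort(key=lambda r: r[0])
    return reqs


def run_rate_limits(requests, ip_limit: int = 120, url_limit: int = 30, window: float = 60.0) -> dict:
    """Apply the per-(IP, path) rule and then the IP-wide rule; return allowed/blocked counts per IP.

    The narrower rule is checked first so a burst on one path is contained by that path's budget
    and a request it rejects never draws down the client's IP-wide budget.
    """
    by_url = SlidingWindowLimiter(url_limit, window)
    by_ip = SlidingWindowLimiter(ip_limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, path in requests:
        if by_url.allow((ip, path), ts) and by_ip.allow(ip, ts):
            stats[ip]["allowed"] += 1
        else:
            stats[ip]["blocked"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in sorted(run_rate_limits(make_traffic()).items()):
        print(f"{ip:14} allowed={counts['allowed']:4} blocked={counts['blocked']:4}")
```

The numbers show the trade-off the text warns about: the mobile app (40 requests, well under both limits) is never touched, the login flood is cut to 30 requests per minute, and the mixed client keeps all of its feed traffic while only its search burst is clipped. Tune `url_limit` against what a real client of that endpoint does, not against the attack, or the limiter starts "rate-limiting" legitimate users exactly as the paragraph cautions.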
Network Protection
UX and Reporting
User Experience (UX) is important as it determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.
In UX per se, the difference between the vendors is not dramatic. Incapsula's look-and-feel is really excellent, while CloudFlare's is somewhat old school for a cloud service. Nevertheless, it is still very easy to navigate and find the function you need with both vendors.
Security Configuration
Both vendors' security configuration is good, and the limitation of each vendor in using signatures has been covered earlier. One disturbing element with CloudFlare is the inability to independently block a URL, probably the most basic thing you can ask from a WAF. It can be done, but only as a full-service feature. Why not provide a simple interface just like the one provided for blocking an IP or a country?
Real-time monitoring
We did not have access to CloudFlare's real-time monitoring (RTM). Incapsula's RTM, which we did review, is great: it is granular and clearly shows allowed versus blocked traffic. It took about 15 seconds for traffic to appear, which is excellent performance for a cloud service with distributed POPs.
You can consume the security events generated by Incapsula in several ways: on their portal, by receiving an email, via syslog, and when under attack they will also call you. CloudFlare displays events on its portal and will call you in the case of a severe attack. It lacks a push notification method and offers no email or syslog options. CloudFlare does offer a REST API to pull the alerts, but it is unlikely that everyone would want to implement a REST client just to know what is going on in their network.
Forensic
Oddly, blocking a URL in CloudFlare can be done only with a request to its support.

| UX & reporting | Incapsula | CloudFlare |
|---|---|---|
| Look and Feel | Excellent | Good |
| Ease-of-Navigation | Excellent | Good |
| Deployment | | |
| New website (DNS) | Excellent | Excellent |
| New network (BGP) | Full Service | Unknown |
| Security | | |
| Block IP | Excellent | Excellent |
| Block URL | Excellent | Full Service |
| Web Challenge | Excellent | Excellent |
| Signatures (vendor) | Black-box | Excellent |
| Signatures (Customer) | Excellent | Full Service |
| Security | | |
| Real Traffic | Excellent | Unknown |
| Blocked Traffic | Excellent | Unknown |
| Block IP | Response Time | Unknown |
| Events | | |
| Web logs | Excellent | Excellent |
| Call | | |
| Syslog | | |
| REST | | |
| Forensics | | |
| Detailed alert | Excellent | Excellent |
| Event capture file | | |
| RT capture file | | |
| Score | 77% | 69% |

Both vendors provide good look and feel, but Incapsula is better.

CloudFlare provides visibility and control of its own signatures.

Incapsula provides more options to send events.

Definitions used in the table:

- Look and Feel: the overall user experience provided by a service, meaning the graphical design, organization of data and ease of navigation.
- Web Challenge: a set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass and DDoS bots will fail.
- Signatures (vendor): vendor signatures come in large numbers and are based on the vendor's research.
- Signatures (Customer): customer signatures, or 'user signatures', are signatures created by the user, typically during an attack or after it.
- Forensics: DDoS forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker's characteristics or identity.
CloudFlare vs. Incapsula - UX & Reporting
Pricing
CloudFlare and Incapsula, like most vendors, do not provide official pricing for their Enterprise service; the only way to retrieve this information is to request a quote.
SMB Pricing: SMB pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section.
Bottom Line
If we take the liberty of comparing the vendors from a higher vantage point, observing the entire portfolio, it seems that CloudFlare targets a much wider audience. It offers numerous services, operates an application market, and appeals to the multiple needs of different organizations, especially SMBs. Incapsula offers fewer services, but they seem to be more complete and focused.
From the narrow DDoS point of view, both services are mature; choosing either of them to protect your service from DDoS attacks would be a good option. However, Incapsula’s service is more complete than CloudFlare’s in all the categories reviewed. Put differently, if you need only DDoS protection and you receive the same quote, Incapsula has a clear advantage.
How to make a decision?

- Receive a quote.
- Investigate the stability and support of each vendor.
- Read the How to Complete the Vendor Selection section.
Additional Relevant Chapters:
- Individual vendor reviews: F5, CloudFlare
- Next steps - completing your evaluation