Enterprise Web Protection
Incapsula vs. CloudFlare

Some organizations require strong web protection (DNS diversion), but can do without infrastructure protection (BGP diversion) or a physical appliance. This will be the case when the DDoS threat and/or the potential damage are not considered critical enough to justify the extra investment.

For such requirements, CloudFlare and Incapsula provide solutions that also include acceleration built into the DDoS service.

DDoS Review

Deployment & Service Options

As cloud-based services, both CloudFlare and Incapsula offer basic web protection (DNS diversion) and network protection (BGP diversion). Both provide a free tier, services for SMBs and services for enterprises.

CloudFlare offers 86 POPs vs. Incapsula's 30, but the effect of this on DDoS mitigation is only indirect (see Number of data centers).

If your organization runs a non-web service, such as a proprietary protocol, only Incapsula can serve you, with its latest IP Protection topology.

 
On the cloud front, vendor deployment and service options are relatively similar.

DNS

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack.

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

Non-web protocols

Non-web protocol support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network.

(IP Protection)
Incapsula can protect non-web protocols even if you don’t have a Class C network.

Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

Emergency response

A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack.

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities.

Number of data centers

The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on DDoS mitigation but may still act as an important decision factor.

Incapsula: 30 / CloudFlare: 79
 

Incapsula vs. CloudFlare - Deployment

Mitigation

Web proxy and caching

Both vendors have a web proxy with caching capabilities. This may not be the most sophisticated technology, yet it is the most effective and will succeed in blocking many attacks. However, today’s attackers are persistent and will find ways to get past this mitigation, foremost by attacking dynamic pages.

Web Challenges

This leads us to the next most significant mitigation: web challenges. Ideally we want the vendor to provide the full challenge spectrum. Incapsula offers 4 out of the 5 challenges. The only one missing is the modern CAPTCHA; in the unlikely event that its JS challenge is not effective, it would have been slightly better to have this. CloudFlare offers only two out of the five challenges. This does not mean it will be unable to stop DDoS attacks, only that you will need to use a bigger hammer than you intended. CloudFlare does not have plain Cookie Validation, which in most cases is enough to stop the attack with minimal impact on legitimate users and legitimate bots. CloudFlare also does not have Silent Human Investigation, so in the case of a bot that passes the JS challenge (e.g. PhantomJS) you will be forced to escalate to the intrusive modern CAPTCHA. The traditional CAPTCHA is also not used by CloudFlare, but since they have the modern version this is reasonable. Another annoying thing is that CloudFlare’s JS challenge is visible to the user.
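To show what plain cookie validation, the first rung of the challenge ladder above, actually checks, here is an added example (not code from either vendor or from this review): a minimal reverse-proxy handler that issues an HMAC-signed, IP-bound, expiring cookie and forwards only clients that present it back. The cookie name, the client-IP binding and the TTL are assumptions made for the demo.

```python
import hashlib, hmac, secrets, time
from typing import Dict, Optional, Tuple

# Added example of a cookie-validation challenge in front of an origin server.
# Assumptions (not from the review): the proxy knows the client IP, SECRET is
# generated per deployment, and a token is accepted for TTL seconds.
SECRET = secrets.token_bytes(32)
COOKIE_NAME = "ddos_chal"
TTL = 600

def _sign(ip: str, issued: int) -> str:
    return hmac.new(SECRET, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()

def issue_cookie(ip: str, now: Optional[int] = None) -> str:
    """Token = issue time + HMAC over (client IP, issue time)."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sign(ip, issued)}"

def cookie_is_valid(ip: str, value: str, now: Optional[int] = None) -> bool:
    """Accept only an unexpired token whose MAC matches this client IP."""
    try:
        issued_s, mac = value.split(".", 1)
        issued = int(issued_s)
    except ValueError:          # missing, malformed or tampered token
        return False
    now = int(time.time() if now is None else now)
    if not 0 <= now - issued <= TTL:
        return False
    return hmac.compare_digest(mac, _sign(ip, issued))

def handle(ip: str, cookies: Dict[str, str], now: Optional[int] = None) -> Tuple[int, Dict[str, str]]:
    """200: forward to origin. 307: set the cookie and send the client back."""
    if cookie_is_valid(ip, cookies.get(COOKIE_NAME, ""), now):
        return 200, {}
    set_cookie = f"{COOKIE_NAME}={issue_cookie(ip, now)}; HttpOnly; Path=/"
    return 307, {"Set-Cookie": set_cookie, "Location": "/"}

class BrowserLike:
    """Keeps cookies and follows the redirect, as a real browser would."""
    def __init__(self, ip: str):
        self.ip, self.jar = ip, {}
    def get(self, now: Optional[int] = None) -> int:
        status, hdrs = handle(self.ip, self.jar, now)
        if status == 307:
            name, rest = hdrs["Set-Cookie"].split("=", 1)
            self.jar[name] = rest.split(";", 1)[0]
            status, _ = handle(self.ip, self.jar, now)
        return status

class NaiveBot:
    """Fires raw requests with no cookie jar: every attempt is challenged again."""
    def __init__(self, ip: str):
        self.ip = ip
    def get(self, now: Optional[int] = None) -> int:
        return handle(self.ip, {}, now)[0]

def demo() -> Tuple[int, int]:
    # Constructed client IPs; returns (browser status, naive bot status).
    return BrowserLike("203.0.113.10").get(), NaiveBot("198.51.100.7").get()
```

A bot that does keep a cookie jar passes this check, which is exactly why the review treats cookie validation as the least intrusive rung and escalates to the JS challenge and CAPTCHAs only when it is not enough.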

Signatures

Both vendors offer vendor signatures and customer signatures. CloudFlare is better at vendor signatures, as it provides visibility of the signature name and allows the user to control its action, while with Incapsula it is a black-box service. In user signatures Incapsula is better, with its excellent pre-IncapRules language allowing even beginners to compose meaningful signatures. CloudFlare takes a different approach: you write in plain English what you want the signature to do and submit it. CloudFlare’s support writes the signature for you, which means you will not be able to review it or change its action.

       

Reverse Proxy

A server that receives the client’s request and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface of the targeted server.

Caching

In DDoS mitigation, web caching is done by reverse proxies, which together act as a prominent line of defense by blocking attacks from reaching the web server.

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-driven browsers will typically pass and DDoS bots will fail.

Cookie Validation

A type of web challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting that the client send it back.

Incapsula offers most of the web challenges available.

JavaScript Challenge

A web challenge used in DDoS mitigation to filter out attackers from legitimate clients by sending JavaScript code that most attackers are unable to process and pass successfully.

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate whether the client is a human or a bot, for example by checking for the presence of a mouse and keyboard.

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier for humans to pass than a traditional CAPTCHA.

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users.

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on a known pattern, or signature, associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered.

Vendor

Vendor signatures come in large numbers and are based on the vendor’s research.

Customer

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Blacklist (BL) / Whitelist

Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as IP address, geographical location or URL path.

BL IP

BL Geo-protection

Whitelist

BL URL

Rate Limit

A technology used in DDoS mitigation that ensures that no single entity sends too many transactions to the protected server or network.

IP

URL

CloudFlare’s largest security gap is the lack of rate limit protections.

Geo-protection

DNS

DNS protection

The technology or service in charge of protecting DNS servers.

SCORE

Incapsula: 96% / CloudFlare: 73%
       


Incapsula vs. CloudFlare - Mitigation

Rate Limit

In rate limiting, CloudFlare has a large and important gap. While it is usually not recommended to stop attacks with rate limit technologies, which can end up “rate-limiting” legitimate users as well, in some scenarios it is still important, such as protecting mobile APIs. Challenges are often unusable with RESTful APIs, and rate limiting can be your only savior.
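As an added illustration of the per-IP and per-URL rate limits compared above (example code, not either vendor’s implementation), the sliding-window limiter below runs over constructed request lines in which five sources spread a flood across one API endpoint: no single IP trips the per-IP limit, the per-URL limit does, and a legitimate client posting to the same endpoint is limited along with them, which is the collateral effect the paragraph warns about. The window, thresholds, IPs and paths are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

class SlidingWindowLimiter:
    """Sliding-window request counters kept per client IP and per URL path."""
    def __init__(self, window_s: float, per_ip: int, per_url: int):
        self.window = window_s
        self.limits = {"ip": per_ip, "url": per_url}
        self.hits: Dict[str, Dict[str, Deque[float]]] = {
            "ip": defaultdict(deque), "url": defaultdict(deque)}

    def check(self, ip: str, path: str, ts: float) -> Tuple[bool, str]:
        """Record the request in both dimensions; return (allowed, reason)."""
        verdict = (True, "ok")
        for dim, key in (("ip", ip), ("url", path)):
            q = self.hits[dim][key]
            while q and ts - q[0] > self.window:   # drop hits outside the window
                q.popleft()
            if len(q) >= self.limits[dim] and verdict[0]:
                verdict = (False, dim)             # first exceeded dimension wins
            q.append(ts)   # blocked requests still count, so a hammering source stays limited
        return verdict

def parse_line(line: str) -> Tuple[float, str, str, str]:
    """Constructed log format: '<seconds> <client ip> <method> <path>'."""
    ts, ip, method, path = line.split()
    return float(ts), ip, method, path

def build_log() -> List[str]:
    # Constructed traffic: 5 source IPs spread 50 POSTs to /api/login over one
    # second, so no single IP exceeds the per-IP limit; one legitimate client
    # posts once to /api/login and later reads /api/profile.
    lines = [f"{k * 0.02:.2f} 198.51.100.{k % 5 + 1} POST /api/login" for k in range(50)]
    lines += ["0.99 203.0.113.5 POST /api/login", "2.50 203.0.113.5 GET /api/profile"]
    return sorted(lines, key=lambda l: float(l.split()[0]))

def run(lines: List[str], window_s: float = 1.0, per_ip: int = 20, per_url: int = 30) -> Dict[str, object]:
    """Replay the log through the limiter and summarise what was blocked and why."""
    lim = SlidingWindowLimiter(window_s, per_ip, per_url)
    summary: Dict[str, object] = {"allowed": 0, "blocked": 0,
                                  "by_reason": defaultdict(int), "blocked_legit": []}
    for line in lines:
        ts, ip, _, path = parse_line(line)
        ok, reason = lim.check(ip, path, ts)
        if ok:
            summary["allowed"] += 1
        else:
            summary["blocked"] += 1
            summary["by_reason"][reason] += 1
            if ip.startswith("203.0.113."):       # the constructed legitimate client
                summary["blocked_legit"].append(line)
    return summary
```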

Network Protection

Incapsula Network Protection (BGP) is a black-box. You cannot configure or understand what actions are taking place and how effective they are. No information could be received from CloudFlare on this issue.

CloudFlare Web Challenge

UX and Reporting

User Experience (UX) is important as it determines how much of the existing functionality you will utilize, how quickly you will understand a security event, and how quickly you can respond while under attack.

In UX per se, the difference between the vendors is not dramatic. Incapsula’s look-and-feel is really excellent, and CloudFlare’s is somewhat old school relative to other cloud services. Nevertheless, it is still very easy to navigate and find the function you need with both vendors.

Security Configuration

Both vendors’ security configuration is good, and the limitations of each vendor in using signatures have been covered earlier. One disturbing element with CloudFlare is the lack of a self-service way to independently block a URL, probably the most basic thing you can ask from a WAF. This can be done, but it is a full-service feature. Why not provide a simple interface just like the one provided for blocking an IP or a country?

Real-time monitoring

We did not have access to CloudFlare’s real-time monitoring (RTM). Incapsula’s RTM, which we did review, is great. It is granular and shows allowed versus blocked traffic clearly. It took about 15 seconds for traffic to appear, which is excellent performance for a cloud service with distributed POPs.

You can consume the security events generated by Incapsula in several ways: on their portal, by email, via syslog, and when under attack they will also call you. CloudFlare displays events on their portal and will call you in the case of a severe attack. It lacks a push notification method and offers no email or syslog options. CloudFlare does offer a REST API to pull the alerts, but it is unlikely that everyone would want to implement a REST client to know what is going on in their network.

Forensic


 
Oddly, blocking a URL in CloudFlare can be done only with a request to its support.

Look and Feel

The overall user experience provided by a service: the graphical design, organization of data and ease of navigation.

Incapsula: Excellent / CloudFlare: Good

Ease-of-Navigation

Incapsula: Excellent / CloudFlare: Good

Both vendors provide good look and feel, but Incapsula is better.

Deployment

CloudFlare provides visibility and control of its own signatures.

New website (DNS)

Incapsula: Excellent / CloudFlare: Excellent

New network (BGP)

Incapsula: Full Service / CloudFlare: Unknown

Security

Block IP

Incapsula: Excellent / CloudFlare: Excellent

Block URL

Incapsula: Excellent / CloudFlare: Full Service

Incapsula provides more options to send events.

Web Challenge

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-driven browsers will typically pass and DDoS bots will fail.

Incapsula: Excellent / CloudFlare: Excellent

Signatures (vendor)

Vendor signatures come in large numbers and are based on the vendor’s research.

Incapsula: Black-box / CloudFlare: Excellent

Signatures (Customer)

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Incapsula: Excellent / CloudFlare: Full Service

Security

Real Traffic

Incapsula: Excellent / CloudFlare: Unknown

Blocked Traffic

Incapsula: Excellent / CloudFlare: Unknown

Block IP

Response Time

CloudFlare: Unknown

Events

Web logs

Incapsula: Excellent / CloudFlare: Excellent

Email

Call

Syslog

REST

Forensics

DDoS forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker’s characteristics or identity.

Detailed alert

Incapsula: Excellent / CloudFlare: Excellent

Event capture file

RT capture file

Score

Incapsula: 77% / CloudFlare: 69%
 

CloudFlare vs. Incapsula - UX & Reporting

Pricing

CloudFlare and Incapsula, like most vendors, do not provide official pricing for their Enterprise service; the only way to retrieve this information is to request a quote.

SMB Pricing

SMB pricing is covered in the SMBs – CloudFlare Business vs Incapsula Business section.

Bottom Line

If we take the liberty of comparing the vendors from a higher vantage point, observing the entire portfolio, it seems that CloudFlare targets a much wider audience. It offers numerous services, operates in an application market, and appeals to the multiple needs of different organizations, especially SMBs. Incapsula offers fewer services, but they seem to be more complete and focused.

From the narrow DDoS point of view, both services are mature; choosing either of them to protect your service from DDoS attacks would be a good option. However, Incapsula’s service is more complete than CloudFlare’s in all the categories reviewed. Put differently, if you need only DDoS protection and you receive the same quote, Incapsula has a clear advantage.

How to make a decision?

• Receive a quote.
• Investigate the stability and support of each vendor.
• Read the How to Complete the Vendor Selection section.
