F5

F5 Networks (in short, 'F5') was founded in 1996 and is known for its load-balancing products. In 2004 it acquired and incorporated a WAF technology branded as ASM (Application Security Manager). When DDoS became mainstream, it added multiple DDoS mitigation features to the WAF.

In 2014 it acquired Defense.Net, a cloud-based DDoS mitigation service similar to Prolexic. (In fact, it is a reboot by the same founder.) Defense.Net was branded as F5 Silverline. With this step, F5 positioned itself as a significant player in the DDoS market, at least based on its technology portfolio.


F5 Silverline

Deployment & Service Options

F5 Silverline’s cloud-based protection provides both BGP and DNS-based diversion, always-on and on-demand, and supports L4 proxy for non-web protocols.

For an on-premise solution, F5 has its mature WAF, ASM, which can reside on top of its BIG-IP load balancer or stand alone. It can be either physical or virtual.

F5 easily addresses the deployment requirements of most enterprise organizations. It will also secure the investment for those organizations, as it offers various means to expand the service, especially by adding a hybrid solution.

F5 has two main deployment limitations. The first is that it does not have a dedicated DDoS appliance for organizations that wish to mitigate most attacks on-site rather than in the cloud. The second limitation is that F5 Silverline has no offering for SMBs or enterprises with modest DDoS needs. Its cheapest cloud service is $75,600 USD per year (pricelist). F5’s solutions can be very appealing to organizations that already have the common F5 BIG-IP.

F5 Silverline has four data centers, which is very limited. (In comparison, Incapsula has 30, CloudFlare 86, and Akamai 1000.) However, F5 Silverline is not intended to act as a CDN, and this is not considered a direct limitation from a mere DDoS point of view. It can be a drawback to customers who have specific latency or data center location requirements (see Number of Data Centers).

       

Diversion Method: DNS

F5 deployment and service options can cater to most organizations. F5 also has a WAF appliance.

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent, whereas in ‘On-demand’ the diversion is made only during an attack.

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

Non-web protocols

Non-web protocol support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network.

F5’s unique ‘L4 Proxy’ can protect non-web services even if the organization does not have a Class C network.

Diversion Method: BGP

Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organization’s traffic to a cloud service provider for inspection before it reaches the enterprise network.

Always-on


On-demand


Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

Emergency response

A team of experts that can help customers under DDoS attack to identify, analyze and mitigate the attack.

F5 offers fully managed services.

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities.

Number of Data Centers

The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on DDoS mitigation but may still be an important decision factor.

4


San Jose, CA US; Ashburn, VA US; Frankfurt, DE; Singapore, SG

Entry Level

F5’s entry level does not allow SMBs to join in.

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually.

       


F5 Deployment & Service Options

Mitigation

Web Protection

F5 has literally all the mitigation technologies mapped by this report (100% coverage). Most are accessible directly, and the rest can be configured via its iRules. This complete coverage allows F5 not only to protect against virtually any attack out there, but to do so very accurately (without false positives).

Infrastructure Protection

F5’s Silverline Route is its network protection, based on BGP diversion. Like all cloud-based services reviewed in this report, the network mitigation is a black box, which does not allow the quality of protection to be assessed. On the bright side, F5 Silverline is forthcoming with its data center architecture, and the details it provides give some, though limited, confidence. See more details below.

Data Center Structure

F5 Silverline is forthcoming with its data center structure and states its general structure, providing visibility to its customers and prospects.

F5 Scrubbing Center Architecture

       

Proxy / Caching

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface of the targeted server.

Reverse Proxy

Caching

In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server.

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that legitimate human-operated browsers will typically pass and DDoS bots will fail.

F5 offers all the web challenges in the spectrum.

Cookie Validation

A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back.

JavaScript Challenge

A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending JavaScript code that most attackers are unable to process and pass successfully.

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate whether the client is a human or a bot – for example, by checking for the existence of a mouse and keyboard.

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA.

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users.

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered.

Vendor

Vendor signatures come in large numbers and are based on the vendor’s research.

Customer

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Blacklist (BL) / Whitelist

Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path.

BL IP

BL URL

BL Geo-protection

Whitelist

Rate Limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network.

IP

URL

Geo-protection

DNS

DNS protection

The technology or service in charge of protecting DNS servers.

SCORE

100%
F5 mitigation technologies are literally complete.
       


F5 Mitigation

WORTH NOTING: Scrubbing Center White-Box Approach
Vendors specify the number of scrubbing centers (SCs) and locations, but the scrubbing centers themselves are presented as black-boxes. F5 Silverline is unique in specifying its SC architecture. This report gives credit to such an approach because it benefits end users. It allows for scrutiny and criticism; for example, if any of the technologies used has limitations, customers can inquire how they will be affected. Many vendors hesitate to reveal their architecture due to competition; however, the white-box approach benefits the end user and is therefore encouraged.

UX and Reporting

Configuration

The experience with the F5 user interface starts with deployment options. The screens are very basic, yet efficient. When you configure a new entry and save it, the input goes to the SOC, which then approves and applies the setting. This adds a layer of expert control without affecting the positive self-service approach.

The mitigation screens of the F5 Silverline are very similar to those of the F5 ASM (as, indeed, the former is based upon the latter). The screens are not very well organized: there are too many objects, and it is difficult to distinguish between the detection and mitigation parameters. It feels more like a traditional network appliance UI than a modern, cloud-based service.

Mitigation Configuration

Real-Time Monitoring

Things get better in terms of real-time reporting. As you can see in the snapshots, the graphs are nice and accurate.

F5 Real-Time Monitoring

 
F5’s look and feel and navigation are only basic.
   

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation.

Basic

Ease-of-Navigation

Basic

Deployment

New website (DNS)

Basic

New Network (BGP)

Excellent

Security

Block IP (BGP)

Excellent

Block URL

Good

Web Challenge


Basic
F5’s vendor signatures are not available to view or configure.

Signatures (vendor)


Basic
F5 users can create signatures using the iRule syntax.

Signatures (customer)


Good

Security

Real Traffic

Excellent

Blocked Traffic

Excellent

Response Time

Unknown
Multiple methods to receive alerts.

Events

Web logs

Excellent

Email

Call

Syslog

REST

Excellent forensics with good alerts and the ability to extract capture files.

Forensics

DDoS Forensics is the digital forensic process to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker characteristics or identity.


Detailed alert

Excellent

Event capture file

Good

RT capture file

Full

SCORE

65%
 

F5 - UX & Reporting

DDoS Forensic

The logs of the network protection and application protection are unified. There is an interesting chat feature allowing you to issue a query to the SOC team to get more details about a security log. This is an excellent “SOC management tool” indicating the highly managed service level that F5 provides.

F5 Silverline Security Logs

Pricing

F5 Silverline has a fully Customer-Oriented Pricing Model. It is based on three parameters. The first is the service type: always-on versus on-demand ("always available" in F5's language). The second is the clean traffic bandwidth, and the third is the DC size and number of VIPs combined into one parameter.

F5 Silverline does not charge extra for its fully managed service, but realistically only always-on will benefit from it. It does not charge for attack traffic bandwidth; this is a unique yet very important positive factor in terms of its pricing model.

Pricing Factors
Always-on / On-demand
Clean traffic
Number of websites and data centers

F5 Pricing Model
