Imperva Incapsula

Imperva Incapsula DDoS Product Line

Incapsula is a company founded by Imperva in 2009. It spun off on its own for a short while, but was then re-acquired by Imperva in 2014. Incapsula started as a cloud-based WAF but, like many similar services, became a CDN+WAF+DDoS cloud solution. It originally served SMBs, but with time its DDoS appetite increased and it started to compete at the enterprise level. Because of this, it had to complete its BGP-based offering (on top of its traditional DNS diversion method). This latest addition was followed by a unique IP Protection diversion method, fully released in 2016. With the acquisition by Imperva, the joint brand also includes Imperva WAFs, which have on-premises DDoS capabilities. Together, the vendor has hybrid protection and the portfolio is very mature.


The following ‘Deployment’ section analyzes the Incapsula service and Imperva WAF product, while the rest of the analysis focuses on the Incapsula cloud service.

Incapsula Enterprise

Deployment & Service Options

On the cloud front, Incapsula supports all diversion methods, including DNS and BGP, and has introduced a new diversion method, IP Protection, to the market. The significance of supporting all diversion methods must be emphasized: the Incapsula service can be shaped to support any organization and, more importantly, it reduces risk. If the organization migrates some of its services to the cloud, acquires a Class C network, forfeits a Class C, or undergoes any other architectural change, Incapsula will still be able to follow and provision the new architecture.

On the on-premises front, Imperva offers both a physical and virtual WAF. The company, however, does not offer a dedicated DDoS appliance.

Imperva-Incapsula has two deployment limitations. The first is that it does not have a DDoS-dedicated appliance. Organizations that wish to invest in very strong on-premises DDoS protection are likely to avoid Incapsula. The second limitation is that it does not have a fully managed service, although a partially managed service can be added on top of its Enterprise plan.

 
Incapsula’s deployment and service options cater to most organizations. Imperva also has a WAF appliance.
   

Diversion Method: DNS

The diversion of traffic from the customer to the DDoS cloud provider using a Domain Name Server (DNS) change. DNS diversion is one of the primary methods used to divert traffic to a DDoS mitigation cloud service.

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack.

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

Non-web protocols

Non-web protocols support refers to the ability to protect non-web protocols (e.g., proprietary gaming protocols) even if the organization does not possess a Class C network.


(IP Protection)
Incapsula’s unique ‘IP Protection’ can protect non-web services even if the organization does not have a class C network.

Diversion Method: BGP

Border Gateway Protocol (BGP) is one of the prominent techniques used in DDoS mitigation to divert an organization’s traffic to a cloud service provider for inspection before it reaches the enterprise network.

Always-on

A DDoS mitigation architecture where traffic is diverted to a cloud provider’s data centers. In ‘Always-on’ the diversion is permanent whereas in ‘On-demand’ the diversion is made only during an attack.

On-demand

A DDoS mitigation architecture that, in contrast to ‘Always-on’, diverts traffic only during an attack. Before and after the attack, traffic goes directly to the customer without DDoS mitigation.

Service Features

SSL support – HSM

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

Fully managed service

A DDoS service where the customer isn’t required to take any proactive action in order to be fully protected, and the vendor is responsible for initiating all security activities.

The Incapsula service is partially managed, but is not a fully managed service.

Emergency response

A team of experts that can help customers while under DDoS attack to identify, analyze and mitigate the attack.

Number of data centers

The number of data centers, also referred to as POPs (points of presence) or ‘scrubbing centers’, that a vendor offers. It does not have a direct impact on the DDoS mitigation but may still act as an important decision factor.

30

Entry Level

SMB plans

DDoS SMB mitigation plans are intended for SMBs (Small-Medium Business) and are defined here as plans with a cost lower than $5,000 annually.

SMBs and enterprises with modest budgets have a lower entry level.
 

Imperva-Incapsula Deployment

Mitigation

Application Protection

Incapsula Web Protection is fully loaded with mitigation technology and is almost complete (96%). The wide combined technology coverage means that virtually all types of attacks can be blocked, and blocked accurately (with minimal significant false positives).

Infrastructure Protection

The network mitigation is a black box, so the customer can neither assess the quality of the protection nor control it.

       

Proxy / Caching

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface from the targeted server.

Reverse Proxy

A server that receives the client’s request, and then requests it indirectly from the web server.
Reverse proxies can act as an effective DDoS mitigation layer by reducing the attack surface from the targeted server.

Caching

In DDoS mitigation, web caching is done by reverse proxies, which act in tandem as a prominent line of defense by blocking attacks from reaching the web server.

Web Challenges

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail.

Incapsula offers almost all the web challenges in the spectrum.

Cookie Validation

A type of Web Challenge used in DDoS mitigation to filter out DDoS attackers from legitimate clients by sending a web cookie and requesting the client to send it back.

JavaScript Challenge

A Web Challenge that is used in DDoS mitigation to filter out attackers from legitimate clients by sending a JavaScript code that most attackers are unable to process and pass successfully.

Silent Bot Detection

An advanced web challenge technology that detects bots using passive and active checks to validate if the client is a human or a bot – for example, by checking for the existence of mouse and keyboard.

Modern CAPTCHA

A type of challenge intended to differentiate between computers and humans. A modern CAPTCHA is designed to be easier to pass for humans than CAPTCHA.

CAPTCHA

A type of challenge-response that helps mitigate DDoS attacks by blocking attacking computers while allowing entry to legitimate human users.

Signatures

A detection mechanism in which DDoS attacks are detected and blocked based on their known pattern or signature associated with a particular kind of attack. Signatures are saved in a database for matching when an attack is encountered.

Vendor

Vendor signatures come in large numbers and are based on the vendor’s research.

Customer

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Blacklist (BL) / Whitelist

Blacklists and whitelists enable blocking or allowing network access to entities based on parameters such as an IP address, geographical location or URL path.

BL IP

BL URL

BL Geo-protection

Whitelist

Rate Limit

A technology used in DDoS mitigation that ensures that each entity does not send too many transactions to the protected server or network.

IP

URL

Geo-protection

DNS

DNS protection

The technology or service in charge of protecting DNS Servers.

SCORE

96%
Incapsula mitigation technologies are very complete.
       


Incapsula Mitigation

UX & Reporting

Configuration

Incapsula’s user experience (UX) is at the top level of a modern SaaS service. Both beginners and experts will find it efficient.

Incapsula offers other services (CDN, WAF, LB). The downside of this is that there is no single DDoS view on the system and DDoS features are spread over two or three locations. Overall, this is a minor issue.

The User Signatures, called 'IncapRules', use a very intuitive language, allowing even beginners to compose complex signatures, including rate-limit rules. Nevertheless, this language does have limitations, and not everything you might wish for can be expressed. In such cases, Incapsula’s professional support team can be used to compose the rules.

Incapsula User Interface

Real-Time Reporting

Real-Time Monitoring

Incapsula provides sufficient real-time monitoring (RTM) that is especially valuable while under attacks. The RTM graph is very granular, clearly showing allowed traffic in comparison to blocked traffic, and the response time is excellent. It takes only 15 seconds for the traffic to appear, which is very good for a distributed cloud service.

       

Look and Feel

The overall user experience provided by a service – the graphical design, organization of data and ease of navigation.

Excellent
Incapsula’s look and feel is excellent, making the user experience both enjoyable and productive.

Ease-of-Navigation

Excellent

Deployment

New website (DNS)

Excellent

New network (BGP)

Full Service

Security

Block IP

Excellent

Block URL

Excellent

Web Challenge

A set of technologies used to filter out DDoS bots from real human beings by sending a certain request (the challenge) that typically legitimate human-based browsers will pass, and DDoS bots will fail.

Excellent
Incapsula’s vendor signatures cannot be viewed or configured

Signatures (vendor)

Vendor signatures come in large numbers and are based on the vendor’s research.

Black-box
Incapsula’s user signatures ‘IncapRules’ are both powerful and intuitive to use.

Signatures (customer)

Customer signatures, or ‘user signatures’, are signatures created by the user, typically during an attack or after it.

Excellent

Security

Real Traffic

Excellent

Blocked Traffic

Excellent

Block IP

Response Time

Events

Web logs

Excellent
Multiple methods to receive alerts.

Email

Call

Syslog

REST

Detailed alerts, but capture files cannot be extracted.

Forensics

DDoS Forensics is the digital forensic process used to better understand a DDoS attack, past or ongoing. The output of forensics can shed light on the attack vectors, attack tools and the attacker’s characteristics or identity.


Detailed alert

Excellent

Event capture file

RT capture file

Score

77%
       


Incapsula UX & Reporting

WORTH NOTING Incapsula User Interface Standard
Driving Incapsula is like driving a spaceship. It starts with a comfortable feeling by just gazing at the screen. It continues with the navigation process, which is very intuitive. For example, it is very easy to find the location of a certain property you configured a month ago. Real-time reporting is immediate and flexible. The IncapRules presentation and syntax allow a novice user to create expert signatures. This intuitive UI increases productivity and improves security, and can shorten mitigation time when under real-time attacks.

Reporting

Incapsula provides multiple reporting methods:

  • Email
  • Syslog
  • Call from Incapsula support

Incapsula does support REST API for a multitude of its functions, but not for security events, as it has the Syslog option to compensate for that.

Incapsula Alerts

DDoS Forensic

Incapsula’s DDoS Forensic is comprised of detailed and very accessible alerts. It offers a multitude of other real-time and historical reports that are not covered here, some of which can be used for DDoS.

An important caveat is that there are no logs for Infrastructure Protection at all, and there is no ability to extract a capture file.

Forensic Function

Exist

Detailed alert

Real-time capture file

Historical capture file


Incapsula Forensics

Pricing

Incapsula, like most vendors, does not publish its Enterprise pricelist, so the only way to know it is to request a quote.

Price Model

Incapsula’s pricing model is not a fully Customer-Oriented Pricing Model. We don’t like the fact that one pricing factor is the ‘maximal attack size’, because it shifts onto the customer a responsibility that is difficult to address.

Pricing Factors
Always-on / On-demand
Clean traffic
Number of websites and data centers
Maximal attack size

Incapsula Pricing Model

Incapsula Business (for SMB)

Incapsula’s Business plan costs $300 monthly ($3,600 USD annually) per web site, and gives you DDoS protection with some important limitations: no phone support, no real-time monitoring, and no network protection (BGP). Despite these limitations, it provides a good DDoS entry point for organizations with clear DDoS needs but without the budget for full-fledged protection.
