WAFv2 with header  
 

Recently the NSS testing lab published results of their first test recommending top technical Web Application Firewall technologies. F5 was one of 5 vendors NSS rated as “Recommended” for overall security effectiveness and total cost over performance, moving ahead of competitors like Imperva for the first time. This is great news for F5 and follows similar recent news from 451 and Gartner. NSS Labs executed critical testing using thousands of signatures to understand just how effective some of the most recognized WAF products would respond. What I like about this report is the fact that they ranked the firewalls based on actual and relevant product testing and usage, rather than more anecdotal surveyed information. If you’re interested in the methodology used to conduct this report, please check it out here at the NSS site.

NSS has summarized their finding in the Security Value Map (SVM), shown above. The Security Value Map shows how vendor products faired during testing of overall “Security Effectiveness” and “TCO per Protected-CPS”. Let me help you make sense of the value map and share some insights into data it represents.

Looking at the graph, you will see two dots for each vendor product tested. The top-level dot reflects product ranking using highly tuned security policies. The second dot is the ranking resulting from testing without tuning (protections turned off to prevent false positives). You can easily see that Imperva and F5 performed well in both cases. Dots representing each case are basically in the same place for these vendors representing the fact that F5 and Imperva WAFs are flexible enough to work in most scenarios. F5 comes out slightly ahead of Imperva, however, as enterprises want high performance, complete capability to write custom rules and a solid management interface in a WAF—things that F5 does slightly better. Barracuda, on the other hand, only scored high when policies were specifically tuned for the environment. Unfortunately security effectiveness went down significantly for Barracuda when tuning was omitted. Citrix and Fortinet had similar results.

BIG-IP Application Security Manager is very well positioned on the SVM, delivering one of the highest ratings for security effectiveness, with very low false positives and exceptional total cost of ownership per protected-CPS.

This Security Value Map is great confirmation of what we at F5 have known all along: BIG-IP Application Security Manager is a world class WAF, flexible enough to work in just about any environment, and should be an vital part of any company’s security infrastructure whether in house or adding value to cloud security services.

BIG-IP ASM delivers industry leading WAF capabilities for large-scale enterprises, service providers, and web properties that require a granular rules customization with high performance and unmatched scalability. ASM provides the most flexibility in policy creation with effective learning and policy management, and best-in-class protections against automated attacks, with the most comprehensive DAST integration solutions for streamlined and efficient virtual patching. ASM delivers more firsts than any other WAF vendor on the market, including the first to provide immediate solutions for Shellshock. Maybe that’s why analyst Daniel Kennedy in his recently published article titled ‘Diversifying Web Application Firewalls’ stated “Leadership in the WAF category changed from Imperva to F5 Networks”.

Read more about ASM

If you are an ASM customer this may be of interest to you

3 Way to Learn about turning on protections for Shellshock

If you are considering using BIG-ASM to protect your application

Visit the ASM product page on F5.com

Look at the Product Datasheet

Read the case study - Perkins Insurance

Download the Product Analysis Report from NSS labs

Learn about the differences between BIG-IP ASM and IPS