I want to compile a list of security features of F5 and how these compete against AWS "ALB/ELB + WAF" and Azure "Load Balancer + WAF" capabilities. Every solution has its own pros and cons in terms of availability, scalability, cost and most importantly the security features offered. But for this discussion, my main point is security advantage ONLY.
Any advice will be highly appreciated.
AWS/Azure offers good integration with other AWS/Azure services but the major benefits are limited to AWS/Azure clients.
BIG-IP ASM offers some of the following advantages (from the security perspective):
These are ASM security features from the product data sheet. I was mainly looking for the comparison of security features offered by F5 vs AWS/Azure to understand and justify the cost.
A pre-configured retail WAF solution typically has at least 85% of configuration done for you. As the end-user, you will end up having a few drop-down menus here and there, all laid out in an elegant and very easy-to-use management dashboard. There's very little actual control over security. In simple terms, you end up surrendering some quality of your security in return for a lower price. You trust the 85% they have done for you. You can take for granted that it's either a too restrictive and bulky policy, which ends up slowing your application due to a number of irrelevant security checks, or it's too loose, providing very little actual security benefit. And if you are not happy with that one-size-fits-all glove, you will pay for additional exceptions and extended control.
If the cost aspect should be ignored, then I'm not sure if I understand your question. There is not a single security benefit of having just one piece of protective glove for every application out there. A self-managed WAF with a fully 'customized for application' security policy wins all the time, every time, in every security aspect, or at minimum is on par in some aspects. I don't think this list would have much meaning, so best to disregard the security aspect and focus on others - manageability, cost (one-time product + on-going management) and do not forget the most important one - degradation of app performance. The last one in particular is something you should clarify before signing any contracts. The best WAF policy is the one that offers all the relevant-for-your-application protection with minimal degradation of app performance.
Thanks, I appreciate your feedback and agree with all of your points.
I simply need to document the security features of AWS/Azure WAF vs. F5 WAF (to complete the paperwork), i.e.
1 - Live signature updates
2 - WebSocket traffic filtering
Thanks in advance.
Well, as I see it, you can make up your own security rules/solutions when and where you need them, unlike in AWS, where you pay $ for each existing rule you choose to use. You have control with F5.