
Security Features Comparison of F5 vs AWS and Azure Load Balancers + WAF

Hi Experts

I want to compile a list of security features of F5 and how these compete against AWS "ALB/ELB + WAF" and Azure "Load Balancer + WAF" capabilities. Every solution has its own pros and cons in terms of availability, scalability, cost and, most importantly, the security features offered. But for this discussion, my main point is security advantage ONLY.

Any advice will be highly appreciated.

Thanks Porter


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

AWS/Azure offers good integration with other AWS/Azure services but the major benefits are limited to AWS/Azure clients.

BIG-IP ASM offers some of the following advantages (from the security perspective):

  1. PCI Compliance
  2. Carrier-Grade Hardware Platform (On-Premise Option)
  3. Advanced L7 DoS and DDoS detection including: HASH DoS, Slowloris, floods, Keep dead, XML bomb
  4. Web scraping prevention
  5. Advanced automated attack defense and bot detection
  6. Advanced protections against threats including: Web injections, data leakage, session hijacking, HPP attacks, buffer overflows, shellshock
  7. Geolocation blocking
  8. IP Intelligence (IP reputation) services
  9. SSL termination with re-encryption
  10. Security incident and violation correlation
  11. Client-side certification support
  12. Client authentication LDAP, RADIUS
  13. Database security integration (Oracle)
  14. Response checking
  15. Violation risk scoring
  16. Web service encryption and decryption
  17. Device-ID detection and fingerprinting
  18. Live signature updates
  19. WebSocket traffic filtering
  20. IP shunning (layer 3 blacklisting in HW) with BIG-IP AFM
Comments on this Answer
Comment made 27-Aug-2017 by Porter-Ed 1

These are ASM security features from the product data sheet. I was mainly looking for the comparison of security features offered by F5 vs AWS/Azure to understand and justify the cost.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

A pre-configured retail WAF solution typically has at least 85% of the configuration done for you. As the end-user, you will end up having a few drop-down menus here and there, all laid out in an elegant and very easy-to-use management dashboard. There's very little actual control over security. In simple terms, you end up surrendering some quality of your security in return for a lower price. You trust the 85% they have done for you. You can take it for granted that it's either a too restrictive and bulky policy, which ends up slowing your application due to a number of irrelevant security checks, or it's too loose, providing very little actual security benefit. And if you are not happy with that one-size-fits-all glove, you will pay for additional exceptions and extended control.

If the cost aspect should be ignored, then I'm not sure if I understand your question. There is not a single security benefit of having just one piece of protective glove for every application out there. A self-managed WAF with a fully 'customized for application' security policy wins all the time, every time, in every security aspect, or at minimum is on par in some aspects. I don't think this list would have much meaning, so best to disregard the security aspect and focus on others: manageability, cost (one-time product + ongoing management) and, do not forget the most important one, degradation of app performance. The last one in particular is something you should clarify before signing any contracts. The best WAF policy is the one that offers all the relevant-for-your-application protection with minimal degradation of app performance.

Comments on this Answer
Comment made 27-Aug-2017 by Porter-Ed 1

Thanks, I appreciate your feedback and agree with all of your points.

I simply need to document the security features of AWS/Azure WAF vs. F5 WAF (to complete the paperwork), i.e.

Features:

1 - Live signature updates

AWS: Yes Azure: No F5: Yes

2 - WebSocket traffic filtering

AWS: Yes Azure: No F5: Yes

--

--

Thanks in advance.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Well, as I see it, you can make up your own security rules/solutions when and where you need them, unlike in AWS, where you pay $ for each existing rule you choose to use. You have control with F5.
