Web application firewalls (WAFs) are a key component of enterprise security, and can be found in about 70% of U.S. enterprises. The best ones find the right balance between performance, security effectiveness, and overall cost.
The job of a WAF is to protect a specific web application from application-layer attacks. Where a network firewall filters on IP addresses and ports, a WAF inspects the HTTP requests and responses themselves, typically sitting between the perimeter firewall and the web server or application server. It blocks or flags malicious requests before they reach the application and can mask response details (server banners, error pages) so that attackers learn less about the server and application behind it. A WAF is a compensating control: it does not fix the vulnerabilities it shields, and rule-based detection can be evaded, so it complements rather than replaces secure coding and patching.
Key functions of a WAF include application protection against common attack classes such as SQL injection and cross-site scripting, the ability to filter out abnormal traffic and requests, signature-based protection, and anomaly detection. Beyond the core functions, WAF products are differentiated by the additional features they offer and their method of delivery. Some WAFs add load balancing, intrusion prevention (IPS), or integration with threat intelligence feeds. Others are part of a larger next-generation firewall (NGFW) or unified threat management (UTM) suite. They can be delivered as hardware appliances, as software, or as virtual appliances. While most are deployed on-premises, the cloud is a growing market for WAFs. In addition, WAFs vary in sophistication, pricing, ease of installation and use, and performance.
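To make the two detection modes just named concrete, here is a small illustration of how a WAF combines signature matching with anomaly scoring. This is an added example, not code from any vendor on this page: the six signatures, their severities, the block threshold of 5, the inspected header list and the sample requests are all constructed for the example, and a production rule set (for instance the OWASP Core Rule Set) has hundreds of rules rather than six.

```python
"""Toy WAF inspector: signature matching plus anomaly scoring over one HTTP request.
Added illustration only; signatures, severities and threshold are hypothetical."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus, urlsplit

# Constructed signatures, each with a severity that feeds the anomaly score.
SIGNATURES = [
    ("sqli-tautology",    re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"), 5),
    ("sqli-union",        re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"), 5),
    ("sqli-comment",      re.compile(r"--|/\*"), 3),
    ("xss-script-tag",    re.compile(r"(?i)<\s*script\b"), 5),
    ("xss-event-handler", re.compile(r"(?i)\bon[a-z]+\s*="), 3),
    ("path-traversal",    re.compile(r"\.\./"), 5),
]
BLOCK_THRESHOLD = 5                      # hypothetical: block once summed severity reaches this
INSPECTED_HEADERS = ("user-agent", "cookie", "referer")


@dataclass
class Verdict:
    blocked: bool
    score: int
    hits: list = field(default_factory=list)   # (field name, signature name) pairs


def decode(value: str, rounds: int) -> str:
    """URL-decode `rounds` times; a double-encoded payload (%2527) needs two passes."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value


def split_form(data: str, rounds: int, prefix: str):
    """Yield (name, value) pairs from a query string or urlencoded body."""
    for pair in data.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            yield prefix + decode(key, rounds), decode(val, rounds)


def inspect_request(method: str, target: str, headers: dict, body: str = "",
                    decode_rounds: int = 2) -> Verdict:
    """Run every signature over every user-controlled field and sum the severities."""
    parts = urlsplit(target)
    fields = [("path", decode(parts.path, decode_rounds))]
    fields += list(split_form(parts.query, decode_rounds, "query:"))
    for name, value in headers.items():
        if name.lower() in INSPECTED_HEADERS:
            fields.append(("header:" + name.lower(), value))
    if body:
        if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            fields += list(split_form(body, decode_rounds, "body:"))
        else:
            fields.append(("body", body))

    verdict = Verdict(blocked=False, score=0)
    fired = set()
    for fname, value in fields:
        for sig, pattern, severity in SIGNATURES:
            if pattern.search(value):
                verdict.hits.append((fname, sig))
                if sig not in fired:          # each signature counts once per request
                    fired.add(sig)
                    verdict.score += severity
    verdict.blocked = verdict.score >= BLOCK_THRESHOLD
    return verdict


# Constructed sample requests: (method, target, headers[, body]).
SAMPLES = {
    "benign": ("GET", "/search?q=running+shoes", {"User-Agent": "Mozilla/5.0"}),
    "sqli": ("GET", "/search?q=1%27+OR+%271%27%3D%271", {"User-Agent": "curl/8.0"}),
    "sqli-double-encoded": ("GET", "/search?q=1%2527+OR+%25271%2527%253D%25271",
                            {"User-Agent": "curl/8.0"}),
    "xss-in-header": ("GET", "/", {"User-Agent": "<script>alert(1)</script>"}),
    "low-score-only": ("POST", "/comment",
                       {"Content-Type": "application/x-www-form-urlencoded"},
                       "text=<img+src%3Dx+onerror%3Dalert(1)>"),
}


def run_samples():
    return {name: inspect_request(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:22} blocked={v.blocked} score={v.score} hits={v.hits}")
```

Two points the paragraph alone does not show: the double-encoded injection is caught only because the inspector decodes twice (call `inspect_request(..., decode_rounds=1)` on the same sample and the score drops to zero), which is the kind of normalization gap attackers probe for; and the `onerror=` payload scores 3, below the threshold, so it is logged but not blocked. Anomaly scoring trades single-rule false positives for exactly this sort of miss, which is why a WAF complements input validation and output encoding in the application rather than replacing them.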
Here are our picks for top WAF vendors, with links to in-depth pieces on each vendor and a chart at the end of this article comparing key metrics like percentage of exploits blocked and total cost of ownership (TCO). For information on our top vendor methodology, see Our Top Security Vendor Methodology.
- Fortinet FortiWeb
- Citrix NetScaler AppFirewall
- F5 Advanced WAF
- Radware AppWall
- Symantec WAF
- Barracuda WAF
- Imperva WAF
- Sophos XG Firewall
- SonicWall NSa
NSS Labs graded FortiWeb ahead of every competitor except Citrix on performance, security effectiveness, and TCO. It also scored well in Gartner Peer Reviews, second only to Radware. Users especially like its advanced security features and the flexibility of its pricing. If you are an enterprise looking for performance and value, Fortinet is a top contender.
Citrix AppFirewall scored very well in NSS Labs testing, coming out on top in security effectiveness, TCO, connections per second (CPS) and transactions per second. It scored second in block rate, just behind Fortinet. It scales effectively to very large deployments. AppFirewall, an add-on to NetScaler, does well with existing Citrix customers: anyone already running Citrix Application Delivery Controller (ADC) and other Citrix tools has AppFirewall as an obvious choice.
Read our in-depth review of Citrix NetScaler AppFirewall
Analysts, product testers and users all rate F5 highly. Forrester and Gartner rate F5 as a leader, and Gartner says it is one of the most frequently cited vendors in WAF appliance shortlists. Users rate it a close second behind Radware, giving it high marks for bot mitigation, advanced security, and support. Tests by NSS Labs placed F5 third in performance and TCO. It came out on top in security effectiveness, but placed fourth in block rate. All that makes F5 an obvious candidate to consider in any evaluation of WAF vendors, especially for large organizations.
Read our in-depth review of F5 Advanced WAF
Radware was tops in NSS Labs testing for security effectiveness and block rate, and second in TCO and connections per second (CPS). Its scalability and performance placed fourth in maximum CPS and transactions per second. Users grade it favorably overall, high in API security but low in bot mitigation. Radware doesn't appear on enterprise shortlists as frequently as some competitors and thus may be a better fit for the midmarket and carrier markets, particularly for buyers also seeking DDoS protection.
Read our in-depth review of Radware AppWall
Symantec's previous WAF, the Blue Coat product, scored poorly in NSS Labs testing and in Gartner Peer Reviews, and Gartner did not list Symantec in its last Magic Quadrant for WAFs. Since then, the company has released a new WAF product. It remains to be seen how it stacks up against the competition. In the absence of independent evaluation, those considering it are advised to test it in their own environment against their own applications and traffic.
Read our in-depth review of Symantec WAF
Barracuda Networks is a strong contender for application environments where the primary selection criteria for a WAF appliance are low cost or availability as a virtual appliance on the Microsoft Azure IaaS platform. It primarily caters to midsize enterprises. Users grade it well on support but gave it low marks for bot mitigation, API security, alerting, and reporting. Larger enterprises are unlikely to favor Barracuda WAF, but it will be a contender for small and midsize enterprises (SMEs) and other value-conscious organizations, as well as organizations moving applications to public cloud IaaS environments.
Imperva WAF scores well on just about every front. It was a close second to Radware in Gartner Peer Review comparisons, with reviewer ratings consistently high in all areas except pricing flexibility and contracting. The Forrester Wave for WAF ranks Imperva a Leader for DDoS service providers. Gartner said: "Imperva can provide strong WAF functionality as a traditional appliance and cloud-based WAF service, but faces stronger competition for its cloud offering." Anyone wanting an on-premises WAF should give serious consideration to Imperva.
Analyst firms and testing labs don't try to compare Sophos XG Firewall to other WAFs, as it is really aimed at the much broader next-gen firewall or UTM markets. It is probably best suited to SMB and mid-market organizations, as well as those protecting IaaS solutions in Microsoft Azure. If you want only a WAF, look elsewhere. But if you need a broader feature set, consider Sophos.
SonicWall NSa scored well in NSS Labs testing in security effectiveness, block rate and TCO. It is, however, more of a next-generation firewall with a WAF feature than a standalone WAF. As such, it may be overkill for those looking only for WAF functionality. But for existing SonicWall customers, as well as those looking for a WAF and NGFW combination, it is a strong candidate.