ymg800
asked on
Need help to make Comparison between Imperva, Websense, Citrix Netscaler
hi all
i new in the company and there was some meeting and some solution for WAF( WEB APPLICATION FIREWALL) was made on Citrix Netscaler .
now i suggested, based on things i heard and learned , that the best-of-bread in WAP are
Imperva and Websense.
now i was asked by the CTO to make Comparison table between the 3 product, and i dont know where to begin...
i think that this kind of table is not really practicall to generate , at least one that can give you a real picture.
so i tried to search gartner reashe Studies that can prove my case, i know they have those charts called Magic Quadrant that show there findings about the best-of-bread product,
for example:
this chart is about firewall, but i google and read that they made simular research about web application firewalls (WAF), how ever i couldnt access in from the site as they want u to pay alot of $$$ for the complite reaseach
i dont need the complite research, only the Magic Quadrant graph, can someone tell me where i can find it?
or mabye as althenetive, some comperision table between those product as i was request by the CTO? (or tips how to make usfule one, it also be good that this comperision table will point that imperva and websense are better solution overall, to support my case when i stated that they are the "best-in-bread" products.
any help will be appriciated
thx in advannce
i new in the company and there was some meeting and some solution for WAF( WEB APPLICATION FIREWALL) was made on Citrix Netscaler .
now i suggested, based on things i heard and learned , that the best-of-bread in WAP are
Imperva and Websense.
now i was asked by the CTO to make Comparison table between the 3 product, and i dont know where to begin...
i think that this kind of table is not really practicall to generate , at least one that can give you a real picture.
so i tried to search gartner reashe Studies that can prove my case, i know they have those charts called Magic Quadrant that show there findings about the best-of-bread product,
for example:
this chart is about firewall, but i google and read that they made simular research about web application firewalls (WAF), how ever i couldnt access in from the site as they want u to pay alot of $$$ for the complite reaseach
i dont need the complite research, only the Magic Quadrant graph, can someone tell me where i can find it?
or mabye as althenetive, some comperision table between those product as i was request by the CTO? (or tips how to make usfule one, it also be good that this comperision table will point that imperva and websense are better solution overall, to support my case when i stated that they are the "best-in-bread" products.
any help will be appriciated
thx in advannce
There is no gartner for web application firewall as yet and pls do not confuse it with the term such as next generation firewall or unified threat mgmt module. Complete different objective and capability. Web application focus primarily on layer 7 prtection like web traffic, like http, https, web services 2.0, xml firewall etc. there are a few more recognised waf such as f5 asm, trustwave...
Some are evem mentioned in sans top 20 critical controls, there is memtioned of some good waf
http://www.sans.org/critical-security-controls/control.php?id=6
Also should not neglect there capability top have compliance checks as part of pci dss compliance. F5 and imperva has that. Mostly there is virtial edition of waf as services which can give and advantage edge in cloud deployment. Knew both of th are into these spaces. Probably these defendng of L7 ddos is one criteria top make judgemental call to...who can handle slowloris, slow post http attack and apache killer easily at time of exploit release
The Web Application Firewall Evaluation Criteria project (WAFEC), this open community of users, vendors, academia and independent analysts and researchers created a common
Poevaluation criterion for WAF adoption that is still maintained today.
Some are evem mentioned in sans top 20 critical controls, there is memtioned of some good waf
http://www.sans.org/critical-security-controls/control.php?id=6
Also should not neglect there capability top have compliance checks as part of pci dss compliance. F5 and imperva has that. Mostly there is virtial edition of waf as services which can give and advantage edge in cloud deployment. Knew both of th are into these spaces. Probably these defendng of L7 ddos is one criteria top make judgemental call to...who can handle slowloris, slow post http attack and apache killer easily at time of exploit release
The Web Application Firewall Evaluation Criteria project (WAFEC), this open community of users, vendors, academia and independent analysts and researchers created a common
Poevaluation criterion for WAF adoption that is still maintained today.
breadtan, thanks for the infos they're helpfull, somehow (my comments below are no personal offence:)
> .. capability top have compliance checks as part of pci dss compliance.
LOL
some WAFs claim to protect agains OWASP Top 10, but this is technical BS as it is impossible for now
seen in the papers:
> Active Learning – The Candidate Web Application Firewall Product must be capable of
augmenting web application protection with an active learning mechanism without negatively affecting intended functionality of the protected web application.
ROFLOL, such a requirement could only be written by someone who never configured a WAF for real life applications
depending on your application and/or WAF, if you use active learning, your WAF learns the attacks too, as attacker I'd love such things :-)
> VT2 – The Candidate Web Application Firewall Product must demonstrate through testing that it is not vulnerable to any publicly known exploits or vulnerabilities.
haha, some of the products listed at icsalabs site are vulnerable to CSRF since ages ...
---
evaluating a WAF is no simple work (as I already explained), and I highly recommend that you test a WAF yourself with your application before you bye one
WAFs are a proper protection, but only if used properly, then you have a good system and a defense in depth
> .. capability top have compliance checks as part of pci dss compliance.
LOL
some WAFs claim to protect agains OWASP Top 10, but this is technical BS as it is impossible for now
seen in the papers:
> Active Learning – The Candidate Web Application Firewall Product must be capable of
augmenting web application protection with an active learning mechanism without negatively affecting intended functionality of the protected web application.
ROFLOL, such a requirement could only be written by someone who never configured a WAF for real life applications
depending on your application and/or WAF, if you use active learning, your WAF learns the attacks too, as attacker I'd love such things :-)
> VT2 – The Candidate Web Application Firewall Product must demonstrate through testing that it is not vulnerable to any publicly known exploits or vulnerabilities.
haha, some of the products listed at icsalabs site are vulnerable to CSRF since ages ...
---
evaluating a WAF is no simple work (as I already explained), and I highly recommend that you test a WAF yourself with your application before you bye one
WAFs are a proper protection, but only if used properly, then you have a good system and a defense in depth
Definitely seeing these same light ahoffmann. Thks. Indeed without the knowledge of web apply and briding these vulnerability exposed, no device will be maximise top defend or perform virtual patching. That said secure coding practices need to be adopted as eventually we are not saying waf is these silver bullet. It can be also a point of failure interesting since it can be deployed inline behind firewall and infront of your web server. In short, many consideration to factor in for a unified security architecture rollout.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
hmm, there'are different opinions about that, and they all -the opinions- are right in some way
> .. to make Comparison table ..., and i dont know where to begin...
for comparsion *and just for that: comparsion* see here
http://www.webappsec.org/projects/wafec/WAFEC
> .. search gartner ..
IMHO that's a worse place to get technical information about the "best bread"
and the magic quadrant is far too old, as a couple of new products entered the market in last 2 years
> .. some comperision table between those product ..
you won't find one, except biased ones
(if you find one, tell me:)
i.g. I highly recommend that you make yourself used to WAFs, how they work, what they do, how they protect, what they protect, how they are integrated and what you need to change in your network topology
after doing that, you need think about operation and such
a good starter for all that is:
https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
if you compare magic quadrants you get differnt results than when you compare coloured product sheets, or if you compare your requirements with marketing buzzwords of vendors
I won't name "best bread" and I won't prefere any vendor or product as they all have their pros & cons, so this list of current products (not vendors) incomplete and unsorted in any way:
Airlock, ASM, BeeWare, FortiWeb, hyperguard, Model 460/660/860, ModSecurity, NetScaler, rWeb, SecureSpere, StingRay