Improve company productivity with a Business Account.Sign Up


Need help to make Comparison between Imperva, Websense, Citrix Netscaler

Posted on 2012-03-13
Medium Priority
Last Modified: 2016-10-25
hi all

i new in the company and there was some meeting and some solution for WAF( WEB APPLICATION FIREWALL) was made on Citrix Netscaler .

now i suggested, based on things i heard and learned , that the best-of-bread in WAP are
Imperva and Websense.

now i was asked by the CTO to make Comparison table between the 3 product, and i dont know where to begin...

i think that this kind of table is not really practicall to generate , at least one that can give you a real picture.

so i tried to search gartner reashe Studies that can prove my case, i know they have those charts  called Magic Quadrant that show there findings about the best-of-bread product,
for example:

this chart is about firewall, but i google and read that they made simular research about web application firewalls (WAF), how ever i couldnt access in from the site as they want u to pay alot of $$$ for the complite reaseach

i dont need the complite research, only the Magic Quadrant graph, can someone tell me where i can find it?

or mabye as althenetive, some comperision table between those product as i was request by the CTO? (or tips how to make usfule one, it also be good that this  comperision table will point that imperva and websense are better solution overall, to support my case when i stated that they are the "best-in-bread" products.

any help will be appriciated

thx in advannce
Question by:ymg800
  • 3
  • 3
LVL 51

Expert Comment

ID: 37718586
> .. that the best-of-bread in WAP [sic!] are ...
hmm, there'are different opinions about that, and they all -the opinions- are right in some way

> .. to make Comparison table ..., and i dont know where to begin...
for comparsion *and just for that: comparsion* see here

> .. search gartner ..
IMHO that's a worse place to get technical information about the "best bread"
and the magic quadrant is far too old, as a couple of new products entered the market in last 2 years

> .. some comperision table between those product ..
you won't find one, except biased ones
(if you find one, tell me:)

i.g. I highly recommend that you make yourself used to WAFs, how they work, what they do, how they protect, what they protect, how they are integrated and what you need to change in your network topology
after doing that, you need think about operation and such
a good starter for all that is:

if you compare magic quadrants you get differnt results than when you compare coloured product sheets, or if you compare your requirements with marketing buzzwords of vendors

I won't name "best bread" and I won't prefere any vendor or product as they all have their pros & cons, so this list of current products (not vendors)  incomplete and unsorted in any way:
  Airlock, ASM, BeeWare, FortiWeb, hyperguard, Model 460/660/860, ModSecurity, NetScaler, rWeb, SecureSpere, StingRay
LVL 66

Expert Comment

ID: 37724424
There is no gartner for web application firewall as yet and pls do not confuse it with the term such as next generation firewall or unified threat mgmt module. Complete different objective and capability. Web application focus primarily on layer 7 prtection like web traffic, like http, https, web services 2.0, xml firewall etc. there are a few more recognised waf such as f5 asm, trustwave...

Some are evem mentioned in sans top 20 critical controls, there is memtioned of some good waf
Also should not neglect there capability top have compliance checks as part of pci dss compliance. F5 and imperva has that. Mostly there is virtial edition of waf as services which can give and advantage edge in cloud deployment. Knew both of th are into these spaces. Probably these defendng of L7 ddos is one criteria top make judgemental call to...who can handle slowloris, slow post http attack and apache killer easily at time of exploit release

 The Web Application Firewall Evaluation Criteria project (WAFEC), this open community of users, vendors, academia and independent analysts and researchers created a common
Poevaluation criterion for WAF adoption that is still maintained today.
LVL 66

Expert Comment

ID: 37724431
LVL 51

Expert Comment

ID: 37724629
breadtan, thanks for the infos they're helpfull, somehow (my comments below are no personal offence:)

> .. capability top have compliance checks as part of pci dss compliance.
some WAFs claim to protect agains OWASP Top 10, but this is technical BS as it is impossible for now

seen in the papers:
> Active Learning – The Candidate Web Application Firewall Product must be capable of
augmenting web application protection with an active learning mechanism without negatively affecting intended functionality of the protected web application.

ROFLOL, such a requirement could only be written by someone who never configured a WAF for real life applications
depending on your application and/or WAF, if you use active learning, your WAF learns the attacks too, as attacker I'd love such things :-)

> VT2 – The Candidate Web Application Firewall Product must demonstrate through testing that it is not vulnerable to any publicly known exploits or vulnerabilities.
haha, some of the products listed at icsalabs site are vulnerable to CSRF since ages ...

evaluating a WAF is no simple work (as I already explained), and I highly recommend that you test a WAF yourself with your application before you bye one
WAFs are a proper protection, but only if used properly, then you have a good system and a defense in depth
LVL 66

Expert Comment

ID: 37728271
Definitely seeing these same light ahoffmann. Thks. Indeed without the knowledge of web apply and briding these vulnerability exposed, no device will be maximise top defend or perform virtual patching. That said secure coding practices need to be adopted as eventually we are not saying waf is these silver bullet. It can be also a point of failure interesting since it can be deployed inline behind firewall and infront of your web server. In short, many consideration to factor in for a unified security architecture rollout.
LVL 51

Accepted Solution

ahoffmann earned 1500 total points
ID: 37728295
> In short, many consideration to factor in ...
that's deeply explained in the OWASP paper, see my very first comment
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
A basic introduction to Website Security and the absolute minimal steps that anyone should take in order to protect against hostile intrusions. This is offered as a guide to getting started, not an exhaustive list of all precautions. Enjoy...
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

584 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question