12 top web application firewalls compared

A web application firewall (WAF) is a critical component of an enterprise security infrastructure, providing a key security layer for web-facing applications and APIs.

firewall network security lock padlock cyber security

Credit: MF3d / Getty Images

As web applications mature and become more popular, organizations need to focus more on maintaining a positive security footprint around them. Traditionally, web application security was handled using a combination of the corporate firewall, authentication to an LDAP directory, and a hardened web server in the DMZ network. In a modern infrastructure, where attacks are more sophisticated and cloud-based resources are commonplace, these security measures are often still in place, but can be further enhanced by a web application firewall (WAF).

Web application firewall (WAF) definition

A WAF is a critical component of an enterprise security infrastructure, providing protection between end users and your web application, potentially at multiple layers of the Open Systems Interconnection (OSI) model. Most WAFs offer rule-based protection against application-level attacks such as SQL injection or cross-site scripting, but several of the options on this list also offer features as far down as the IP layer such as DDoS protection and load balancing.

Top web application firewalls

We break down the top 12 web application firewalls, presented in alphabetical order, to help you determine which WAF suites and services best suit your organization’s needs, along with peer review ratings from Gartner PeerInsights.

1. Akamai Kona Site Defender

Akamai touts Kona Site Defender as a comprehensive WAF that enables customized protection at multiple layers, providing an optimized solution for the specific needs of your application. Kona Site Defender offers support for DevOps environments, giving you the ability to manage your security controls programmatically, enabling efficient updates that fit into your existing application development workflow.

Performance is another reason to consider Akamai Kona Site Defender. Akamai’s cloud-based infrastructure includes more than 200,000 servers worldwide, allowing traffic destined for your web application to be run through their filters whether it resides in your corporate datacenter or in the cloud. Akamai can also provide performance enhancements and high availability in addition to protecting your web application from DDoS and application-level attacks.

2. AWS WAF

Amazon Web Services (AWS) is a solid top-tier cloud service provider by anyone’s standard, which should make its WAF awfully tempting for both existing customers and those without an AWS presence. AWS WAF by itself does not offer the same sort of features you could expect from other solutions on this list, but coupled with other AWS solutions (Amazon CloudFront, AWS Shield, Amazon CloudWatch, etc.) AWS WAF becomes as flexible as any competing solution.

Existing AWS customers will see the most value in selecting AWS WaF due to the architecture benefits of staying with a single vendor. Familiarity with AWS management practices, APIs, and even documentation will also bring value. Smaller businesses looking for an easy way to secure their apps may need to engage a consultant or look elsewhere, as the AWS learning curve can be steep for the uninitiated.

3. Barracuda Web Application Firewall

Barracuda offers a full set of WAF architectures and features starting with support for physical and virtual appliances, public cloud-based implementations (AWS, Azure and Google Cloud), as well as managed service provider and SaaS offerings from Barracuda. Each architecture comes with its own set of pros and cons, varying from the simplicity of the SaaS option to the fine-grained control over configuration and deployment with the appliance-based offerings.

Barracuda’s various configurations offer very similar functionality, though there are some differences here and there. Server cloaking limits the amount of intel a potential attacker can gain on your configuration by hiding server banners, errors, identifying HTTP headers, return codes, and debug information. Server cloaking is available on all versions of the web application firewall, as is DDoS protection. URL encryption however is limited to certain models. Application authentication using SAML, client certificates, Active Directory Federation Services (ADFS), and various other standards are also supported across the board.

4. Citrix Web App Firewall

Citrix has been in the business of providing secure remote access to applications as long as anyone, so it’s no surprise it offers a WAF. Citrix Web App Firewall (formerly NetScaler AppFirewall) is a cloud-based application firewall that covers the basics in web application protection, though on its own it doesn’t have the same protections against DDoS as other solutions on this list. Citrix does, however, claim the title of the highest performing web application firewall.

Citrix Web App Firewall is available as a standalone appliance or as a component of the Citrix ADC (Application Delivery Controller) family of products, which offer layer 4-7 load balancing and application performance tools.

5. CloudFlare Cloud Web Application Firewall

CloudFlare is a respected name in the web performance arena, particularly in the content delivery segment, and offers a suite of complementary tools (DDoS protection, load balancing, rate limiting and Captcha, and IP-based rules) which compare favorably to the high end of the web application firewall market.

One potential knock against CloudFlare Cloud Web Application Firewall is that it’s solely cloud-based. No on-premises solution is available in the form of a hardware or virtual appliance-based option. Of course, CloudFlare can protect on-premises workloads as easily as your cloud-based apps, but if your business requires a WAF as part of your corporate-owned infrastructure CloudFlare isn’t for you.

6. DenyAll rWeb

DenyAll’s rWeb WAF solution offers a number of architecture options to best meet your business requirements: hardware or virtual appliances, cloud-based offerings in AWS, Microsoft Azure, OpenStack platforms, or as a service. Configurations such as pooling, multi-DMZ (a layered approach with an instance in the DMZ and one within the primary LAN segment), or node synchronization for high availability are also supported.

The flexibility rWeb offers extends to its protection capabilities. Requests are evaluated and given a security score, bounced against known vulnerabilities, user behavior is tracked, and both white and black lists employed in order to best secure your applications. DenyAll even allows you to create custom script-based firewall directives to fine tune your protection.

7. Ergon Informatik Airlock WAF

Airlock WAF from Ergon Informatik is a full featured web application firewall, offering methods to secure your APIs from unauthorized or malformed requests, reverse proxy functionality, and content filtering. Airlock WAF can be implemented using either a hardware or virtual appliance depending on your corporate needs.

Airlock WAF can also leverage Airlock IAM and/or Airlock Login to incorporate authentication into the WAF security layer. Airlock Login supports authentication to an existing directory or RADIUS server (including support for RSA SecurID or various other 2-factor methods), while Airlock IAM is geared toward more complex situations such as multiple domains, user self-service, or the authentication needs to be integrated back into the application using web services.

8. F5 Advanced Web Application Firewall

F5 is one of the more well respected names in the network performance world, with some serious offerings in the high availability/load balancing space. F5 Advanced WAF has all the features you would expect from F5, in particular DoS and bot protection. F5 considers its DataSafe application-layer encryption a key feature as it contributes to preventing identity-based attacks, which it says makes up 75 percent of data breaches. DataSafe injects JavaScript-based tools to encrypt and obfuscate HTML form data as it’s being populated by a user, protecting it from malicious browser plugins or man in the middle attacks.