I can give you good insight into both as I used to work for F5 as a presales engineer and I am now the security presales specialist at Akamai. I can tell you that F5's ASM is a feature-rich product and you can fix any vulnerability under the sun (as long as you can configure it and write iRules). The challenge is managing the ASM.
Application security is 10 to 20x harder to manage than network security. So you will want to ensure you have the device set up correctly and have in-depth knowledge of all the inputs, forms, parameters, cookies, paths etc. of your application. To be a good WAF engineer, you will need the skills of a penetration tester who understands the networking as well as the application. Most likely the people who contribute to DevCentral, some of the brightest engineers on the planet, can handle the ASM.
Kona WAF is a highly distributed reverse proxy and WAF platform. It uses anomaly scoring and Big Data to ensure that the changing nature of attacks on the Internet is caught and there are minimal false positives. Akamai delivers about 30% of the BW used on the Internet on any given day, so they see a lot of good traffic as well as bad. All day, every day the Kona platform is being attacked with application and DDoS attacks. So the guys at Akamai can keep their policy up to date, blocking a lot of 0-day attacks using automated tools to provide the highest level of security.
Kona Rule Set provides functionality similar to the old email anti-spam engines, but for web traffic: the more spam emails you see, the better the spam engine becomes at blocking spam emails.
You can never block 100% of application layer attacks. If anyone tells you they can, you should be very wary. One must be able to consider how many false positives there will be and how much clean traffic must pass. With better intelligence, Kona WAF can increase the identification of True Positives (real attacks) & True Negatives (clean traffic) while reducing False Positives (clean traffic which was blocked) and False Negatives (attacks which were not picked up).
Blocking 100% of the application layer attacks would be like pulling your network cable out; you can't just do that. You have to block traffic that has been unmistakably identified as bad while ensuring no good traffic has been accidentally blocked.
Ultimately many Kona customers do exactly what you have proposed: use F5 LTM/ASM at the datacenter and use a first layer of WAF defense with Akamai Kona. Akamai provides a really high level of blocking of attacks, mitigation of DDoS and acceleration of the content. F5 will be able to tie in things like XML gateway, ICAP AV scanning and other rich features.
The 2 technologies work well with each other to provide a very high level of security.
The Akamai platform is sort of like putting many F5s around the world in key locations. The functionality is very similar (except the APM).
In terms of SSL Certificates, Akamai is PCI DSS level 1 compliant and you don’t need to share your private keys/certificates. A new key pair must be provisioned on the Akamai platform and it is securely held in a key management interface. There are many financial institutions (including US, Canada, European, Swiss, Dutch, Japanese, Singaporean, Australian institutions) as well as US government organisations doing this today.
More recently, for the Heartbleed SSL vulnerability announced on April 7th, 2014, Akamai’s customers were not exposed. The GHost node manages its encryption memory heap in a secure space which was not vulnerable, so SSL keys were not exposed and they didn’t need to be revoked or reissued.
For customers going to the cloud, Akamai is a perfect solution as it doesn’t care where your servers are, and you can scale your cloud up and down using Akamai’s datacenter load balancing, which uses TCP rather than DNS. Akamai Site Shield is a whitelist of Akamai addresses that can be imported into the firewalls; a customer can block all access to the site from the Internet except from Akamai’s Site Shield. This essentially extends their security boundary to the Akamai GHost nodes at the client’s end, thus creating a DMZ-0.
Akamai Kona also reduces load on the ASM and other datacenter infrastructure. My banking customer gets 96% BW reduction to the origin datacenter and 70% reduction in server CPU/RAM/DISK IO while delivering faster internet banking to the client.
In summary, I strongly believe that F5’s technologies rock and I am a big fan. Kona is highly complementary and increases your web security posture, makes application security easier to manage (or even outsource it to Akamai with Managed Kona) and increases web performance.
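The post above explains anomaly scoring and the True/False Positive/Negative trade-off in general terms. The following is an added example, not code from the post or from Akamai or F5, and it is a deliberately small model of how an anomaly-scoring WAF works: every matching signature contributes a weight, and the request is blocked only when the summed score reaches a threshold. The rule set, the weights, the threshold values and the labelled sample requests are all constructed for the example (they are not Kona or ASM rules); the shape is loosely modelled on how the OWASP CRS weights its rules. It shows why "block on any single match" produces false positives on ordinary traffic while a higher threshold trades some of those for false negatives.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set: each rule adds a weight when it matches. Weights are
# constructed for this example (critical=5, error=4, warning=3, notice=2).
@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    score: int

RULES = [
    Rule("sqli-keyword", re.compile(r"\b(union|select|insert|drop)\b", re.I), 2),
    Rule("sqli-structure", re.compile(r"\bunion\b\s+\bselect\b", re.I), 5),
    Rule("sql-comment", re.compile(r"(--|/\*|#)\s*$"), 3),
    Rule("xss-tag", re.compile(r"<\s*script\b", re.I), 5),
    Rule("path-traversal", re.compile(r"\.\./"), 4),
    Rule("scanner-ua", re.compile(r"\b(sqlmap|nikto)\b", re.I), 5),
]

@dataclass
class Request:
    path: str
    query: dict      # parameter name -> value
    headers: dict    # header name -> value
    malicious: bool  # ground-truth label, constructed for this example

def score_request(req, rules=RULES):
    """Return (total anomaly score, matched rule ids) over path, params and headers."""
    fields = [req.path, *req.query.values(), *req.headers.values()]
    total, matched = 0, []
    for rule in rules:
        if any(rule.pattern.search(value) for value in fields):
            total += rule.score
            matched.append(rule.rule_id)
    return total, matched

def evaluate(requests, threshold, rules=RULES):
    """Confusion matrix (TP/FP/TN/FN) for a given blocking threshold."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for req in requests:
        total, _ = score_request(req, rules)
        blocked = total >= threshold
        if blocked and req.malicious:
            counts["TP"] += 1
        elif blocked:
            counts["FP"] += 1   # clean traffic that was blocked
        elif req.malicious:
            counts["FN"] += 1   # attack that was let through
        else:
            counts["TN"] += 1
    return counts

def precision_recall(counts):
    """Precision = TP/(TP+FP); recall = TP/(TP+FN)."""
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    return tp / (tp + fp), tp / (tp + fn)

UA = {"User-Agent": "Mozilla/5.0"}

def sample_traffic():
    """Constructed, labelled requests: three benign, four malicious."""
    return [
        # Benign requests that happen to trip a low-weight keyword rule.
        Request("/search", {"q": "union of sets textbook"}, UA, False),
        Request("/docs/select-committee", {}, UA, False),
        Request("/account", {"id": "42"}, UA, False),
        # Malicious requests; the traversal one only trips a single rule.
        Request("/search", {"q": "1' UNION SELECT 1,2--"}, UA, True),
        Request("/download", {"file": "../../etc/passwd"}, UA, True),
        Request("/profile", {"name": "<script>alert(1)</script>"}, UA, True),
        Request("/", {}, {"User-Agent": "sqlmap/1.0"}, True),
    ]

if __name__ == "__main__":
    traffic = sample_traffic()
    for threshold in (1, 5):   # 1 = block on any match, 5 = anomaly mode
        counts = evaluate(traffic, threshold)
        p, r = precision_recall(counts)
        print(f"threshold={threshold} {counts} precision={p:.2f} recall={r:.2f}")
```

With these constructed inputs, threshold 1 blocks all four attacks but also the two benign requests containing "union" and "select" (two False Positives), while threshold 5 clears all benign traffic but lets the single-signal traversal request through (one False Negative). Tuning is then a matter of reweighting or adding rules for what slipped through, not of lowering the threshold until clean traffic is blocked again.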