Forum Discussion

Porter-Ed_33126
Aug 22, 2017

Security Features Comparison of F5 vs AWS and Azure Load Balancers + WAF

Hi Experts

 

I want to compile a list of security features of F5 and how these compete against AWS "ALB/ELB + WAF" and Azure "Load Balancer + WAF" capabilities. Every solution has its own pros and cons in terms of availability, scalability, cost and most importantly the security features offered. But for this discussion, my main point is security advantage ONLY.

 

Any advice will be highly appreciated.

 

Thanks Porter

 

  • Hi,

     

    AWS/Azure offers good integration with other AWS/Azure services but the major benefits are limited to AWS/Azure clients.

     

    BIG-IP ASM offers some of the following advantages (from the security perspective):

     

    1. PCI Compliance
    2. Carrier-Grade Hardware Platform (On-Premise Option)
    3. Advanced L7 DoS and DDoS detection including: HASH DoS, Slowloris, floods, Keep dead, XML bomb
    4. Web scraping prevention
    5. Advanced automated attack defense and bot detection
    6. Advanced protections against threats including: Web injections, data leakage, session hijacking, HPP attacks, buffer overflows, shellshock
    7. Geolocation blocking
    8. IP Intelligence (IP reputation) services
    9. SSL termination with re-encryption
    10. Security incident and violation correlation
    11. Client-side certification support
    12. Client authentication LDAP, RADIUS
    13. Database security integration (Oracle)
    14. Response checking
    15. Violation risk scoring
    16. Web service encryption and decryption
    17. Device-ID detection and fingerprinting
    18. Live signature updates
    19. WebSocket traffic filtering
    20. IP shunning (layer 3 blacklisting in HW) with BIG-IP AFM
  • A pre-configured retail WAF solution typically has at least 85% of configuration done for you. As the end-user, you will end up having a few drop-down menus here and there, all laid out in an elegant and very easy-to-use management dashboard. There's very little actual control over security. In simple terms, you end up surrendering some quality of your security in return for a lower price. You trust the 85% they have done for you. You can take it for granted that it's either a too restrictive and bulky policy which ends up slowing your application due to a number of irrelevant security checks, or it's too loose, providing very little actual security benefit. And if you are not happy with that one-size-fits-all glove, you will pay for additional exceptions and extended control.

     

    If the cost aspect should be ignored, then I'm not sure if I understand your question. There is not a single security benefit of having just one piece of protective glove for every application out there. A self-managed WAF with a fully 'customized for application' security policy wins all the time, every time, in every security aspect, or at minimum is on par in some aspects. I don't think this list would have much meaning, so best to disregard the security aspect and focus on others - manageability, cost (one-time product + on-going management) and do not forget the most important one - degradation of app performance. The last one in particular is something you should clarify before signing any contracts. The best WAF policy is the one that offers all the relevant-for-your-application protection with minimal degradation of app performance.

     

    • Porter-Ed_33126

      Thanks, I appreciate your feedback and agree with all of your points.

       

      I simply need to document the security features of AWS/Azure WAF vs F5 WAF (to complete the paperwork), i.e.

       

      Features:

       

      1 - Live signature updates

       

      AWS: Yes Azure: No F5: Yes

       

      2 - WebSocket traffic filtering

       

      AWS: Yes Azure: No F5: Yes

       

      --

      --

       

      Thanks in advance.

       


  • JG

    Well, as I see it, you can make up your own security rules/solutions when and where you need them, unlike in AWS, where you pay $ for each existing rule you choose to use. You have control with F5.