Forum Discussion

Iselator_38937
Feb 19, 2014

F5 ASM WAF vs. Akamai Kona WAF

Hi, I would like to understand the pros/cons between F5 WAF (ASM) and the Akamai Kona cloud-based WAF solution. Is anybody aware of a battlesheet, feature comparison or technical document comparing these solutions, or maybe providing some indications under which circumstances a solution would be the better choice? Thanks.


6 Replies

  • My 2 cents would be: if you are good with giving the keys to the kingdom to Akamai Cloud, then that might be a better option from a DDoS and capacity perspective. If you are conservative in security and capacity/DDoS is not a major factor, then ASM would be a better option. Giving away keys, however secure, is a challenge from my perspective, though it has advantages. We can increase capacity with Viprions at a fraction of the cost of Akamai, but not to the level that the cloud can provide.


  • I plan to use them both. In my case I run ASM and LTM on the same BIG-IP engine, so I only decrypt once to do cookie-based persistence, URI-based pool decisions, and now WAF as well. We also use Akamai for performance enhancement, and are looking into whether it is the right idea economically to purchase their WAF services as well. I don't see these as competing products, more complementary. If you have Akamai hosting your web layer, then it's certainly reasonable to think about using their WAF also at that layer, but if you aren't using Akamai for all your websites, then you would need ASM to protect those that aren't "Akamaized". Even for those that are "Akamaized", you could consider their WAF to be the wider mesh net, just catching the big, obvious fish, and do more granular protection with your local ASM.


    • tinman_40165
      I can give you good insight into both, as I used to work for F5 as a presales engineer and I am now the security presales specialist at Akamai. I can tell you that F5's ASM is a feature-rich product and you can fix any vulnerability under the sun (as long as you can configure it and write iRules). The challenge is managing the ASM. Application security is 10 to 20x harder to manage than network security. So you will want to ensure you have the device set up correctly and have in-depth knowledge of all the inputs, forms, parameters, cookies, paths etc. of your application. To be a good WAF engineer, you will need the skills of a penetration tester who understands the networking as well as the application. Most likely the people who contribute to DevCentral are some of the brightest engineers on the planet and can handle the ASM. Kona WAF is a highly distributed reverse proxy and WAF platform. It uses anomaly scoring and Big Data to ensure that the changing nature of attacks on the Internet is caught and there are minimal false positives. Akamai delivers about 30% of the bandwidth used on the Internet on any given day, so they see a lot of good traffic as well as bad. All day, every day the Kona platform is being attacked with application and DDoS attacks. So the guys at Akamai can keep their policy up to date, blocking a lot of 0-day attacks using automated tools to provide the highest level of security. Kona Rule Set provides functionality similar to the old email antispam engines, but for web traffic: the more spam emails you see, the better the spam engine becomes at blocking spam emails. You can never block 100% of application layer attacks. If anyone tells you they can, you should be very wary. One must be able to consider how many false positives there are and how much clean traffic must pass.

      With better intelligence, Kona WAF can increase the identification of True Positives (real attacks) and True Negatives (clean traffic) while reducing False Positives (clean traffic which was blocked) and False Negatives (attacks which were not picked up). Blocking 100% of the application layer attacks could be like taking your network cable out; you can't just do that. You have to block traffic that has been unmistakably identified as bad while ensuring no good traffic has been accidentally blocked. Ultimately many Kona customers do exactly what you have proposed: use F5 LTM/ASM at the datacenter and a first layer of WAF defense with Akamai Kona. Akamai provides a really high level of blocking of attacks, mitigation of DDoS and acceleration of the content. F5 will be able to tie in things like XML gateway, ICAP AV scanning and other rich features. The two technologies work well with each other to provide a very high level of security. The Akamai platform is sort of like putting many F5s around the world in key locations. The functionality is very similar (except the APM). In terms of SSL certificates, Akamai is PCI DSS Level 1 compliant and you don't need to share your private keys/certificates. A new key pair must be provisioned on the Akamai platform and it is securely held in a key management interface. There are many financial institutions (including US, Canadian, European, Swiss, Dutch, Japanese, Singaporean and Australian institutions) as well as US government organisations doing this today. More recently, for the Heartbleed SSL vulnerability announced on April 7th 2014, Akamai's customers were not exposed. The GHost node manages its encryption memory heap in a secure space which was not vulnerable, so SSL keys were not exposed and they didn't need to be revoked or reissued.

      For customers going to the cloud, Akamai is a perfect solution as it doesn't care where your servers are, and you can scale your cloud up and down using Akamai's datacenter load balancing, which uses TCP rather than DNS. Akamai Site Shield is a whitelist of Akamai addresses that can be imported into the firewalls; a customer can block all access to the site from the Internet except from Akamai's Site Shield. This essentially extends their security boundary to the Akamai GHost nodes at the client's end, thus creating a DMZ-0. Akamai Kona also reduces load on the ASM and other datacenter infrastructure. My banking customer gets a 96% bandwidth reduction to the origin datacenter and a 70% reduction in server CPU/RAM/disk IO while delivering faster internet banking to the client. In summary, I strongly believe that F5's technologies rock and I am a big fan. Kona is highly complementary and increases your web security posture, makes application security easier to manage (or you can even outsource it to Akamai with Managed Kona) and increases web performance.
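A defender-side check for the Site Shield idea described in the reply above, added here as an illustration and not code from the thread, from Akamai or from F5: given a CDN address allowlist (constructed documentation ranges, not real Akamai addresses) and a few constructed origin access-log lines, it flags requests whose TCP source is not a CDN node, i.e. traffic that reached the origin without passing the cloud WAF.

```python
import ipaddress
import re

# Constructed CDN allowlist in the spirit of Akamai Site Shield. These are
# documentation ranges (RFC 5737 / RFC 3849), not real Akamai addresses.
CDN_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:cafe::/48"),
]

# Minimal matcher for combined-format access logs: source IP, timestamp,
# request line and status. The source IP is the TCP peer that reached the
# origin, not the X-Forwarded-For client address the CDN relays.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed origin log sample: two CDN-sourced hits, two direct-to-origin
# hits (one from an address just outside the /25), and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.17 - - [19/Feb/2014:10:01:02 +0000] "GET /login HTTP/1.1" 200',
    '192.0.2.44 - - [19/Feb/2014:10:01:05 +0000] "GET /admin HTTP/1.1" 403',
    '2001:db8:cafe::1f - - [19/Feb/2014:10:01:07 +0000] "GET / HTTP/1.1" 200',
    '198.51.100.200 - - [19/Feb/2014:10:01:09 +0000] "POST /api/transfer HTTP/1.1" 200',
    'garbage line that does not parse',
]


def from_cdn(client_ip):
    """True if the address falls inside an allowlisted CDN range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_ALLOWLIST)


def audit_origin_log(lines):
    """Return (ip, request, status) for each parseable request whose source
    is not a CDN node, i.e. traffic that never passed the cloud WAF."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not from_cdn(m["ip"]):
            findings.append((m["ip"], m["req"], int(m["status"])))
    return findings


if __name__ == "__main__":
    for ip, req, status in audit_origin_log(SAMPLE_LOG):
        print(f"bypass: {ip} {req} -> {status}")
```

Run it against the origin's real access log after the firewall allowlist is in place: any finding means the lockdown is incomplete, a CDN range changed, or something else is reaching the origin directly.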
  • Shat_173824
    Historic F5 Account

    Additionally, F5 Networks offers Silverline which is a cloud-based WAF solution built atop ASM.