Radware Cloud WAF Service Reviews

We are a company that specializes in loyalty programs for airlines and retail businesses. Our website allows customers to log in and check their loyalty program points, redeem them for flights or other items, and purchase additional points or life miles. As this is a sensitive website that is subject to many attacks, we implemented Radware Cloud WAF Service to protect it.

The solution is deployed on the cloud. We use AWS, but the web application firewall is on Radware infrastructure.

The Radware Cloud WAF Service is an excellent solution for blocking unknown threats and attacks. We have follow-up meetings with our team every other month, and we receive a summary of all the threats the solution blocked. The metrics are very positive. Without this service, we would certainly be in trouble, as we experience a large number of attacks. The solution is very specific in identifying the region from which the attack originates, as well as the type of attack, such as mail service or SQL injection. It also provides details on how the attack was blocked.

The primary advantage of Radware Cloud WAF Service is that we can be confident that the website will not be vulnerable or that our client's accounts will not be compromised. Therefore, it is highly beneficial for us.

We have very few false positives; it is very rare. In the two and a half years I have been with the organization, there has only been one false positive. This occurred when an authentic IP from Colombia attempted to log into the website and was blocked by the WAF.

The solution definitely freed up our IT teams for other projects, as we no longer have to manage the WAF ourselves. With Radware taking care of the WAF deployment in our Amazon infrastructure, our IT personnel who would have otherwise been working on managing our application firewall can now be assigned to other projects. The solution helped save 30 hours a week.

I particularly appreciate the low administrative burden of this solution, as well as the excellent monitoring tools. I can easily view blocked requests and malicious activity in a summary dashboard without needing to intervene. The solution works well independently.

Radware does not have much online training available to help customers get the most out of this solution. For example, we do not know how to integrate the solution with other tools or take advantage of the analytics that it offers. Radware could improve access to this knowledge by providing short training sessions so that customers can benefit more from their work.

I have been using Radware Cloud WAF Service for two and a half years. 

The solution is highly reliable; we have never experienced any outages.

The scalability is completely transparent for us. For instance, on Black Friday, we experience an increase in traffic on our website, yet we don't notice anything because Radware automatically scales, so we don't need to take any action. Therefore, it is very efficient at scaling.

From a financial perspective, we have definitely reduced fraud. This has been a return on investment, as we are no longer losing money compensating customers for fraud. I cannot provide an estimated amount, but we have a team in the company dedicated to preventing fraud. There has definitely been a return on the investment.

It is slow for us to get a quote, which is something that could be improved by the sales or commercial team. However, I believe the prices are fair. We pay for each application we add to the protection, as well as for each additional website. We currently have three licenses and are satisfied with them.

We always compare Radware Cloud WAF Service to the Amazon web application firewall. We have found that Radware Cloud WAF Service is a better solution for us as it is specialized and managed, so we do not need to spend time configuring or managing the solution.

I give the solution a ten out of ten.

We do not use the solution for integrating with other applications. The only other solution is the Cloud WAF Bot Manager, which is another product from the same company. We can access it from the same account using the same credentials. I can access both dashboards, the WAF and Bot Manager, but we do not integrate them with anything else.

The solution has not been implemented in multiple locations. Most of the traffic comes from Latin America and the United States. I do not have an exact figure for the number of end users that access our website, however, I can estimate that it is in the hundreds of thousands per day.

We have never performed any maintenance from our end.

We need to understand how the solution is priced, as our company has one main website, but sometimes there are other products with different URLs and websites, so we must pay for each one. My advice to customers is to understand how this is priced so they can plan accordingly.

We had adware attack mitigation systems and DDoS appliances in place, but these are primarily designed to handle flood attacks. We found that our frontend pages, including our online banking, were being attacked by bots. Hundreds of these connections created such a high load on our backend web servers that they failed to respond to legitimate requests. 

Our primary use case for Cloud WAF is to stop these malicious bots from continuously calling up web pages. They look legitimate, but they constantly call or refresh the web page.

We haven't integrated much yet. Cloud WAF is protecting our frontend pages, but our banking profile for logging our backend financial transactions sits behind our corporate frontend pages. Cloud WAF is also protecting that piece. Once we've completed protecting our landing pages, we'll start working on our other applications. 

From a financial point of view, we no longer constantly need to appropriate more horsepower to our backend web servers to service these requests because Cloud WAF is preventing malicious bots from accessing our web page. It reduced the load on our backend. 

We don't have all the in-house expertise to investigate a typical HTTPS request to see what's happening. We rely on Radware's emergency response team to provide us with biweekly feedback saying, "This is what we've observed and what we recommend." 

By using Radware Cloud WAF, we don't need to hire web threat specialists. We can rely on Radware's emergency response team to fine-tune our policies. Spinning up a web application firewall on our own is a long and challenging process. It's far easier to outsource that job to Radware.

Using Radware freed up resources, especially on the web side. We would typically require an internal team to look after the web pages, but that has been outsourced to Radware. Now, those employees can shift their focus to other projects, and they need not worry about what Radware's doing because they know that it's in the capable hands of an experienced team. 

Cloud WAF reduced our false positives. That's one feature Radware is known for. We get very few false positives, but when we do, we bring them up during our biweekly meeting with the Radware team. They help refine our policies so we no longer see the same issue. Most Radware products perform exceptionally well at eliminating false positives.

It's hard for us to quantify the reduction of false positives because it's a relatively new product. We'll start collecting these metrics toward the end of 2023. Based on our customer call center's feedback, we haven't received complaints about blocking legitimate traffic. When we adopted Cloud WAF, that was a concern our business units had. Some were worried we would deny a lot of traffic. That hasn't been a problem thus far. 

We now have more accurate statistics about legitimate website visitors because we've eliminated those malicious bots that artificially inflated the number of hits on our website. It was creating a false impression that we had an unusually high number of hits. Traditionally, they were there for web scraping, but we eliminated unwanted traffic pushing up our analytics. Google Analytics gave us the impression that we had a ton of traffic. Those figures have gone down because we've eliminated the baddies.

The most valuable components are the bot manager Radware offers as part of graph services and the WAF component. We haven't begun using the API protection, but we plan to implement that in the latter half of 2023. We're also looking at the content delivery network feature. CDN serves static web pages from the Cloud WAF to speed up processes. 

We recognize the potential value of the CDN function. It's part of Cloud WAF, so it can also be enabled relatively quickly. The CDN function offers specific bolt-on security because the application services are protected, and the CDN function is a click away. It doesn't require changes to our backend applications. We only need to use a TNA, and we will have access to the CDN features.

We're currently getting our money's worth from the WAF, the bot manager, and the DDoS components. We see a lot of value in these three components of Cloud WAF.

Our current web protection relies on a negative security model. In other words, we use signatures for known threats. We will eventually transition to a proactive security model Cloud WAF can accommodate where we deny everything by default and only allow specific things. 

We're currently vulnerable to zero-day attacks because we depend on known signatures. We're looking forward to shifting to a positive security model from the WAF we use in conjunction with the bot manager. Radware's intelligence about known bots is an extreme value add to us. 

The automated analysis of events is intuitive and user-friendly because we're not flooded with thousands and thousands of events. The analytics features provide a summary, so there's no need to look for something line by line. It's aggregated into a nice simplified event with the option to drill down for more details. 

We can investigate if we experience issues from a specific subset of customers. For example, we can search by ISP, URL, or IP address. Cloud WAF adds a lot of value by enabling us to pinpoint where we are experiencing an issue.

Our only complaint is the reporting on the DDoS side. We also use Radware for on-premises DDoS protection and their Vision product. I just want to paint you an example. We face so many Layer 3 and Layer 4 DDoS attacks on Cloud WAF. The reporting on those types of attacks can be improved.

We started a pilot project in April 2022 and purchased Cloud WAF in November 2022.

Cloud WAF has been extremely stable. We only had one service interruption during our proof of concept, but it has been reliable since we went live. We've never needed to make a DNS entry change and redirect that web traffic back to our perimeter. 

In the beginning, we were constantly watching it, but we don't have to check on it now that we know it's working. 

We haven't experienced any scalability issues because we requested all the throughput needed for our necessary applications or services from a bandwidth and billions of transactions per month. 

I rate Radware support a ten out of ten. I'm pleased so far. Everything was new to us in the initial phases. We called or emailed them, and they helped us within five minutes. Now, we follow the standard process where we log a case ticket and get a response in ten minutes. 

Positive

We used on-premises security solutions, but we are moving to cloud-based applications. Radware has done such an excellent job with our perimeter and cloud DDoS services. They were the only ones who correctly identified our issue with these small low-bandwidth usage attacks coming that look legitimate to the existing web solution. We piloted the web and bot manager solutions, and we were astonished by the number of malicious bots accessing our website and how that impacts our KPIs.

The WAF service runs on Radware's cloud. Their infrastructure is in a neutral co-location. Radware is able to offer the same protection for our on-prem equipment because it uses Nginx. Cloud WAF can protect on-prem systems plus AWS and Azure clouds.

The onboarding was quick. We finished within half an hour and moved some services onto the Cloud WAF within an hour. The beauty of the solution is that it requires no major changes on the customer side. You make a DNS entry change to point your website to the Radware hardware.

There is no maintenance on our side. We have a strict SLA with Radware that requires notification far in advance about maintenance on their end. They typically avoid maintenance at the end of the month, which is a busy period because people need to do banking. They also do not do maintenance during a year-end freeze. They only do maintenance on one location at a time, so if they take one down, we can continue working on the other. They have built that availability in South Africa.

We haven't seen a return on investment, but we expect to see that in the third year. If we set this up ourselves, we would need to pay for all the necessary appliances, hardware, VMs, and internal staff. Outsourcing to the Cloud WAF solution saved us capital expenses but increased our operational expenditures. We'll have some stats on the total cost of ownership by the end of the year. The time to spin up our own WAF service would be a lot longer than paying for Cloud WAF to protect our applications. 

A yearly license worked out to be a lot cheaper than what other competitors offered for an on-prem solution. We negotiated with Radware and managed to strike a good deal. The company was accommodating to our particular needs as a financial institution. We had to test things for pre-production and spin-up because they charge per FQDN as a service or an application.

When it came to pre-production testing, they set it up for us with a minimal charge, so our QA and UA teams could do testing. We saw the value added from DDoS protection for Layer 3 and Layer 4 attacks. It includes API protection. We had to pay extra for bot managers, but the pricing is competitive overall.

If you plan to deploy Cloud WAF, keep in mind that the product is priced based on the megabits of traffic that pass through and the number of transactions. You should get your requirements correct up front. The active attackers feed and CDN services cost extra, so you need to negotiate these features up front. 

Another company had a similar service but didn't have a presence in South Africa. Radware has got two locations in the country, and that was a deciding factor. There were other financial institutions and retailers on the cloud, so it was easy to decide that we no longer wanted to do this on-premises. We decided that it was better to let Radware spin up and maintain the hardware.

I rate Radware Cloud WAF a ten out of ten. 

No experts are required from our side, the onboarding is straightforward, maintenance is easy, and Radware's security operations enable us to stay agile. 

We have a couple of AWS customers where we are implementing this solution.

When we are talking about the WAF use case, we just like to save the request. Whatever request you are getting on the WAF side, you can block it according to the filter. If you have any vulnerability inside the request, that will be inspected. If it's not legitimate, then it will be stopped with the help of WAF.

The solution offers good protection. It's for the L7, actually. When you are trying to protect the L7, this is a good product.

There are templates you can try which is useful.

It's easy to implement. 

The solution scales quite well. 

The solution is stable and reliable.

Technical support has been helpful.

The integration part could be better. The visibility part could improve as well. In the market, everyone is moving towards the cloud. However, the patience is not good. When we are trying to find out some information, we are not getting what we need on time. They need to arrange some more use cases for their partners, for their customers to showcase their product and show exactly how it is working, how they're capturing the market, et cetera. Right now, they aren't showcasing what can be done, making it hard to sell. 

I've found it difficult to find good documentation for cloud deployments. 

We've been using the solution over the past year. We've used it for ten months.

The stability is quite good. I would rate it a four out of five in terms of stability. It is reliable. There are no bugs or glitches. 

It is a scalable product. We don't have any issues in that regard. I'd rate it four out of five. 

We have a few customers on the solution. We have one with 15,000 POC employees, and they are using it. There are also a couple of other POCs we are working on now.

Their support has been very good. We are quite pleased with their general capabilities. We tend to also handle issues that are at an L2 or L3. If we cannot handle the client requests, we may reach out to Radware for help. 

Positive

The initial setup is not overly complex. The entire process is easy to manage. 

For deployment, I don't need many people. We do have a team of ten to 15 people who are managing all the security features. I can assign one of them to take care of tasks as necessary. One person who is knowledgeable in WAF can handle the deployment part.

Implementation is a one-time thing. However, the processing of requests is ongoing. Today, a customer has a certain requirement to maintain their compliance, so they can go ahead with the initial set of rules. In the future, if they come across different kinds of compliance, they definitely need to create new rules. Therefore, it's an ongoing process. We cannot say that is a one-time process work for a week, and we've completed it. Basically, the initial implementation can get done in a week. Within a week, we will have to also collect the rule stage information from the customer, including any other requirements. Then, after that, it's ongoing tweaking. 

We tend to perform maintenance for clients. If a customer faces any challenges, they create a case with us, and we deal with it. 

We can handle the initial setup ourselves. 

From my side, there is only one resource deployed on the project. However, there are multiple people required to gather information. From the customer side, it will require them to share what rules should be implemented and we figure out how we will proceed and what requests we will get coming into the application server.

The solution is pretty pricey. It's not a cheap option. I'd rate it a three out of five in terms of affordability.

They do offer different types of licenses, according to your needs. 

I'm a Radware partner. 

We have the latest version implemented right now. 

I'd rate the solution eight out of ten.

I would recommend the solution to people.

We have external facing sites that our clients use, and it's important that those are protected. It's a traditional use case. The end-users are the firm clients trying to come into the firm using firm applications. So, this is the external perimeter, and that's the typical use case.

It gives you more insights into what may be happening in your environment. It doesn't free up people's time, but it helps them add an additional data point so that they can be better informed. In that sense, it improves efficiency. When you are in the security mindset, you want to make sure you have the ability to gain as many insights as possible for a potential attack. The intent is never around freeing up time.

It provides the first level of defense against external threats trying to come into the environment, but it's one of the many toolkits we use. 

I'm the global head of cybersecurity across all business lines with a prime focus on audit risk and compliance. I look at Radware in terms of the ability to do two things. One is being very well aware of what's happening in the industry and the threat landscape, and the relative to that is the right sizing of the product so that the product can identify those emerging threats in time and then block them. That's essentially what I'm expecting Radware to do. The ability to provide some insights into lookback is equally important, which means you found something today but that doesn't mean that it happened today. It could have happened many moons ago. That lookback is equally important. There is a lot more that is expected from Radware's automated analytics for looking at events. There needs to be more context of where protection is required these days.

I have used the API Discovery feature. It's relatively easy to use, but it pales to some of the tools that currently exist in the marketplace. They may be a little more sophisticated than what Radware provides. A lot of work needs to be done out there for the end-to-end API protection offered by the API Discovery feature. It's a good first step, but Radware isn't there yet. Similarly, in terms of integrating with other systems and applications in our environment, a lot more work needs to be done out there.

The visibility of API relative to data flow and contextual understanding of what that is for a business is extremely important, and APIs don't seem to cut it. The majority of the attacks take place in memory, so you need to make sure that there is close alignment around how you view that and draw conclusions based on that data. Right-sizing is based on the industry because some of them have the same set of APIs and the same set of structures from which you can easily draw context and draw conclusions in terms of what's happening.

We've been using it for two years. It came to us with an acquisition.

They've had one odd outage. You can't have an outage in that business. They got to get a little better for enterprise-grade.

They have been collaborative. They were eager to have the firm's business, so we received the kind of support we wanted, and that's fair. We have no complaints, and there is nothing that stands out of the ordinary. I'd rate them a seven out of ten.

Neutral

In an organization of our size, you don't have one single vendor. It's a layered defense model. You don't have one single product that you're heavily reliant on. From that perspective, Radware is a part of the ecosystem.

In terms of blocking unknown threats and attacks, Radware is at par with other firms. There is nothing extraordinary. The protection it provides is comparable. It isn't superior. It's amongst the top three or four, but it's definitely not number one.

It required tuning to meet our requirements, but that's true for all products.

It was implemented in-house. There were four people involved in its implementation.

The value proposition of a product is based on not just one feature set. It's based on the suite of features and the impact. It's no different than the value of a security guard outside the building. It's justified in case you have a major attack and it has been able to thwart that attack, but up until that point, you won't be able to say, "Hey, what is the true value that I'm getting out of this?"

When you're getting this or any other solution, you need to look at three things.

1. Is it fit for purpose? What are you getting it for, or does the solution meet the need?
2. Is it going to add value and be a strategic partner going forward? Do you see it evolving with where the threat landscape is heading and where the market is heading? Do you see a relationship?
3. Do they get it right? Are they aligned or in sync with the industry and with what the regulators are looking at? This one is generally missing in this case.

I've used CDN services offered by Radware in conjunction with Cloud WAF. Radware is in the same ballpark compared to the industry leaders, though some of the industry leaders are a little sophisticated in terms of features and offerings. However, there are certain areas towards which the industry isn't evolving, and Radware can obviously position itself so that it can succeed.

Overall, I'd rate Radware Cloud WAF Service a seven out of ten. There is a lot they can do. They're in a good position. They have their foot in the door. They need to just up their game.