I am the CTO for a large multi-specialty private hospital.
We are currently researching WAF solutions. Which WAF solution would you recommend with no heritage for subscription charges? We are a hospital with many web apps that need to be published soon and quickly. We have decent internet access. There could be 100 to 125 concurrent sessions.
Thanks! I appreciate your help.
Cloudflare - since deployment it's super fast and supports Terraform for automation.
Give Reblaze a try. You won't be disappointed.
If you only need a WAF service for a few websites, I recommend Cloudflare.
If you need a balancer and WAF and you are thinking of a hybrid solution I recommend Citrix NetScaler - hybrid and multi-cloud GLB solution.
If you need WAF for a lot websites and many IP addresses, I recommend Imperva Incapsule.
Check Cloudflare is more than WAF and very easy to setup
CromiWAF's WAF solution provides a smooth service for 100 to 125 simultaneous sessions, but we need two additional information to define the most appropriate "package", number of URL's and throughput.
I myself used Cloudflare as the easiest and quicker solution to implement. But if you are concerned on budget you may try AWS WAF as well. It costs minimal and as per usage instead of fixed monthly expense.
Both are super reliable solutions.
We have been having great success with FortiWeb appliances. They offer various sizes to meet your bandwidth needs. I don't know what "with no heritage for subscription charges" means but any good vendor will have some sort of subscription (whether it is signature updates, general support, firmware updates, etc.). WAFs need to be kept up to date just like all security products.
I would always recommend F5 WAF, it is probably the best one on the market, aside from Imperva. However both solutions are very expensive, Imperva even more and both might not be suitable if your IT personnel is junior when it comes to this kind of technology - this product requires "engineer attention" and offers even more in return. If you want to avoid opex, i.e. subscriptions, than you need to go for appliance on-prem version and you can use it for years before having replacement. all cloud solutions probably come with subscriptions. Check it out on https://www.f5.com/products/security/advanced-waf, they have roi calculator as well.
Imperva Clod WAF is the best option. Not only can you protect your IPs, DNS, Apps, you can also mitigate DDoS attack on your network or apps. Imperva has the best and biggest capacity to handle DDoS.
It is fast to deploy, easy to use and a very friendly user interface. Need I say more? You pay only for what yo need.
I'd highly recommend using the Snapt ADC.
The ADC is a full suite..You get one of the world's finest Load Balancers with included functionality of a WAF, Web Accelerator & a GSLB. All of the Snapt support is done in house as well which gives you a direct line to the people who built the solution.
If you are looking for an effective WAF solution, I would recommend Radware Appwall, it provides a complete web application security that you are looking for. Radware Appwall WAF comes with a hybrid solution in which you can deploy an on-prem device or via a cloud. Since you don’t want any subscription charges, for now, you can just deploy the on-prem device which will blocks attacks at the perimeter and ensures fast, reliable and secure delivery of mission-critical web applications.
I may not be able to size-up the exact model for you since there are a lot of things to consider like the number of applications, the number of CEC/CPS/HTTP TPS need to pass through the WAF, etc.but I do recommend to contact your local Radware vendor which can assist you on sizing up the Radware WAF solution.
It depends if you want to apply positive security or negative security.
For positive security, I strongly recommend F5 due to its large number of features that the software has, but bear in mind that when applying positive security, your applications have to go through a learning process which will map all the parameters and URLs that the application uses. This process can take time depending on how they test the application.
Another point to consider is that after passing your applications to production, you almost always have a few parameters that did not go through the QA tests and can generate a Waf ID which then must be excepted.
If your strategy is based more on the speed of deployment of applications in the shortest possible time, I recommend that you use negative security.
Negative security solutions, I recommend using Cloudflare in this case, so you deploy DNS, WAF, Analysis in one place. Adding to that you should not buy equipment for the solution. Of course, most negative security solutions are only based on signatures. So if you don't have the updated signatures, you could be compromised with a zero-day attack.
That simply can give you my experience in the field.
First, we should keep in mind the subscription in security devices is mandatory for keeping the certifications and database updated for known threats and If the device supports UTM and zero-day attack vector which is required for most the well-known organization then the subscription is required, Mostly vendors keep the package worth 1, 3, 5 support including all updates & Technical support as per the SLA purchased. For WAF I would suggest FortiGate appliance or SOPHOS with the UTM bundle. Both vendors also offer cloud-based subscription and Integrated Threat management if further security footprint is required within the organisation.
Generally, and without knowing your specifics, you cannot go wrong with any of the following:
The Snapt Nova ADC, and included WAF, solution would be a great fit here and for Kingsway Hospitals.
Nova's WAF features:
- Powerful centrally managed WAF.
- Automatic mitigation of Denial of Service attacks, with flexible and
ML-driven dynamic reactions to traffic.
- Full OWASP Top 10 protection suite, ensuring protection from threats and compliance is met.
- Blacklists, whitelists, rulesets, rate limits control across all your ADCs from one location.
The Nova ADC provides load balancing, acceleration and application security at a massive scale. Whether you have one device – or one million – Nova is built for DevOps, micro-services, and cloud-native. More details on the WAF here: https://nova.snapt.net/platform/waf
As there is no history or heritage for subscription charges, out flexible pricing, and business support offering is ideal:
https://nova.snapt.net/pricing. In terms of the 100 to 125 concurrent sessions and many web apps that need to be published soon and quickly, Snapt also assists with support and setup.
Here is my suggestion:
I am familiar with F5. So, I suggest choosing F5 Big-IP 2000s. You can find more about F5 via https://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf. Hope you have the best selection.
If you want granularity, flexibility, simplicity of administration and powerful WAF I would advise you to go for RSCS. In addition you will have good pricing.
You may use Citrix NetScaler or F5 BigIP, Kemp is okay as well, FortiGate is fine if you are looking for a budget ADC with humble performance.