12 top web application firewalls compared

As web applications mature and become more popular, organizations need to focus more on maintaining a positive security footprint around them. Traditionally, web application security was handled using a combination of the corporate firewall, authentication to an LDAP directory, and a hardened web server in the DMZ network. In a modern infrastructure, where attacks are more sophisticated and cloud-based resources are commonplace, these security measures are often still in place, but can be further enhanced by a web application firewall (WAF).

Web application firewall (WAF) definition

A WAF is a critical component of an enterprise security infrastructure, providing protection between end users and your web application, potentially at multiple layers of the Open Systems Interconnection (OSI) model. Most WAFs offer rule-based protection against application-level attacks such as SQL injection or cross-site scripting, but several of the options on this list also offer features as far down as the IP layer such as DDoS protection and load balancing.

Top web application firewalls

We break down the top 12 web application firewalls, presented in alphabetical order, to help you determine which WAF suites and services best suit your organization’s needs, along with peer review ratings from Gartner PeerInsights.

1. Akamai Kona Site Defender

Akamai touts Kona Site Defender as a comprehensive WAF that enables customized protection at multiple layers, providing an optimized solution for the specific needs of your application. Kona Site Defender offers support for DevOps environments, giving you the ability to manage your security controls programmatically, enabling efficient updates that fit into your existing application development workflow.

Performance is another reason to consider Akamai Kona Site Defender. Akamai’s cloud-based infrastructure includes more than 200,000 servers worldwide, allowing traffic destined for your web application to be run through their filters whether it resides in your corporate datacenter or in the cloud. Akamai can also provide performance enhancements and high availability in addition to protecting your web application from DDoS and application-level attacks.

• Gartner PeerInsights rating: 4.4 stars
• Target audience: Akamai targets applications requiring extensive customization and tuning with Kona Site Defender.
• Notable features: A focus on DevOps workflows and an established corporate history of optimal performance make Akamai a smart option for your critical web apps.
• Pricing: Akamai does not make pricing details for Kona Site Defender available, but pricing is based on protected traffic.

2. AWS WAF

Amazon Web Services (AWS) is a solid top-tier cloud service provider by anyone’s standard, which should make its WAF awfully tempting for both existing customers and those without an AWS presence. AWS WAF by itself does not offer the same sort of features you could expect from other solutions on this list, but coupled with other AWS solutions (Amazon CloudFront, AWS Shield, Amazon CloudWatch, etc.) AWS WAF becomes as flexible as any competing solution.

Existing AWS customers will see the most value in selecting AWS WaF due to the architecture benefits of staying with a single vendor. Familiarity with AWS management practices, APIs, and even documentation will also bring value. Smaller businesses looking for an easy way to secure their apps may need to engage a consultant or look elsewhere, as the AWS learning curve can be steep for the uninitiated.

• Gartner PeerInsights rating: 4.5 stars
• Target audience: Customers of all sizes who are able and willing to make the AWS components into an optimal solution.
• Notable features: Integration with other AWS solutions such as Amazon CloudFront and Amazon CloudWatch is a killer feature.
• Pricing: $5 per web access control list (ACL) and $1 per rule per web ACL per month. Charges for related services (such as Amazon CloudFront or Application Load Balancer) are additional.

3. Barracuda Web Application Firewall

Barracuda offers a full set of WAF architectures and features starting with support for physical and virtual appliances, public cloud-based implementations (AWS, Azure and Google Cloud), as well as managed service provider and SaaS offerings from Barracuda. Each architecture comes with its own set of pros and cons, varying from the simplicity of the SaaS option to the fine-grained control over configuration and deployment with the appliance-based offerings.

Barracuda’s various configurations offer very similar functionality, though there are some differences here and there. Server cloaking limits the amount of intel a potential attacker can gain on your configuration by hiding server banners, errors, identifying HTTP headers, return codes, and debug information. Server cloaking is available on all versions of the web application firewall, as is DDoS protection. URL encryption however is limited to certain models. Application authentication using SAML, client certificates, Active Directory Federation Services (ADFS), and various other standards are also supported across the board.

• Gartner PeerInsights rating: 4.4 stars
• Target audience: Medium to large organizations that manage their own network infrastructure
• Notable features: Wide range of architecture choices and integrated application authentication features
• Pricing: Hardware appliances start at $5,249, with virtual appliances coming in at $2,579. WAF-as-a-service is billed based on bandwidth and application count, starting at $400 monthly for 25 Mbps of bandwidth plus $23.90 per application.

4. Citrix Web App Firewall

Citrix has been in the business of providing secure remote access to applications as long as anyone, so it’s no surprise it offers a WAF. Citrix Web App Firewall (formerly NetScaler AppFirewall) is a cloud-based application firewall that covers the basics in web application protection, though on its own it doesn’t have the same protections against DDoS as other solutions on this list. Citrix does, however, claim the title of the highest performing web application firewall.

Citrix Web App Firewall is available as a standalone appliance or as a component of the Citrix ADC (Application Delivery Controller) family of products, which offer layer 4-7 load balancing and application performance tools.

• Gartner PeerInsights rating: 4.3 stars
• Target audience: Medium to large businesses, managed service providers, or cloud service providers
• Notable features: Industry-best performance limits overhead to your web application.
• Pricing: Citrix Web App Firewall is licensed based on throughput, starting at $30,000 for 1Gbps, though most customers opt for the more comprehensive Citrix ADC.

5. CloudFlare Cloud Web Application Firewall

CloudFlare is a respected name in the web performance arena, particularly in the content delivery segment, and offers a suite of complementary tools (DDoS protection, load balancing, rate limiting and Captcha, and IP-based rules) which compare favorably to the high end of the web application firewall market.

One potential knock against CloudFlare Cloud Web Application Firewall is that it’s solely cloud-based. No on-premises solution is available in the form of a hardware or virtual appliance-based option. Of course, CloudFlare can protect on-premises workloads as easily as your cloud-based apps, but if your business requires a WAF as part of your corporate-owned infrastructure CloudFlare isn’t for you.

• Gartner PeerInsights rating: 4.5 stars
• Target audience: Small to medium businesses, ideal for blogs and business information sites rather than complex web applications
• Notable features: Easy to get started, and tight integration with other CloudFlare services
• Pricing: CloudFlare includes its WAF in their Pro plan, which begins at $20 monthly per domain. The business tier gives you 25 custom rule sets, but comes in at $200 monthly for a single domain.

6. DenyAll rWeb

DenyAll’s rWeb WAF solution offers a number of architecture options to best meet your business requirements: hardware or virtual appliances, cloud-based offerings in AWS, Microsoft Azure, OpenStack platforms, or as a service. Configurations such as pooling, multi-DMZ (a layered approach with an instance in the DMZ and one within the primary LAN segment), or node synchronization for high availability are also supported.

The flexibility rWeb offers extends to its protection capabilities. Requests are evaluated and given a security score, bounced against known vulnerabilities, user behavior is tracked, and both white and black lists employed in order to best secure your applications. DenyAll even allows you to create custom script-based firewall directives to fine tune your protection.

• Gartner PeerInsights rating: 4.7 stars
• Target audience: Medium to large enterprise environments, or large/complex web applications
• Notable features: Extremely flexible architecture and configuration capabilities
• Pricing: DenyAll rWeb pricing depends largely on how it’s deployed. Physical or virtual appliance can be activated using a perpetual license and require an annual maintenance and support cost. Azure and AWS-based cloud options can be licensed as part of the service or you can bring an existing license.

7. Ergon Informatik Airlock WAF

Airlock WAF from Ergon Informatik is a full featured web application firewall, offering methods to secure your APIs from unauthorized or malformed requests, reverse proxy functionality, and content filtering. Airlock WAF can be implemented using either a hardware or virtual appliance depending on your corporate needs.

Airlock WAF can also leverage Airlock IAM and/or Airlock Login to incorporate authentication into the WAF security layer. Airlock Login supports authentication to an existing directory or RADIUS server (including support for RSA SecurID or various other 2-factor methods), while Airlock IAM is geared toward more complex situations such as multiple domains, user self-service, or the authentication needs to be integrated back into the application using web services.

• Gartner PeerInsights rating: 4.6 stars
• Target audience: Large businesses, with most customers coming from the financial sector.
• Notable features: Integration with Airlock IAM provides tight integration between your existing identity providers and applications, facilitating increased user security and self-service.
• Pricing: Pricing for Airlock WAF is handled based on the number of instances and protected applications. If integrated with Airlock IAM the user count is also taken into account for licensing purposes.

8. F5 Advanced Web Application Firewall

F5 is one of the more well respected names in the network performance world, with some serious offerings in the high availability/load balancing space. F5 Advanced WAF has all the features you would expect from F5, in particular DoS and bot protection. F5 considers its DataSafe application-layer encryption a key feature as it contributes to preventing identity-based attacks, which it says makes up 75 percent of data breaches. DataSafe injects JavaScript-based tools to encrypt and obfuscate HTML form data as it’s being populated by a user, protecting it from malicious browser plugins or man in the middle attacks.

F5 Advanced WAF is available as a hardware or virtual appliance, as a pay-as-you-go service in the AWS or Azure Marketplaces, or as one part of F5’s cloud-based Silverline application services platform, which also offers DDoS protection from the network layer all the way up to the application.

• Gartner PeerInsights rating: 4.5 stars
• Target audience: F5’s customer base includes many of the largest corporations in the world, though they maintain that their solutions are within reach (from both a cost and management standpoint) of smaller customers
• Notable features: DataSafe enables F5 Advanced WAF to protect data while still in the browser, even before that data is submitted to the web application.
• Pricing: F5 Advanced WAF starts at $1.33 per hour for pay-as-you-go licensing on AWS, or $7,495 for a virtual edition perpetual license.

9. Fortinet FortiWeb

Fortinet’s FortiWeb WAF is available as a hardware appliance, virtual machine, on public cloud services (AWS, Azure, Google Cloud and Oracle Cloud), hosted by Fortinet, or even as a Docker container application. Further, Fortinet’s hardware appliances come in a wide range of sizes to meet the needs of web applications large and small.

Fortinet maintains a suite of complementary services that enhance FortiWeb’s capabilities in a number of ways, including an IP reputation and botnet listing, identifying attempts to use stolen credentials, and the cloud-based FortiSandbox service, which performs advanced threat detection which automates the process of hardening FortiWeb against zero-day attacks.

• Gartner PeerInsights rating: 4.5 stars
• Target audience: Small to large businesses, with support for both on-premises or cloud-based workloads.
• Notable features: Available in a wide range of architectures, with services capable of further securing your web applications.
• Pricing: Hardware appliances retail from around $5,000 on the low end with the baseline virtual appliance (with a single CPU core) setting you back $3,669.75 retail. Hosting FortiWeb in AWS with a pay-as-you-go license has an annual cost of $5,374 using Fortinet’s recommended C3 Large VM.

10. Imperva Incapsula

Like several other offerings on this list, Imperva is in the content delivery business, and as such is well positioned to provide additional security for your web applications. Imperva’s Incapsula WAF is one piece of a suite of tools that offer load balancing, high availability, and (bad) bot and DDoS protection. Incapsula also offers some add-ons, including Log-in Protect, which leverages the WAF to provide two-factor authentication for URLs you specify through the use of e-mail, SMS, or Google Authenticator.

Incapsula WAF provides protection against cross-site scripting, SQL injection, and remote file inclusion, supports custom rule sets and both white and black lists. From an architecture standpoint, Imperva Incapsula is strictly cloud-based, which won’t bother most customers.

• Gartner PeerInsights rating: 4.5 stars
• Target audience: Imperva serves customers and web applications of all sizes.
• Notable features: As with the other large-scale content delivery providers, Incapsula’s proliferation may be its biggest asset. Having the ability to analyze large amounts of traffic in real time and respond accordingly is the best way to identify bad actors and zero-day attacks in order to protect your web application.
• Pricing: Imperva includes WAF in all its Incapsula pricing tiers, from the $59 a month pro tier to the high-end enterprise level service, which includes comprehensive DDoS protection, load-balancing and failover.

11. Radware AppWall

Radware AppWall is available as a standalone product in the form of a physical or virtual appliance, or as a managed service. On its own AppWall can protect against common web application attacks, including API attacks, brute-force credential attacks, and application-layer DDoS attacks. When coupled with Radware’s DefensePro network firewall, Appwall can integrate with the edge device in order to block attacks at the network perimeter, rather than allowing it to reach the WAF.

• Gartner PeerInsights rating: 4.7 stars
• Target audience: Medium to large enterprise, managed service providers, or cloud service providers
• Notable features: Radware offers a comprehensive set of devices for securing your corporate network, and the integration between their application firewall and perimeter defense products is ideal for critical workloads.
• Pricing: Radware AppWall as a managed service begins at $200 monthly, while on-premises deployments retail in the $20,000 neighborhood (not including discounts, maintenance subscriptions, or add-ons).

12. Sucuri Website Application Firewall

Sucuri Website Application Firewall is a cloud-based WAF that does DDoS mitigation, performance handling (smart caching, compression, etc.) and load balancing. Sucuri Website Application Firewall is positioned as an entry-level website security platform, as it’s easy to set up and get running.

Sucuri also offers a comprehensive white-glove website security solution that not only includes the WAF but monitors your site for known vulnerabilities, tracks and remediates blacklist listings, and features SLA-backed response times.

• Gartner PeerInsights rating: 4.6 stars
• Target audience: Small to medium companies
• Notable features: Sucuri Website Application Firewall offers a robust feature set, including content-delivery and performance features) for smaller websites.
• Pricing: Sucuri Website Firewall is available starting from $9.99 a month for the basic tier, which is targeted at blogger sites. The pro and business tiers add layer 3 and 4 DDoS mitigation for $19.98 and $69.93 a month, respectively, and are geared toward e-commerce or business sites.