12 Top Web Application Firewalls Compared
November 29, 2018
Mo Moin

As web applications mature and become more popular, organizations need to focus more on maintaining a positive security footprint around them. Traditionally, web application security was handled using a combination of the corporate firewall, authentication to an LDAP directory, and a hardened web server in the DMZ network. In a modern infrastructure, where attacks are more sophisticated and cloud-based resources are commonplace, these security measures are often still in place, but can be further enhanced by a web application firewall (WAF).

What is a web application firewall?

Web application firewalls provide protection between end users and your web application, potentially at multiple layers of the Open Systems Interconnection (OSI) model. Most WAFs offer rule-based protection against application-level attacks such as SQL injection or cross-site scripting, but several of the options on this list also offer features as far down as the IP layer, such as DDoS protection and load balancing.

Top web application firewalls

We break down the top 12 web application firewalls, presented in alphabetical order, to help you determine which WAF suites and services best suit your organization’s needs, along with peer review ratings from Gartner PeerInsights.

1. Akamai Kona Site Defender

Akamai touts Kona Site Defender as a comprehensive WAF that enables customized protection at multiple layers, providing an optimized solution for the specific needs of your application. Kona Site Defender offers support for DevOps environments, giving you the ability to manage your security controls programmatically, enabling efficient updates that fit into your existing application development workflow.

Performance is another reason to consider Akamai Kona Site Defender. Akamai’s cloud-based infrastructure includes more than 200,000 servers worldwide, allowing traffic destined for your web application to be run through their filters whether it resides in your corporate datacenter or in the cloud. Akamai can also provide performance enhancements and high availability in addition to protecting your web application from DDoS and application-level attacks.

  • Gartner PeerInsights rating: 4.4 stars
  • Target audience: Akamai targets applications requiring extensive customization and tuning with Kona Site Defender.
  • Notable features: A focus on DevOps workflows and an established corporate history of optimal performance make Akamai a smart option for your critical web apps.
  • Pricing: Akamai does not make pricing details for Kona Site Defender available, but pricing is based on protected traffic.


2. AWS WAF

Amazon Web Services (AWS) is a solid top-tier cloud service provider by anyone’s standard, which should make its WAF awfully tempting for both existing customers and those without an AWS presence. AWS WAF by itself does not offer the same sort of features you could expect from other solutions on this list, but coupled with other AWS solutions (Amazon CloudFront, AWS Shield, Amazon CloudWatch, etc.) AWS WAF becomes as flexible as any competing solution.

Existing AWS customers will see the most value in selecting AWS WAF due to the architecture benefits of staying with a single vendor. Familiarity with AWS management practices, APIs, and even documentation will also bring value. Smaller businesses looking for an easy way to secure their apps may need to engage a consultant or look elsewhere, as the AWS learning curve can be steep for the uninitiated.

  • Gartner PeerInsights rating: 4.5 stars
  • Target audience: Customers of all sizes who are able and willing to make the AWS components into an optimal solution.
  • Notable features: Integration with other AWS solutions such as Amazon CloudFront and Amazon CloudWatch is a killer feature.
  • Pricing: $5 per web access control list (ACL) and $1 per rule per web ACL per month. Charges for related services (such as Amazon CloudFront or Application Load Balancer) are additional.

3. Barracuda Web Application Firewall

Barracuda offers a full set of WAF architectures and features starting with support for physical and virtual appliances, public cloud-based implementations (AWS, Azure and Google Cloud), as well as managed service provider and SaaS offerings from Barracuda. Each architecture comes with its own set of pros and cons, varying from the simplicity of the SaaS option to the fine-grained control over configuration and deployment with the appliance-based offerings.

Barracuda’s various configurations offer very similar functionality, though there are some differences here and there. Server cloaking limits the amount of intel a potential attacker can gain on your configuration by hiding server banners, errors, identifying HTTP headers, return codes, and debug information. Server cloaking is available on all versions of the web application firewall, as is DDoS protection. URL encryption, however, is limited to certain models. Application authentication using SAML, client certificates, Active Directory Federation Services (ADFS), and various other standards is also supported across the board.

  • Gartner PeerInsights rating: 4.4 stars
  • Target audience: Medium to large organizations that manage their own network infrastructure
  • Notable features: Wide range of architecture choices and integrated application authentication features
  • Pricing: Hardware appliances start at $5,249, with virtual appliances coming in at $2,579. WAF-as-a-service is billed based on bandwidth and application count, starting at $400 monthly for 25 Mbps of bandwidth plus $23.90 per application.

Source: CSO Online
