Gold: Citrix NetScaler AppFirewall, Citrix Systems Inc.
The three winners in the Web application firewall category had such a tight finish, it is hard to separate the distinguishing characteristics of each product based on our polling. Citrix Systems' NetScaler AppFirewall eked out the gold, winning high marks for it application-layer, protocol and HTTP controls; ability to block intrusions, attacks and unauthorized network traffic; and ease of installing, configuring and administering the product.
Readers' comments ranged from "our VAR recommends" to "good" to "we started testing but found it was unsuitable for our requirements."
As with most WAFs, NetScaler is designed to help organizations secure Web applications and meet PCI-DSS compliance requirements. It analyzes bidirectional traffic including SSL-encrypted data using a hybrid security model that enforces both positive and negative application behavior. A distributed WAF, it is available as an optional module or a standalone product on Citrix NetScaler MPX appliances.
Expert market reflection on category dynamics:
"WAFs are often the simplest solution to addressing web software security deficiencies; having to write an application from the ground up is a costly endeavor. WAFs provide enterprises and their customers the ability to conduct their Web business securely, and we've seen WAF adoption rates increase over the past few years."
-- Jason Pappalexis, research analyst, NSS Labs
Silver winner: FortiWeb-400C, Fortinet, Inc.
The gold winner in 2012, Fortinet's FortiWeb-400C maintained its high ranking again this year, earning the highest score in the WAF category for its ability to block intrusions, attacks and unauthorized network traffic. FortiWeb-400C also got high marks from readers for its application layer, protocol and HTTP controls as well as the ease of installing, configuring and administering the product. Fortinet's WAF is targeted at medium-sized enterprises and designed to protect Web applications and databases from cross-site scripting, SQL injection, buffer overflows, file inclusion, denial of service and other security threats. According to Fortinet, it supports the OWASP top ten threats and PCI-DSS 6.6 requirements.
Bronze winner: F5 Networks BIG-IP Application Security Manager, F5 Networks
Ranked in the top three in 2012, F5 Networks BIG-IP Application Security Manager (ASM) continues to receive top scores from Information Security magazine readers in 2013. F5 Networks Big-IP ASM received the highest marks in the category in application layer, protocol and HTTP controls; ability to block intrusions, attacks and unauthorized network traffic; and integration with other network defense and management tools.
A WAF appliance, F5 Networks Big-IP ASM offers policy-based Web application security, integrates with a range of vulnerability scanners and provides application-specific XML filtering and validation. It provides granular details about violations (user and session data) and block attacks based on reputation and geolocation data.
F5 Networks Big-IP ASM got high marks for vendor service and support, but one reader described the WAF appliance as a "very complex tool. If it wasn't for the (expensive) support, we would have to get rid of it."