This morning, Verizon announced a new cloud-based web application firewall (WAF) service as part of their Verizon Digital Media Services Defend product suite, which includes built-in protection against network-layer distributed denial of service attacks and origin-cloaking capabilities via Origin Shield. Verizon has launched the offering as a beta product for the next few months, with plans to have it go gold in Q4. Verizon has long been in the business of remotely managing security devices for their customers through their Verizon Security division, with thousands of customers. Some of these security technologies belong on-premise – such as network firewalls and intrusion protection systems, whereas other areas of security, such as those applied to websites and web applications, may be better done in the cloud. This fact has not been lost on Verizon and they are making a big entrance into the market with anti-DDoS, origin protection, and web application firewall solutions built into their recently acquired EdgeCast CDN platform.
For those new to web application firewalls, or WAF’s, they are primarily used to protect websites and web applications by inspecting HTTP/S traffic to ensure the HTTP/S requests are not being used to attack. While WAF’s have traditionally been deployed on-premise – now the trend is to move this service to the cloud for all the standard benefits of cost savings, on-demand scalability, always-on capabilities and faster time to market. While Verizon is not the first to the market with security offerings, we all know Akamai’s been in the security space for a while, Verizon says there are some key differences in how their platform operates. While most WAFs share a similar core approach in that they are inspecting HTTP/S traffic (requests) for attacks, Verizon says their WAF is delivering a set of capabilities previously unseen in the cloud-based WAF market by taking advantage of their existing EdgeCast content delivery network (CDN) for both scale and automation.
For example, the Verizon WAF enables rule updates and WAF instances (rules are procedures that control access to websites) to be pushed out to all their CDN points of presence worldwide in less than 5 minutes. This means that once a new type of vulnerability is identified, new rules can be applied almost instantaneously thereby minimizing the exposure. And given that their WAF is tightly integrated into their CDN platform, customers are able to control (on a per domain or multiple domain basis) exactly what traffic types (e.g. HTML) and/or object types (e.g. json, jpg, etc.) they want to process through the WAF, minimizing both their expense and the amount of incremental performance overhead added to their traffic. Verizon is focusing a lot of the fact that they have a whole lot more rules available in their first version of their WAF product than other vendors do.
By implementing both the OWASP ModSecurity core rule set and the ModSecurity commercial rule set from Trustwave, their customers are provided with the broadest set of rules available on the market. Include the EdgeCast security rules within their HTTP/S caching engine that can be applied to their HTTP/S traffic, and you really do have very deep and broad set of tools to that enable a higher degree of general protection. I think the Trustwave partnership is important to mention as it brings a ton of “black hat” credibility to the table for EdgeCast as a vendor as Trustwave’s technology is considered top notch. The WAF also provides thousands of rules that are custom-built for specific applications like Microsoft SharePoint or Apache servers which makes sense for enterprise customers looking for quick out of the box implementations. From what EdgeCast tells me, they plan on leveraging their Verizon Security division as part of their ongoing roadmap as the Verizon Security folks have a ton of threat intelligence domain experience and can help the EdgeCast team enhance their WAF capabilities even further.
While version 1.0 of Verizon’s WAF hits all the basics and also offers some nice differentiators, it is not without some shortcomings. These include more complete protection against certain types of application layer DDoS attacks, bot mitigation technology, additional reporting, SIEM integration, and the advanced learning features found on some of the higher-end WAF appliances. Verizon EdgeCast has shown me that they have all of these on their roadmap and will be rolling out these capabilities over the next 12 months. They have a pretty good track record adding new capabilities quickly so I’m pretty confident that they will address these deficiencies soon.
The projected market growth for WAFs is anywhere from 18-30% in 2013 with an overall market value of over $250M per year, (Source: Gartner said 30% growth in 2013 and greater than $337M revenue in 2013, TechNavio said 18% growth) and the complementary market for anti-DDoS services is over $500M per year (2014 estimates, IDC) and growing at close to 20% 2012-2017 (source: Infonetics). Hardware-based deployments are dominated by companies such as Imperva, Check Point Software, and Trustwave. Verizon’s WAF will be competing with cloud-based WAF vendors including Akamai, Incapsula (Imperva), CloudFlare, and Qualys – which is also in beta test with their offering.
Some Akamai customers I have spoken to have voiced discontent with the high setup fees and high ongoing monthly recurring costs, along with the lack of control associated with their WAF offering. To date, the only viable alternative to their WAF has been on-premise appliances. That is about to change, and given Verizon’s prior experience re-selling Akamai’s solutions, I think they are better prepared than anyone to compete head to head. EdgeCast says in the case of any customer using Akamai’s stand-alone WAF or Kona bundle, the Verizon WAF supports a much more extensive set of WAF rules without the need for expensive professional services. It also provides the ability to selectively control what traffic and objects are processed through the WAF; deep visibility into what the WAF is actually seeing; a much higher degree of usability and configurability; and less exposure to the risk of attack from new threats given what EdgeCast says is the ability to push out rules updates more than 900% faster than what is offered by other WAF solutions in the market today. Pricing I’ve seen from both vendors indicated that the EdgeCast WAF service will come in very far below what Akamai is charging – both lower set up fees and lower recurring monthly fees. We’ll know more once we see deal flow in the market.
Verizon’s WAF is well suited for mid-sized and enterprise class organizations and provides many reasons to choose it over competing offerings. In combination with other existing Verizon offerings, such as the Verizon anti-DDoS, threat management, and managed security services, Verizon is able to offer a web site security portfolio that few others can deliver. To date, Akamai’s not had much in the way of cloud-based competitors since Qualys’s cloud-based WAF is focused just on Amazon EC2 or VMware’s vCenter. And the other cloud-based WAFs such as Incapsula and Cloudflare are focused almost entirely on the SMB marketplace. Verizon’s WAF is specifically targeting the same enterprise class customers Akamai is, so we’ll have to keep an eye on what kind of traction Verizon can get with their offering and if Verizon has any impact on driving down pricing for these services industry wide.