Why you should not buy Incapsula DDoS or WAF

Very little has been written publicly about why you should NOT buy into Incapsula DDoS or WAF protection.

Here at ITogether we thought it would be useful for anyone considering buying Incapsula to read an article that explains why this would be a bad idea and a false economy. It is often said that you get what you pay for. Buy cheap buy twice.

Incapsula is a cloud-based Web site protection service launched in 2009 by the vendor Imperva, (using Imperva appliances placed into datacenters) ITogether were one of the first customers in 2009. Our experience was not good. Incapsula combine WAF, CDN and BGP-based DDoS protection capabilities. While not comparable from the perspectives of feature, functionality, or value to the customer, Incapsula markets itself as an equivalent but lower-cost competitor to Akamai or Cloudflare.

Incapsula does not have sufficient scale to protect against the largest DDoS attacks.

The Incapsula platform has 1.25 Tbps of total network capacity (as at July 2015). This is simply not enough to protect against the largest DDoS attacks that can exceed 300 Gbps – an attack of this size, or less, could cause downtime and impact performance not only for the target, but for other customers as well. Akamai has sufficient scale having easily carried over 33 Tbps on the Akamai platform and maintains over 2.3 Tbps of dedicated attack capacity for Prolexic today. (1) In addition, Akamai’s DNS infrastructure typically runs at less than 1% utilisation, meaning Akamai always has spare capacity to absorb any large scale DNS DDoS attacks targeted at Akamai customers.

Incapsula’s WAF has more false positives and false negatives and does not always cover the latest threats.

Incapsula’s WAF has been tested and found that it had lower accuracy than Kona Site Defender, with a higher rate of false positives and false negatives. This is critical as it refers to the number of legitimate requests that are blocked and the number of malicious attempts that are let through. Incapsula claim to have <0.01% false positives on their website, but there is no evidence to back this up. Akamai’s False Positive rates drop to 0.001% when Kona Site Defender is combined with Client reputation. In tests, Incapsula did not fully cover the latest threats, including RFI and LFI attacks.

Incapsula does not have an enterprise-class solution.

Incapsula is primarily a one-size-fits-all solution, with limited customisation. Despite a so-called ‘Enterprise’ option, Incapsula largely have an SMB target market, as indicated by their $299 a month option being their ‘most popular’ option, meaning enterprises should question the effectiveness of their security posture.

“Incapsula provides the same capabilities at a fraction of the price.”

Incapsula provides a lower-cost solution, but you get what you pay for in terms of scale and effectiveness of security capabilities. Akamai provides a platform with much greater scale to defend against the largest DDoS attacks and a more effective WAF with greater threat coverage and fewer false positives and negatives, resulting in higher site conversion rates and lower risk. In addition, ask yourself how much DDoS bandwidth is included – with unlimited DDoS (equivalent to Akamai’s fee protection feature) Incapsula’s price is not far below that of Kona Site Defender.

Let’s compare Akamai for a moment.

A global platform. 250,000 servers. 1700 networks. 3900 locations. 137 countries.

Accelerated daily traffic of 40 million hits per second. 2+ trillion deliveries per day. 50+ terabits per second.

Trusted by the world’s leading brands. All top 50 global carriers. Over 400 banks worldwide. 9 of the top 10 global auto manufacturers. 9 of the top 10 global computer hardware manufacturers.

0 Comments

Submit a Comment