April 26, 2015
Application Delivery Controllers (ADCs) provide load balancing, acceleration, traffic shaping and other services that improve the performance, availability and security of web applications. ADCs have traditionally come in the form of appliances; however, a new type of service, known as the Application Delivery cloud, is now emerging.
Why Application Delivery Belongs in the Cloud
This service provides an integrated, scalable, and cost-effective solution for traditional enterprises, such as banks, healthcare and government organizations that operate their own data centers, as well as enterprises using cloud infrastructures. The Application Delivery cloud scales efficiently to meet peaks in bandwidth, while enabling enterprise IT teams that often lack security expertise to offload security management to the cloud, saving both time and resources.
Among the trendsetters leading this transformation are next generation Content Delivery Network (CDN) providers like CloudFlare and Incapsula. These companies have augmented basic CDN technology – traditionally used for content caching and acceleration – with advanced security capabilities that protect websites and applications from web threats and DDoS attacks.
For enterprises looking to consolidate multiple appliances and services into a single cloud solution, the question is how the technologies of these upstart companies stack up against Internet giant Akamai – the industry benchmark when it comes to cloud-based Application Delivery solutions. Let’s look at the relative strengths and weaknesses of the three platforms in the key functional areas of DDoS protection, application security, content delivery, and load balancing, as well as the relative costs of each service.
Industry surveys clearly demonstrate that any organization with a web presence requires dedicated DDoS protection to prevent downtime, financial losses and reputation damage. With the average cost of a DDoS attack measured at $40,000 per hour, investing in strong DDoS protection has become a business imperative.
DDoS attacks come in a variety of flavors – from network floods to targeted attacks against DNS servers and assaults against email and FTP services – which means that a range of sophisticated detection and mitigation capabilities are required to secure networks against these types of attacks.
Mitigating Network (Layers 3-4) Attacks:
Today’s network DDoS attacks, often exceeding 100-200 Gbps, can only be countered by a strong infrastructure capacity. This is one reason why cloud-based platforms with large resource pools are rapidly becoming the industry standard for DDoS mitigation.
Based on the world’s largest web content delivery network, the Akamai web security cloud provides the mass scale required to easily absorb and defuse even the largest DDoS attacks. Incapsula, for its part, has bolstered its DDoS mitigation capacity to over 1 Terabit by equipping its data centers with high-powered scrubbing hardware (aka Behemoth) offering a maximum capacity of 170Gbps per machine.
All three solutions provide customers with bandwidth over-provisioning that scales to absorb and filter DDoS traffic on demand. This means you can protect your website or application against massive DDoS attacks, without having to pay up front for bandwidth you don’t need on a regular basis.
Safeguarding DNS servers is also critical for website availability. CloudFlare, Akamai and Incapsula all offer DDoS protection services for DNS servers that automatically identify and block attacks seeking to target DNS servers, while also accelerating DNS response.
Mitigating Application (Layer 7) Attacks:
Incapsula, CloudFlare and Akamai utilize different security approaches when it comes to mitigating Layer 7 DDoS attacks that are executed by DDoS botnets. These types of stealthy attacks are difficult to detect, since they are often designed to mimic human behavior. They are much leaner than network layer attacks, since even 50-100 requests per second to a resource-heavy asset are enough to overload the typical mid-sized application server.
Here, Incapsula’s solution relies on proprietary classification algorithms that inspect signatures, capabilities and behavior patterns to distinguish between legitimate and malicious traffic. This client classification technology results in a sub-1% false positive ratio and is mostly transparent to regular users.
In contrast, CloudFlare offers an effective but less user-friendly solution that relies on splash screens and CAPTCHA pages, which are presented to visitors during the attack. With attacks lasting for days or even weeks at a time, this can become annoying and drive away legitimate users.
Akamai’s acquisition of Prolexic in February 2014 was most likely intended to address its limitations in mitigating Layer 7 DDoS attacks. However, the implementation and integration of the acquired technology across Akamai’s expansive network is still underway. In addition, the Prolexic DDoS solution identifies Layer 7 attacks using static parameter comparisons, which often results in false positives that impair the user experience.
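The Layer 7 floods described above are lean: a few dozen requests per second against an expensive endpoint can be enough, so detection has to look at per-client behaviour rather than raw bandwidth. The following is an added illustration, not code from Incapsula, CloudFlare or Akamai (their classifiers are proprietary and use many more signals than request rate). It assumes common-log-format access logs, a hypothetical list of resource-heavy paths (HEAVY_PATHS), a threshold of 50 heavy requests per client per one-second window, and a constructed sample log containing one ordinary visitor and one flooding client.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical list of paths that are expensive for the origin to render
# (search and report endpoints that hit the database on every request).
HEAVY_PATHS = ("/search", "/report")

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, path without query); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def detect_l7_flood(lines, threshold=50, window_s=1.0):
    """Sliding-window rate check on heavy requests only.

    Lines are assumed to be in chronological order per client. Returns a dict
    {ip: peak heavy requests seen in any window} for clients at or above threshold.
    """
    windows = defaultdict(deque)   # per-client timestamps inside the current window
    peaks = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.startswith(HEAVY_PATHS):
            continue                # cheap static assets never count toward the flood score
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()             # drop requests that fell out of the window
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def make_sample_log():
    """Constructed sample log (not real traffic): one ordinary visitor, one flooding client."""
    lines = []
    stamp = "[26/Apr/2015:10:00:%02d +0000]"
    # Ordinary visitor: one search plus a static asset each second for three seconds.
    for sec in range(3):
        lines.append(f'198.51.100.5 - - {stamp % sec} "GET /search?q=cdn HTTP/1.1" 200 4096')
        lines.append(f'198.51.100.5 - - {stamp % sec} "GET /static/app.js HTTP/1.1" 200 20480')
    # Flooding client: 80 search requests that all land within the same second.
    for i in range(80):
        lines.append(f'203.0.113.7 - - {stamp % 1} "GET /search?q={i} HTTP/1.1" 200 4096')
    return lines


if __name__ == "__main__":
    for ip, peak in detect_l7_flood(make_sample_log()).items():
        print(f"{ip}: {peak} heavy requests/s, over threshold")
```

The point of counting only heavy paths is that a visitor loading a page with forty static assets looks nothing like forty search queries to the origin; a threshold on total requests would produce exactly the false positives the text warns about. In production the flagged client would be challenged or rate-limited at the edge rather than blocked outright, since shared NAT addresses can legitimately exceed a naive threshold.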
Protecting Other Critical Network Infrastructure Assets
Today’s sophisticated attackers do not stop at web/application and DNS servers. Any network infrastructure asset with an IP address is a potential target. This includes servers used for gaming, FTP, email, VoIP, etc.
To combat this threat, Akamai and Incapsula offer an additional layer of security, beyond website protection, designed to safeguard critical network infrastructure across entire subnet ranges from volumetric and protocol-based DDoS attacks. Enabled by Border Gateway Protocol (BGP) routing and GRE tunneling, this versatile protection is compatible with all types of services (e.g., UDP/TCP, SMTP, FTP, SSH, VoIP). This is particularly suitable for large organizations with multiple IP ranges. CloudFlare does not offer this type of service.
Time-to-mitigation is how long it takes to start blocking a DDoS attack once it has been identified. Given the potential damage, any duration longer than a few seconds could place your organization in serious jeopardy. Manually activated solutions are flawed and perpetrators know it – which is why they often attack during major holidays, the middle of the night, or weekends when IT staff may not be available.
Incapsula’s response to this problem is an always-on solution that automatically detects and triggers immediate mitigation of all types of DDoS attacks, as well as collecting and displaying traffic data in real-time.
With CloudFlare, time-to-mitigation depends on the type of attack. Volumetric network attacks are automatically mitigated. However, it is up to the customer to identify stealthy Layer 7 attacks and then manually click the “I’m under attack” button. This approach is obviously less reliable and can result in performance degradation and even potential downtime.
While Akamai offers “always on” DDoS protection backed by 24×7 NOC monitoring, its massive network is inherently prone to delay, which means users only become aware of an attack several minutes after it has begun, losing critical mitigation time.
Today’s websites are under a constant barrage of attacks. If hackers uncover a crack in your defenses, they can steal your application data, defraud your users, and take down your website. Application security is vital for safeguarding your websites and applications from any web attack, so you can avoid costly data breaches and downtime.
Web Application Firewall (WAF):
Incapsula combines a crowdsourced security model that aggregates attack data from over 100,000 active domains worldwide with a massive (and constantly updated) IP reputation database. Together with its use of Imperva’s best-in-class WAF technology, Incapsula is a recognized leader in this area. Its WAF has also excelled in comparative penetration tests with CloudFlare.
In addition to its WAF, Incapsula offers several advanced security features not supported by Akamai or CloudFlare, including backdoor shell detection, an IP reputation system, and an integrated Two-Factor-Authentication system for access to online assets.
Akamai offers a dependable WAF option, which uses a variation of the open source ModSecurity platform and is effective against most common web threats. However, it should be noted that in comparison to Incapsula’s proprietary solution, ModSecurity is prone to false-positives and slow to react to new threats. Of greater concern is the fact that ModSecurity’s source code is exposed to potential adversaries who can use this knowledge to develop evasion techniques.
CloudFlare also uses a variation of the open source ModSecurity platform, usually with adequate results. Nevertheless, it did have issues with certain types of common application attacks (e.g., SQL injection, Remote File Inclusion) in “pen-testing.”
When it comes to ensuring a good user experience, minimizing false-positives is a crucial capability. Incapsula’s client classification technology identifies legitimate users and distinguishes between “good” and “bad” bots – which is essential for eliminating false positives. CloudFlare’s WAF does not differentiate between clients. It presents a CAPTCHA challenge to every visitor to a site, whether bot or human, resulting in a high rate of false positives that impairs the user experience.
Flexible Security Rules:
Both Akamai and Incapsula offer custom security rule engines, which allow their users to implement additional security policies and build their own security solution. For large enterprises with specific needs and security practices, this is very important.
Incapsula’s flexible custom rule engine (a.k.a. IncapRules) enables fast creation of security rules tailored to your enterprise’s security policy and use cases. While Incapsula users can implement rule changes at will and on the fly, rule implementation on Akamai could take days to weeks to complete. This is due to the time required to populate rules in over 1000 POPs, as well as the fact that custom rule generation goes through their support team, further lengthening the process.
In addition to its default rule sets, CloudFlare offers an option of turning on/off pre-defined rules in accordance with security policies.
Online merchants who handle consumer credit card information are bound by law to deploy a web application firewall in front of their website. Both CloudFlare and Incapsula offer PCI-certified WAFs that fully comply with PCI 6.6 type 1 reporting requirements.
Akamai approaches this issue from a different angle with Edge Tokenization. This workaround allows its clients to offload the payment processing to an Akamai-owned platform. While effective, this solution may not be compatible with the practices of some enterprise organizations.
Designed more than a decade ago when network connectivity issues were common, Akamai’s network comprises approximately 1000 POPs (Points of Presence), with coverage in every region of the world. As relatively new players in the CDN market, CloudFlare and Incapsula have taken a different approach in building their networks. Each company offers a much smaller number of higher capacity POPs (currently 30 for CloudFlare and 20 for Incapsula) – a design which reflects today’s high-speed Internet environment, in which geographical distance carries much less significance in terms of its impact on performance.
Obviously, Akamai’s most notable advantage is its network size, the impact of which varies depending largely on the visitor’s location. Its network coverage offers an advantage in countries and regions where CloudFlare and Incapsula have no physical presence.
Acceleration and Caching:
When it comes to website acceleration and optimizing the user experience, all three CDNs are very efficient in caching static content. This type of caching is a strength of Akamai’s CDN, which is designed to cache very large static files such as video.
Ten years ago network speeds were the key factor in determining page load times. Today, the key factor affecting the user experience is the time it takes the web server to render requests for dynamic HTML files commonly used in web applications, e-stores and database-reliant websites. The need to render dynamic resources for each request increases the load on the server and, most likely, the database as well.
Incapsula would seem to offer an advantage when it comes to caching dynamically generated objects. Using its proprietary, patent-pending profiling algorithms, Incapsula is able to identify cacheable dynamic content by the way it’s being accessed by users. This capability is very important for speeding delivery of dynamically rendered applications.
Akamai’s DSA feature ostensibly provides a similar solution for dynamic content, although it’s not clear exactly how this technology operates.
Rather than caching dynamic web pages, CloudFlare uses its Railgun™ technology, which is installed on each web server, to further compress web content. Although it does not actually cache dynamically generated objects, Railgun accelerates delivery speed by comparing the content from the server to the content that is already cached. If the content is the same, it delivers it from the cache. This approach reduces the bandwidth required between the web server and the POP, but it does not reduce web server loads since pages still must be rendered each time they are accessed.
[Figure: CloudFlare’s Network Map]
[Figure: Incapsula’s Network Map]
Enterprises depend on the availability of their business-critical applications. Load balancers remove single points of failure and ensure application availability by monitoring the “health” of application servers, and only sending requests to servers and applications that can respond in a timely manner.
Local Load Balancing:
All three vendors perform load balancing in the cloud and do not rely on hardware appliances, which can be a single point of failure.
With respect to server load balancing in a single data center, Incapsula and Akamai provide similar Layer 7 load balancing capabilities, enabling them to distribute incoming requests based on the actual load of traffic on each server. Both providers give clients several choices of load balancing algorithms as well as rapid and accurate response for local server failover. Incapsula’s real-time view options give it an advantage in terms of management capabilities by allowing users to instantly respond to unwanted scenarios.
CloudFlare, on the other hand, uses the Anycast routing scheme to choose the most preferred route for traffic requests (i.e., the shortest path from the sender to the recipient). At the data center, if a server is down or overloaded, traffic is sent randomly to the next available server.
Global Traffic Management:
Akamai and Incapsula also offer Global Server Load Balancing (GSLB) to support geo-load balancing across multiple data centers. Due to its reliance on DNS, Akamai’s GSLB is slower to react to routing changes, which can result in service disruption.
Incapsula’s Layer 7-based GSLB implements new directives literally “on the fly”. In addition, it supports the routing of traffic to specific data centers, based on the visitor’s geo-location, with an option to redirect to another data center in case of failover.
Incapsula complements its high availability solutions with a live monitoring option that enables tracking of web server and data center activity in real-time. This useful feature lets you detect issues ahead of time and re-route traffic to a viable server to eliminate lags or outages.
While Akamai claims to offer real-time monitoring, there is typically at least a 15 minute delay due to network size and topology.
In the event of a data center meltdown, a fast response is critical for maintaining availability.
While CloudFlare doesn’t currently provide an automated site failover option, Anycast routing can be used to redirect traffic to a standby server, pending its manual activation by the network’s operator.
Incapsula’s service supports automatic failover between primary and secondary sites based on periodic health checks of all servers on service. As soon as the platform detects that the primary server has gone down, Incapsula automatically kick-starts the pre-configured standby server to help keep your website and web apps available.
This level of response is not possible using Akamai’s DNS-based routing. Regardless of outage detection, the routing changes won’t kick in until the start of the next TTL cycle. In many cases, this can prolong the downtime for up to several hours, depending on the length of the cycle, which varies based on the ISP’s cache.
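The availability argument in the last few paragraphs comes down to where the failover decision is enforced: a Layer 7 proxy re-routes the moment its health checks trip, while a DNS-based GSLB can only change the answer it hands out, and clients keep the old answer until their cached record expires. The simulation below is an added example, not code from any of the three vendors. It assumes a probe every 10 seconds, three consecutive failures before an origin is declared down (no fail-back), a single simulated client whose resolver cached the DNS answer at t=0, and a fixed TTL that the resolver honours exactly (real resolvers and ISP caches may not, which is the variability the text mentions).

```python
class Origin:
    """A backend server that goes down at `down_at` seconds (None = stays up)."""

    def __init__(self, name, down_at=None):
        self.name, self.down_at = name, down_at

    def is_up(self, now):
        return self.down_at is None or now < self.down_at


class HealthChecker:
    """Periodic probe; declares the origin failed after `trip` consecutive failures."""

    def __init__(self, origin, interval_s=10, trip=3):
        self.origin, self.interval_s, self.trip = origin, interval_s, trip
        self.failures = 0
        self.failed_at = None            # time the origin was declared down

    def probe(self, now):
        if now % self.interval_s != 0 or self.failed_at is not None:
            return                       # not a probe tick, or already tripped (no fail-back here)
        if self.origin.is_up(now):
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.trip:
                self.failed_at = now


class L7Proxy:
    """Proxy-style failover: every request is routed on the current health state."""

    def __init__(self, primary, standby, interval_s=10, trip=3):
        self.primary, self.standby = primary, standby
        self.hc = HealthChecker(primary, interval_s, trip)

    def route(self, now):
        self.hc.probe(now)
        return self.standby if self.hc.failed_at is not None else self.primary


class DnsGslb:
    """DNS-based failover: same checker, but the client keeps its cached answer for ttl_s."""

    def __init__(self, primary, standby, interval_s=10, trip=3, ttl_s=300):
        self.primary, self.standby, self.ttl_s = primary, standby, ttl_s
        self.hc = HealthChecker(primary, interval_s, trip)
        self.cached = None               # (origin, resolved_at) held by the simulated client

    def route(self, now):
        self.hc.probe(now)
        if self.cached is None or now >= self.cached[1] + self.ttl_s:
            answer = self.standby if self.hc.failed_at is not None else self.primary
            self.cached = (answer, now)  # client re-resolves only when its record expires
        return self.cached[0]


def simulate(outage_at=100, horizon=1200, ttl_s=300):
    """Seconds during which the simulated client is sent to a dead origin, per scheme."""
    results = {}
    for name, make in (("l7", lambda p, s: L7Proxy(p, s)),
                       ("dns", lambda p, s: DnsGslb(p, s, ttl_s=ttl_s))):
        primary = Origin("primary", down_at=outage_at)   # constructed scenario
        balancer = make(primary, Origin("standby"))
        results[name] = sum(1 for t in range(horizon)
                            if not balancer.route(t).is_up(t))
    return results


if __name__ == "__main__":
    for scheme, seconds in simulate().items():
        print(f"{scheme}: {seconds}s of requests sent to a dead origin")
```

With the defaults the outage at t=100 is detected at t=120 (three failed probes), so the Layer 7 proxy exposes the client to 20 seconds of errors, whereas the DNS client keeps hitting the dead primary until its 300-second record expires at t=300, for 200 seconds. Lowering the TTL shrinks the DNS gap but never below the detection time, and it does nothing for resolvers that ignore short TTLs.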
Akamai’s standard Application Delivery “bundle” for enterprises, including Web Application security services, DDoS Protection and availability features, starts at over $13K/month. This also includes roughly 5Mbps worth of monthly CDN usage, with overage fees of around $0.40/GB.
Both Incapsula and CloudFlare offer a premium Enterprise CDN, with 24×7 support and enterprise-grade uptime SLAs at prices substantially lower than Akamai’s. Both offer the option to purchase WAF, DDoS protection and load balancing features separately or to bundle them together into a complete Application Delivery solution. Incapsula’s Enterprise offering, with a full set of features comparable to that of Akamai, costs $4K/month, with additional bandwidth at a third of the cost charged by Akamai. The average cost of CloudFlare’s Enterprise plan is $5K/month.
Akamai offers its customers insurance against surges in traffic generated by DDoS attacks. These optional “DDoS Fees” tack on an additional $5K to its monthly retainer costs. For many customers this payment is worthwhile, because paying for bandwidth overages would exceed the $5K flat fee. Neither CloudFlare nor Incapsula applies additional charges for bandwidth or overage as a result of DDoS attacks.
Akamai offers a CDN-only service at $1700 for 5Mbps/month. For only $500, Incapsula offers the same amount of bandwidth and provides full access to all of it. At no extra cost, this option also includes local load balancing and application security features, backed by premium support and an uptime SLA. CloudFlare offers a CDN-only option as part of its Business plan at a cost of $200/month per website. It should be noted, however, that this offering does not include an SLA or 24×7 support, which are crucial for most enterprises.
High quality ADC solutions are no longer just for those with deep pockets. Innovative and disruptive cloud providers like CloudFlare and Incapsula are driving the ADC space forward. These companies offer excellent cloud-based Application Delivery services that serve as cost-effective replacements to enterprise-grade appliances.
A recognized leader in the CDN space, Akamai’s network capacity is second to none for enterprises looking for an acceleration-focused service. Its recent acquisition of Prolexic has also provided it with an effective DDoS protection solution.
Nevertheless, given their low price points and full-service offerings, Incapsula and CloudFlare seem to offer a better value for money than Akamai. Granted, when acquiring a service, one should always consider the provider’s track record and reputation. However, with five years and thousands of clients under their belts, Incapsula and CloudFlare offer proven and cost-effective Application Delivery alternatives to Akamai. With respect to load balancing and Layer 7 DDoS protection, Incapsula offers a more robust and complete solution than CloudFlare.
Author’s Note: Some of the information in this review, including the pricing information, was based on previous reports and industry reviews, such as Zero Science Lab’s comparative penetration testing analysis, IT Central Station and husdal.com.