Imperva Application Security Platform Reviews

The most valuable feature is the grouping of multiple targets via the scan policy. It is valuable because of the large number of targets and governmental requirements to conduct periodic scans.

With acquisition of a license to use the product, we received the ability to standardize database scanning and data protection across the enterprise around one product.

Many features are buried under not-straight-forward options and, at times, hard to find screens. Very few import features have clearly defined format requirements. Agent installation for data usage/blocking activities on target boxes requires the involvement of OS admins and DBA’s, which complicates coordination of installation and delays implementation. The discovery feature does not accurately discover the instances and instead identifies auxiliary end points (SQL – 1434) and TCP listeners (Oracle – 1521).

I’ve used and administered Imperva SecureSphere for 2 years.

Periodically, the site stops functioning and the appliance requires a reboot to restore functionality.

Scalability capabilities are well thought through by product development. Installation of additional MX servers and gateways on remote networks ensures coverage of scanning and data usage monitoring/data protection capabilities.

Technical support is probably the biggest drawback. No contact with technical support ever results in an immediate response and the solution is usually preceded with series of emails, going on for up to a week, before a live person gets on the phone. But, even then, their task is to observe the manifestation of the problem and request a collection of additional information (logs, traces, etc.) without any attempt to solve the problem during the call/WebEx session. Their technical support staff has at most two or three engineers that have a good working knowledge of the product, but most of the time, a level one technician is running the case. When support staff finally gets on the phone, their first statement is a disclaimer that they are on the call ONLY to collect information and that the customer should not expect any resolution.

This pattern of providing technical support greatly differs from what IBM offers for their Guardium product (competitor solution).

We attempted to use several previous solutions. One was Tenable SecurityCenter with its custom, XML-like scripting where each check had to be written by the Database Security Specialist (myself). We also attempted to use AppDetectivePRO, though its performance, lack of customization, scalability, and licensing costs prevented us from continuing with it.

The setup is very straightforward considering that it’s either a physical or virtual (OVF template) appliance. The wizard-like initial setup and configuration are somewhat awkward, but can be completed after reviewing the instructional videos available to the customers.

Licensing should be chosen based on the current infrastructure setup and growth plans. Purchasing appliances of different types may lead to unnecessary/unjustified expenditures and ultimately lead to complications in administration.

The product that was evaluated and was chosen as the recommendation was IBM Guardium. Unfortunately, its licensing cost was a lot higher. Therefore, the management decided not to proceed with the purchase.

Be prepared to obtain every piece of documentation that comes with the product. Thoroughly research it to obtain a clear understanding of how to implement the product and ensure you have a dedicated Imperva first-response engineer that can answer your questions without going through a normal support channel. Be patient when encountering a bug or a feature failure, as well as discrepancies between the product interface and/or behavior with the accompanied documentation. Their support is not prepared to jump in and start working on a fix or update the documentation.

In many cases, the documentation remains outdated referring to old releases regardless how long you’ve been asking for an update. Their instructional videos are also out of date, but references to them are consistently sent by their support whenever you may have a question. And finally, thoroughly document your deployment and license-related information, because every email to technical support is responded with an automated reply requesting this information. Not replying to this automated email with correct info will lead to further delays.

• Very easy to configure, which quickly allows us to add significant security to our websites.
• Nice dashboard, which shows us details about traffic, security, performance, real-time utilization and an activity log.
• Easy to configure caching, content optimization and other advanced settings, which allows us to improve the customer experience if necessary, or keep the defaults if any change is unnecessary.

With our IT infrastructure more secure, our customers receive a great website experience without encountering website defacements and other fallout from attacks on our web servers. Our IT department is not spending the time we used to on website remediation after attacks.

An Incapsula website configuration instance can be in a "Pending DNS changes" state, where further work is needing to be done by the customer, while website access is otherwise fully functional. While in this state, the PCI Compliance Report for the website in question, which I have set to email me monthly, doesn't get generated and sent. Imperva should decouple the "Pending DNS changes" state from the process that periodically emails the PCI Compliance Report. Until that happens, the workaround is to manually generate the report monthly.

Since May 2014.

We haven’t had any stability issues. I get emails about internal Incapsula technical issues that they’re working on. However, they haven’t ever impacted me as an administrator and I’m unaware of any customers experiencing issues getting to our websites.

Incapsula scales nicely.

Technical support is excellent.

Prior to Incapsula, we only used inline IPS, anti-virus, etc. Incapsula is our first web application firewall.

Initial setup was very easy. The default configuration usually has done the trick for us. We simply haven’t needed to deviate much from default. Online documentation is good and if we still had questions, we contacted support who helped us make configuration changes to address our needs.

Gain an understanding of pricing for the various advanced features and figure out what features you need to meet your objectives. We have done very well with the first tier feature package to address the needs at our two data centers and our cloud environments.

We got a feel for pricing and capabilities of other competing systems. However, Incapsula came highly recommended by our trusted security VAR as they had many customers who experienced great results with it. With that ringing endorsement, and the reasonable cost, we tried it out, loved it, and have been using it ever since.

Do a proof-of-concept. It’s quick and easy to set up, and you’ll have Incapsula support to help you if needed. Embrace the ease-of-use of the administrative interface and marvel “can a WAF really be this easy?!”. Monitor the dashboard and enjoy the results. The ease of testing Incapsula and then implementing it into production is one of the most remarkable product experiences in my IT career. It’s clear that Incapsula engineers are busy behind the scenes, which is in contrast to my appreciation of what I would otherwise be doing tuning other WAF options.

• Easy-to-set-up CDN with PCI-level IDS/IPS

We offer Incapsula for every customer project we host, as a default.

The default service is great!

I have used it for two years.

Sometimes, the SSL setup can be a bit slow/inconsistent.

There was only one minor incident with service availability, if I remember correctly.

Nope; we have not encountered any scalability issues.

Some tickets seem to hang for some reason and some of the more-technical tickets seem to go through lot of different people before they get solved, but generally the customer service has been good.

General documentation is good enough that we haven't needed technical support that much, but the answers have been good once you go through the "Off-the-shelf" answers.

We did try CloudFlare, but the pricing didn't suit our use case too well.

The initial setup is fairly straightforward for a technical person.

An in-house team implemented it all the way.

ROI is ~90%.

Pricing is a good match for the features we use.

Before choosing this product, we also evaluated CloudFlare because it appeared first in Google.

Basic setup is simple but, as with any caching/WAF setup, there are tricks you need to learn. But it works really nice out of the box!

• Bad-IP blocking and signature-based blocking for web application security

• Security compliance and temporary remediation of application vulnerabilities

Management of policies and rules can be complicated and the physical setup of the product has implications on HA.

I have used SecureSphere for 3-4 years.

Performance of the smaller boxes can be sluggish depending on the load.

We haven’t had any scalability issues.

We did not have a previous solution.

Initial setup was straightforward, but ongoing management of rules and policies are time-consuming and complicated.

Try to use a cloud-based and/or managed solution instead of managing a WAF internally; that should be the first preference.

Before choosing, we also evaluated F5 ASM.

While implementation is not hard, the process and resources for ongoing management should be thought through and agreed to before implementation.

• Extensive cache control like cache purging and cache rule propagation
• Availability features
• Cross-datacenter solution (active and passive environments)
• CDN and DDoS protection with 24/7 support

Automatic failover between primary and secondary sites enables high availability and accelerates disaster recovery. As soon as it detects that the primary site has gone down, it automatically kick-starts our standby data center.

The dashboard is not accessible on occasion. This is probably due to a high load. However, the sites’ protection seems intact.

We have been using this solution for four years.

There are no stability issues as of now.

There are no scalability issues, but the custom SSL has a terrible price point that puts it out of range for our clients. If they need custom or EV SSL, they are paying significantly more than their overall hosting.

The technical support is impressive.

We used Akamai previously, but due to full PCI DSS compliance, we needed a proprietary solution for two-factor authentication. We then switched to Incapsula.

The setup was so straightforward. It didn’t require to us to make any major changes.

If you don't have custom SSL, get it!

We switched to Incapsula from Akamai.

Imperva has a very impressive core feature set. Imperva has made security analysts scratch their heads. We allow them in from the inside so they can actually hit something worthwhile.

We are very confident in the reports we get from Imperva. Its bot identification has allowed us to plan bandwidth appropriately.

Identification for good bots (people who hit our site using automation, but for good business reasons) has allowed us to work with our customers who use our services in new ways.

Infrastructure protection (anti-DDoS): Imperva anti-DDoS protection has the well-known value of having lots of distributed nodes around the world, making it the best value for DDoS protection. They also include protection against almost all known DDoS attack methods.

The product has given us DDoS protection.

The management interface needs improving. Even with a recent version of the interface, you cannot do all the changes that you would like. As an example, if you want to change one of your protected public IP addresses, you need to request this from support, and it takes a long time.

I have used it for 10 months.

There were stability issues. One node went down and we completely lost the connectivity of our public IP addresses.

We have not encountered any scalability issues.

We rate technical support as really bad. It took one month to solve an issue with one node and give us an alternative solution. Apart from the management interface, support service has to improve their response times (based on our experience with them).

We did not previously use any other solutions.

Initial setup was simple, except for the GRE tunnel issues and MTU tuning.

We think that this product is fairly priced considering other products.

We evaluated Arbor Networks.

Check the SLAs carefully.

WAF configuration is the most valuable feature.

• Reduced spammers during competitions
• Bot reduction

Improve reporting interface and filtering.

I have used it for two years.

We have not encountered any deployment issues.

Mostly, we have not encountered any stability issues, except the occasional leak from the HK pod.

We have not encountered any scalability issues.

Customer service is good.

Technical support is good.

We previously used Fortinet.

Our ROI is about 45% since deployment on reduction of our cloud bill.

Pricing and licensing is extremely competitive.

Incapsula:

• Strength of DDoS and WAF
• Simple dashboard
• Analytics
• SSL

CloudFlare:

• Ease of use
• Simple dashboard
• DNS management
• CDN
• SSL

Incapsula:

It has provided heightened visibility and awareness at management level on the actual threat landscape; it paves the way for easier approval for security-related implementations/projects.

CloudFlare:

It provides free SSL certs that can be used on website domains that I did not purchase SSL certs for.

Some protection and CDN caching realized, even though I’m on the free tier.

Incapsula:

• Allow easier scripting of firewall rules.
• Enable more custom actions to trigger turning on/off Incapsula settings (current actions are quite limited).
• Allow setting up of user groups to manage different groups of sites with viewer/operations/admin levels of privileges. This is quite a typical requirement for enterprise clients who will have multiple teams taking care of different sites, plus an overall IT security team who oversees everything.

CloudFlare:

• Improve the strength of WAF/DDoS.
• Reduce the rate of false positives.

I have used Incapsula for about a year.

I have used CloudFlare for almost a year.

Incapsula: The dashboard occasionally is not accessible (probably due to high load) but the sites protected seem intact.

CloudFlare: I have not used it enough to provide useful information.

Incapsula: The only issue so far is with the dashboard.

CloudFlare: I have not used it enough to provide useful information.

Incapsula: Technical support provides fast response via email tickets, and fairly responsive local technical/account reps.

CloudFlare: I have hardly utilized their technical support so far.

I did not previously use a different solution.

For both Incapsula and CloudFlare, initial setup was very easy.

Incapsula:

Pricing is described on their website, but for enterprise agreements, clarify with local reps, as there might be a need for customized needs/pricing. Be clear on how they handle domains and subdomains.

CloudFlare:

Pricing and licensing is very clearly described on their website; 1 site = 1 domain. Clarify how to support subdomains.

We evaluated Incapsula and CloudFlare.

Incapsula:

You need to understand how DNS works (e.g., A records vs CNAME, TXTs etc.), how SSL works and how to set it up, and how web servers work with domains and proxy servers. It is not for the layman, as the dashboard assumes some level of understanding in these topics. Some settings can break your site, so do perform some tests on a development site before turning features on/off in the dashboard. The good thing is that most settings are reversible and take effect quite quickly, so if things do go wrong, it will not stay broken for too long.

Also, use extra caution when dealing with TLDs, as the product does not handle your DNS, so for onboarding of domains using A records, you may need to ask Incapsula support for advice and assistance as it requires assigning the A record to a CNAME or IP address (network folks might understand the problem here).

CloudFlare:

You need to understand how DNS works (e.g., A records vs CNAME, TXTs etc.), how SSL works and how to set it up, and how web servers work with domains and proxy servers. It is not for the layman, as the dashboard assumes some level of understanding in these topics. Some settings can break your site, so do perform some tests on a development site before turning features on/off in the dashboard. The good thing is that most settings are reversible and take effect quite quickly, so if things do go wrong, it will not stay broken for too long.