Imperva Web Application Firewall Reviews

Our primary use case is to protect our cloud production environment.

We have a co-location that we do with our QA and Dev and our pre-production environment. We do everything there. We built it for the production environment so we deploy everything in the cloud. We have the web application firewall in the cloud, after the proxy.

It has threat intelligence and we are using Incapsula. With threat intelligence, we can separate HTTP and HTTPS traffic. We can use Incapsula to send all the threat intelligence to the WAF.

The interface is very user-friendly. You get used to it. It's very convenient.

There could be some limitations rom the converged infrastructure perspective: when you want to converge with everything and you want Imperva to get there easily, because it's not a cloud component. For example, when you want to build servers and you're using OneView to manage your software-defined networks, implementing Imperva right away is not that simple. But if you're doing just a simple cloud infrastructure with servers in there, you're good to go.

Also, we are not able, with Imperva, to block by signatures. Imperva by itself needs to be complemented with another service to do URL filtering. That's why you need Incapsula.

No issues with stability. It has never crashed.

Scalability is affordable. There are no issues with the process of scaling.

They have centralized management, in terms of scalability. They have centralized policy control, they have centralized application profile information. On the dashboard they have Signature Update, Monitoring, Reporting. They clearly thought about the large-scale when they made this product.

We use a partner here in Puerto Rico for Imperva. We have a guy in our shop every day, full-time.

We used Fortigate. We switched because it's not a WAF. When you have a WAF, you want that WAF to do all kinds of configurations, to promote the firewall, to work the way you want it. Imperva came with everything, the whole package.

The initial setup was a little bit complex. But a third-party took care of everything. It's not like putting milk on cereal when you are working with these kinds of configurations. The effectiveness of a web application is going to come from the analysis of what your organization needs. If you don't have that information before you go into Imperva, you're going to have a lot to do when you get there. You need to know what you're doing. It's not something you can take out of the box and put in your infrastructure. It's somewhat hardcore to deal with these kinds of solutions. 

Make sure you understand the way that Imperva charges. It's very affordable. However, I would like to see a package with the Virtual Patching included. You get to do patching separately.

We had F5, Akamai, Fortinet, Barracuda. We may have looked at Juniper as well, I don't remember. Not too many companies have a WAF. Not all the firewall companies are WAF makers.

I think it's perfect. It's a very good application. When you do large-scale deployment you want to protect your physical web application with Imperva, trust me. It gives me peace of mind.

These are guys are from Israel and you should see that place. These guys are the best I have ever seen. They do all kinds of stuff and there is nothing that they cannot do. These people are incredible. They can configure and develop anything, customized, if you want it. Everything has a price, but they can do it right now. They don't have a "no."

We use Imperva with Incapsula so we have web security, we have DDoS protection, we have content delivery networking, we have load-balancing. We do everything with Incapsula cloud. For example, if you have an internet threat, that threat is trying to access your web application. Depending on the threat that you are receiving, the activity monitor is going to be triggered. Once that activity monitor gets triggered, the vulnerability management is going to defend you. It doesn't work for everything the same way. It's very intelligent.

Without tuning, it blocked 88 percent of the vulnerabilities, and when we tuned it, it blocked 98 percent. Whatever was not blocked didn't harm us. We use a third-party for tuning. We tell them what to do it and they do it. They get it done fast, sometimes in two to three days. It depends on what you're asking for. If you're asking for more accuracy, they go the distance to solve your problem. For example, the other day I had some keywords, some attack signatures that they were looking at for false-positives and false negatives, which are two different things. One of the main reasons we got Imperva is that we wanted to block attacks while limiting the number of false positives. I wanted the application scanner not to generate false positives by creating violations. I gave them the information, and the next day it was solved.

To put it in a high-level perspective, you are paying to see the things that are important, but you get a lot of noise. I wanted to reduce that noise. They allowed me to do that. 

Make sure you have the right testing methodology for Virtual Patching. If you want to take your patching to under 30 days, this is the product for you. We reduced it to five days. I think we are the only company where the patching is under five days. We are only doing it at the database-level right now. But we took it down to five days. 

There are proper ways to test a WAF, but the main advice I can give you is that you should not just generate attack traffic. The most effective method, for me, would be to generate both attack and legitimate traffic. That kind of approach will give you a way to rate the ability of the WAF to detect malicious traffic and to distinguish malicious traffic from good traffic. Provide real-world testing scenarios, in which the WAF must block attacks and avoid blocking good traffic at the same time. You will be able to measure how many false positives you're getting. That is the best way to test a WAF: Don't only to generate attack traffic.

Another piece of advice, and here I will jump  to the main fears of this environment - SQL injections, cross-site scripting, which I hate, DT's (Directory Traversals) - is that you need to provide another layer here which is IPS. IPS products will all rely on signatures. They are going to be created by the scanner to stop anything, that's just the basics of threat prevention. If these signatures are easy to circumvent, by using comments and encoding at the same time, they will be available for the WAF to stop any kind of session or cookie tampering. What I'm saying is that there should be technical attack protection. You should be thinking not only about WAF but combining WAF and IPS.

You need to find an IPS that works with it. Imperva has something similar to an IPS, it's not an IPS per se. For example, an IPS cannot detect or stop fraud malware. For that, you need to add certain other levels of security and combine it with employee training. If you get the web application, which is called SecureSphere, the WAF, it will protect you against web page fraud because they go by black IPs. So you can help the IPS on that side and the IPS can help you letting you know what to block from the internal network. You should be considering a combination of WAF and IPS.

Another thing to take into consideration for people who are starting, with respect to deploying a WAF, is that they should validate the accuracy of the solution and the ability it has to protect any application and help you with monitoring and management. It's not just technical stuff.

Protects and secures all our web sites.

• Learning mode.
• Custom policies.
• Very intuitive and granular configuration - It does not require much time, or advanced knowledge, for configuration and maintenance.

The reporting is missing some features, such as: only two export formats, and the time period does not include the last day, week, year.

No issues with stability.

No issues with scalability.

10 out of 10 for local support, seven out of 10 for Imperva Professional Services.

Straightforward. Easy to install and config.

F5.

I rate it a 10 out of 10 because of the ability to apply real-time changes or creations, export and import applications learned, and it's very easy to use. It also features system logs or incidents, granular configuration in relation to a SIEM. It is the best product on the market, in my opinion. Cyber security leader.

The most valuable feature is the grouping of multiple targets via the scan policy. It is valuable because of the large number of targets and governmental requirements to conduct periodic scans.

With acquisition of a license to use the product, we received the ability to standardize database scanning and data protection across the enterprise around one product.

Many features are buried under not-straight-forward options and, at times, hard to find screens. Very few import features have clearly defined format requirements. Agent installation for data usage/blocking activities on target boxes requires the involvement of OS admins and DBA’s, which complicates coordination of installation and delays implementation. The discovery feature does not accurately discover the instances and instead identifies auxiliary end points (SQL – 1434) and TCP listeners (Oracle – 1521).

I’ve used and administered Imperva SecureSphere for 2 years.

Periodically, the site stops functioning and the appliance requires a reboot to restore functionality.

Scalability capabilities are well thought through by product development. Installation of additional MX servers and gateways on remote networks ensures coverage of scanning and data usage monitoring/data protection capabilities.

Technical support is probably the biggest drawback. No contact with technical support ever results in an immediate response and the solution is usually preceded with series of emails, going on for up to a week, before a live person gets on the phone. But, even then, their task is to observe the manifestation of the problem and request a collection of additional information (logs, traces, etc.) without any attempt to solve the problem during the call/WebEx session. Their technical support staff has at most two or three engineers that have a good working knowledge of the product, but most of the time, a level one technician is running the case. When support staff finally gets on the phone, their first statement is a disclaimer that they are on the call ONLY to collect information and that the customer should not expect any resolution.

This pattern of providing technical support greatly differs from what IBM offers for their Guardium product (competitor solution).

We attempted to use several previous solutions. One was Tenable SecurityCenter with its custom, XML-like scripting where each check had to be written by the Database Security Specialist (myself). We also attempted to use AppDetectivePRO, though its performance, lack of customization, scalability, and licensing costs prevented us from continuing with it.

The setup is very straightforward considering that it’s either a physical or virtual (OVF template) appliance. The wizard-like initial setup and configuration are somewhat awkward, but can be completed after reviewing the instructional videos available to the customers.

Licensing should be chosen based on the current infrastructure setup and growth plans. Purchasing appliances of different types may lead to unnecessary/unjustified expenditures and ultimately lead to complications in administration.

The product that was evaluated and was chosen as the recommendation was IBM Guardium. Unfortunately, its licensing cost was a lot higher. Therefore, the management decided not to proceed with the purchase.

Be prepared to obtain every piece of documentation that comes with the product. Thoroughly research it to obtain a clear understanding of how to implement the product and ensure you have a dedicated Imperva first-response engineer that can answer your questions without going through a normal support channel. Be patient when encountering a bug or a feature failure, as well as discrepancies between the product interface and/or behavior with the accompanied documentation. Their support is not prepared to jump in and start working on a fix or update the documentation.

In many cases, the documentation remains outdated referring to old releases regardless how long you’ve been asking for an update. Their instructional videos are also out of date, but references to them are consistently sent by their support whenever you may have a question. And finally, thoroughly document your deployment and license-related information, because every email to technical support is responded with an automated reply requesting this information. Not replying to this automated email with correct info will lead to further delays.

• Bad-IP blocking and signature-based blocking for web application security

• Security compliance and temporary remediation of application vulnerabilities

Management of policies and rules can be complicated and the physical setup of the product has implications on HA.

I have used SecureSphere for 3-4 years.

Performance of the smaller boxes can be sluggish depending on the load.

We haven’t had any scalability issues.

We did not have a previous solution.

Initial setup was straightforward, but ongoing management of rules and policies are time-consuming and complicated.

Try to use a cloud-based and/or managed solution instead of managing a WAF internally; that should be the first preference.

Before choosing, we also evaluated F5 ASM.

While implementation is not hard, the process and resources for ongoing management should be thought through and agreed to before implementation.

I really like the profiling section. I mean that signature based policies are ok and they are maybe the most widespread and common kind of security policy in security appliances, but, the profiling policies are custom tailored on a specific web application. I guess it’s the most valuable, and fresh, aspect about SecureSphere.

It has helped a lot with working among, and creating a link between, different teams in my organization, of course I’m referring to security, networking and system application teams. It’s important to find the right collaboration in order to secure the applications from the beginning of the deployment process.

I guess the GUI could be improved a little, as it’s not always simple to get. The most important aspect to me that needs improvement though, is that, by default, if you put activate and protect a server group you created, all the web applications lying on the same group of physical machines, inherit the same policy rule set. This means it’s not so easy to different policies and cut them on a specific application (maybe I’ll ask the vendor support).

It’s been one-and-a-half years.

Not in particular, once I understand the network behavior and the different types of the WAF deployment it was pretty simple and fast.

Not so far. It must be said, though, that It’s a relatively a new installment in our infrastructure, and maybe it’s too soon to say.

It’s an ongoing process day to day, working alongside systems and application engineers to adapt the WAF to better meet the applications characteristics. I guess it depends a lot on the application features and software implementation.

I would say that they are pretty available.

They are reliable and ready to solve your issues.

To be honest, we have been supported by a professional services engineer who showed us the peculiarities during the initial setup, so it was a good experience. I would say that it’s straightforward if you are in good hands.

I would say to focus on the most convenient area for positioning the WAF in order to take the get the best out of it. In my case, we chose a WAF appliance, and it’s crucial where to put it. For instance, we chose to deploy it downstream from the load balancing network infrastructure for various reasons. One of them was to enable the WAF to see the private IP addresses that a vulnerability assessment tool in the private DMZ would see in order to use the WAF as an application firewall and as a virtual patching tool either.

I was involved in the deployment and found that all the features in this product are fantastic, especially the correlated attack validation, threat radar (reputation, fraud), and virtual patching. Those are features that are very useful in day to day operations.

Using WAF in an organization means we can quickly see the attacks that the environment is suffering and take action to mitigate the threat(s). It is possible to view traffic and analyze it to determine if it is legitimate traffic or not, using features such as threat radar and geolocation, helping the security team in the company.

I've been using the WAF component for over a year.

I had no issues with deployment.

I had no issues with stability.

I had no issues with scalability.

I didn't use the customer service, but all the teams in Imperva have a deep knowledge about the product to support customers for any issues they have.

The technical support team at Imperva have a deep knowledge of all their solutions, and they are ready to support any customer with any problem.

The initial setup is different for each environment. You need knowledge of the environment and application, to make a good schedule of activities. Make sure you validate the requirements, and the setup will be simpler to do

I work as a System Engineer and part of my role is to help the partners do deployments for our customers. I participated in some deployments, and I can say the partners I have worked with have good knowledge about deployment and support for all solutions.

All products are good, and I believe narrowing the choice of manufacturer is best done when you do proof of concepts in-house and you can see which of your choices is best matched to your needs.

The solution is being used for communication.

If something goes wrong, there is a quick switch between nodes, wherever there's an attack against a specific area. The security setup is reasonably easy. It's easy to do setups, rules, and integrations. The backend team is also willing to help if there are questions that we cannot answer.

The UI interface needs improvement. 

I have been using Imperva Web Application Firewall for six months. 

The solution is highly stable. I rate the stability a ten out of ten. 

It is a scalable solution. I would rate it a nine out of ten. 

The initial setup is easy. The deployment depends on the customer's solution but does not take more than a few hours. I rate the initial setup an eight out of ten. 

It is a very affordable solution.

I would definitely recommend the solution. I rate the solution an eight out of ten. 

The tool needs to improve CPU and storage memory. 

I have been using the solution for a year. However, my company has been using it for six years. 

Imperva Web Application Firewall is stable. 

The product is scalable, and my company has 20,000 users. One administrator manages the tool. 

Imperva Web Application Firewall is expensive. 

I rate the solution a nine out of ten.