CDN Edge WAF vs On Prem WAF

The web application firewall (WAF) has been around for many years. Some companies like F5 and Fortinet, have added WAF functionality to an existing line of security appliances. Others like Barracuda Networks, have built stand-alone WAFs from the ground up. But make no mistake, the writing is on the wall for the on-premise WAF. It’s possible the on-premise WAF might cease to exist in 3-5 years. Why? Because the CDN Edge WAF is a much better fit for mitigating today’s DDoS attacks. Once the DDoS attack reaches the customer’s origin server, or web servers located in a data center, or HQ, it’s already too late.

Fortunately, the CDNs are best equipped to stop DDoS attacks in the first mile where they originate, through the CDN Edge WAF. Akamai, Incapsula, Cloudflare and Yottaa are the current CDNs that have a WAF offering. Since the WAF is located in the CDN POP at multiple locations, I refer to them as the CDN Edge WAF. If a customer’s web applications are located in a L.A. data center, and the DDoS attack originates in Paris making it to the LA data center, it’s too late. The best possible solution is to stop the attack in the first mile where it originates, in this case being Paris.

CDN WAF Diagram


There are a few WAFs that offer ASIC based performance capable of handling 200Gbps of attack traffic. But when it comes to fighting DDoS attacks, even that is not enough. When a DDoS attack occurs, it usually comes from a dozen different locations that can easily overwhelm any high performance WAF. Even if you have multiple WAFs in a single data center, that is still inadequate because their is a single point of failure. However, CDNs have the infrastructure to fight DDoS attacks from multiple POPs, spreading out the DDoS attack traffic across several POPs, and slowing it down to a point where it is trivial. The business model for WAF is changing, and those that fail to adapt will be left behind. It’s no coincidence that F5 acquired, and Radware developed a DDoS Mitigation platform, as they see what’s coming in the near future. WAFs must become cloud based, and fortunately for the CDN, they are by their very nature a globally distributed cloud.