A couple of customers recently asked if we can help reduce the costs of application security in the cloud. These organisations already understand that even though cloud providers like AWS provide pretty good protection against generic network-level attacks, Internet-accessible applications hosted on cloud platforms remain completely vulnerable to more targeted exploits that masquerade as legitimate application traffic. It is, therefore, essential to provision a Web Application Firewall in front of these apps to intelligently detect and block all malicious traffic.
My customers had standardised on Imperva as their WAF of choice, so I undertook the following analysis to determine how much we could save them by using NetScaler VPX instead. Here are my findings.
Is it safe to replace a pure-play WAF product like Imperva with NetScaler, an ADC with a powerful WAF engine as one of its many features?
To answer this one, I deferred to NSS Labs, which recently undertook a study of the various market-leading WAF options. NSS confirmed that NetScaler is an effective WAF platform and awarded it a “Recommended” rating (Imperva received a “Neutral” rating).
NetScaler is up to 50% less expensive than Imperva on AWS!
For the commercial analysis, I compared the cost of running Imperva & NetScaler straight out of the AWS Marketplace over 6 and 12 months for a range of different traffic loads. The results consistently show NetScaler is much more cost-effective than Imperva, and the savings escalate over time.
Graphing the total cost per Mbps of Application Firewall protection makes it crystal clear that NetScaler delivers the best price for performance for any throughput.
BYO Licence delivers even greater savings over 10 months or more.
As a rule of thumb, if you’re planning to run your VPX in AWS for 10 months or more, you’re probably better off buying a perpetual VPX licence from Citrix and using the “BYO licence” option in AWS. 10-11 months is roughly the crossover point where the hourly AWS cost reaches the list price of the perpetual licence. Existing Citrix customers may be entitled to further discounts on the perpetual licences, which could bring the crossover point forward to 6 months or even sooner.
For more information, check out the following resources:
- Official NetScaler Application Firewall Page
- NetScaler Application Firewall Online Demo
- Deployment Practices for NetScaler in AWS