F5 vs Cloudflare – In this series of articles, we will start picking apart these two solutions and help you decide which best secure web applications in your organization. Specifically, we’ll be focused on http web app & API security, comparing the WAAP (Web Application and API Protection) functionality between Cloudflare’s WAF offering and F5’s Distributed Cloud (F5 XCS) WAAP offering. You can also consider this the Cloudflare WAF vs F5 WAF while securing APIs article 😉. Both solutions are SaaS-based, ie proxied from F5’s & CF’s cloud & data center presences. We’ll also highlight other ways you can & can’t run the solutions. We will answer the questions: Can F5 or Cloudflare run as a virtual appliance in AWS, Azure, or GCP? What about as a hardware solution for big honkin’ traffic situations? We’ll cover all that and more, plus help you decide which solution is right for you. Let’s start with a brief overview and background of both companies.
Cloudflare Overview
Many folks are familiar with Cloudflare from the context of their CDN and DDoS mitigation abilities for web applications. We are now starting to see Cloudflare position security offerings around WAAP as an addon to those services. This can be a good addition for folks consuming CDN and hosting simple “business card” websites from Cloudflare. However, we’ll discuss some notable limitations when using Cloudflare for more advanced web apps & API protection. Cloudflare makes the “checkbox WAF” easy for simple websites like a WordPress blog but falls short on features and capabilities to secure more complex enterprise applications. One of their biggest limiting factors is that everything has to be delivered, ie “proxied,” from the Cloudflare SaaS platform with no solutions to sit right next to the app in one of the major clouds as a virtual appliance or on-premise as hardware, and a virtual appliance. Cloudflare was born from the traditional VC-funded model and went live in 2010. While Cloudflare is growing, they have yet to become profitable – following GAAP in 2022, they had a $45.9 million loss and a $77.5 million loss in 2021.
F5 Overview
F5 is the leader in secure application delivery, offering robust solutions around high application availability. Since F5’s founding in 1996, it has long been known for its load-balancing features, but nowadays, that’s a small part of the modern F5 product portfolio. F5 is now a leader in the security space and one of only seven companies with over $1 billion in security revenue. They have products & services spanning most of the application stack, from Network Firewall Capabilities, Highly Advanced WAAP with the leading bot protection solution to Infrastructure security products. Even with all this next-level technology, F5 was a slow mover into the cloud Saas model. It was mainly because BIG-IP & NGINX have long been available as virtual appliances in all the popular clouds. Technically those are “cloud solutions,” but they slacked on the “central dashboard” approach – all that has changed in the last few years. Now, most features in their existing products are available SaaS-delivered and include ML/AI-driven security services. F5’s biggest advantage with their cloud offering is the maturity of their core products, the ability to mitigate very complex attacks, and the ability to run non-proxied if needed while still using the central dashboard. They still embrace their Hardware/Software stack for running on-prim & in the clouds, and within high-security air-gapped networks. Regarding finances and company health – F5 has long been profitable, with 700+m in the bank, over 2bn in revenue, and a net income of about $330m in 2021 & 2022.
Cloudflare WAAP
Cloudflare’s free and entry-level tiers for their WAAP offerings have allowed them to pick up a lot of low-end market share. Many folks use this free offering to front hobby sites, such as your average WordPress Blog. Historically they’ve had a lower barrier to entry in this space with lower cost/tier services offered for personal use & smaller organizations – but costs do rise for enterprise pricing. While this gives Cloudflare a relatively large customer base, it’s not as Enterprise oriented as one may expect. It’s also more predicated on volume, which, while not something a company should be demonized over, does influence how a product works, what it targets, and its goals for efficacy.
The Cloudflare WAF Engine Background
I always like to look at a product based on how it works and where its origins come from to get a good understanding of its strengths and weaknesses. This starts with looking at the core of the early Cloudflare stack, NGINX. This reliance on NGINX started with custom modules but was quickly replaced by LUA, leading to Cloudflare being a major sponsor of the OpenResty project for several years. This is important to understand as Cloudflares WAF Engine is loosely based on open-source ModSecurity (also historically common in the NGINX space). Still, it has been rewritten and optimized to run in LUA. While this is an exciting feat from a performance perspective due to ModSec not being known as very performant, it has also led to some historical issues with WAF bypass vulnerabilities due to how LUA in NGINX works.
There is far more to Cloudflare’s LUA story: we will dive into why they use LUA and their contributions to the NGINX/LUA space in a future article. The critical thing to note is that LUA enables the shared platform and distributed scale that Cloudflare aimed to achieve. This origin of scale, volume, and shared platform gives a good insight into what Cloudflare is focused on and how their particular engine might be optimized.
F5 Distributed Cloud WAAP
The origins of F5’s WAAP offering contrast greatly with Cloudflare’s. F5’s origin as a niche player in application delivery and security hardware appliances historically meant they provided their technology primarily to large enterprises, service providers, and government customers. You know – the sorts of folks that can justify a 6-figure+ purchase of physical hardware to provide the best application security services in their environments. While F5 is still powering the large majority of those folks, the new SaaS offerings bring that tech to more orgs. F5 has taken the cornerstone WAF engine that protects some of the largest organizations in the world, bolted on machine learning & artificial intelligence from the billion-dollar SHAPE acquisition, and built a much easier-to-manage & more intelligent Cloud WAF – that can also leverage virtual appliances to cut down on latency. F5 now offers much more affordable entry price points and even free, individual, & team tiers.
The F5 WAF Engine Background
F5’s WAF engine is not based on an open-source WAF and is arguably the most advanced & mature WAF on the market. Their engine started from the TrafficSafe security acquisition early in their journey and was quickly integrated into their BIG-IP Platform as the ASM module. The ASM has constantly evolved since then, dubbed the F5 Advanced WAF (AWAF) today. While the historically high cost of entry typically meant the F5 engine was targeted at applications used by high-value targets—i.e. large enterprises etc.—it also means F5 has been developing their WAF to mitigate some of the most sophisticated attacks that come with protecting high-value targets. For example, It’s the only WAF that goes above and beyond typical signature-based protections and employs more intelligent mitigations like behavioral DoS for advanced layer 7 DoS attacks.
As F5 evolves its WAF engine in its Distributed Cloud Platform, they continue to enhance it with new capabilities while lowering the barrier to entry of its leading security tech. F5’s roots in 1st class enterprise security have continued to influence how its engine works and its goals for efficacy. While F5 can handle scale, it focuses on efficacy & tight security vs picking up as much market share as possible.
Comparison Time
Below you’ll find a table that outlines the key features of each platform, how they stack up against each other, and our thoughts on each. Future articles in this series will dive deep into these specific capabilities.
| Capability | F5 | Cloudflare | Our Thoughts |
|---|---|---|---|
| Signature Bot Detection | Yes | Yes | Signature Based Bot Detection has become a standard feature for all WAAP products in the space. Both platforms do a solid job around basic BOT mitigation. |
| AI-enhanced Bot Detection | Yes (with XC Bot Defense Standard & above). Formally known as Shape. | Yes | F5’s acquisition of Shape allows them to detect the most advanced threat actors as they are in front of major airlines, financial institutions, and many government agencies. Many customers have less success mitigating complicated BOT attacks with Cloudflare on sensitive endpoints. |
| API Discovery | Yes | Yes | While both platforms appear to do a good job making API Discovery over time, F5’s platform does it much faster. |
| Positive security by the import of open API spec files | Yes | Yes | This is an expected feature of any modern WAAP platform, and both support it. |
| Suppression of False Positives via AI/ML (Signature Tuning) | Yes, via AI/ML. F5 automatic attack signature tuning determines if a signature-identified attack is a threat, helping reduce false positives | No – Cloudflare relies on ”Managed Signature Sets” | This separates F5 Distributed Cloud in tuning, which is especially important for Enterprise applications that don’t always use off-the-shelf frameworks. When dealing with internally developed, one-off applications, managed signature sets aren’t always enough to provide complete protection. |
| Malicious User Detection (this is client/device related, not user identity) via AI/ML | Yes, via the advanced behavioral WAF engine that examines client interactions on how a specific client compares to others. | No | This has differentiated F5 Distributed Cloud from even F5’s own on-prem WAF offerings. We’ve noticed that the behavioral engine shuts down bad actors that would otherwise not be caught with signature sets alone. |
| L7 DoS – Application Layer | Yes | Yes | Both platforms do a good job of mitigating DDOS attacks. |
| L3-L4 DDoS Protection – Network Layer | Yes, via XC global network | Yes | This is a staple of all SaaS-based mitigation services. Both platforms do a good job of mitigating DDOS attacks. |
| Professional Services Available | Yes, via F5 or Partners | Limited via Partners | Cloudflare seems to be more oriented toward set-it-and-forget-it customers in mass. However, if you have a more complicated setup and require PS, you might not be able to get it without finding a solid partner. |
| Managed Services Available | Yes, via Silverline or Partners | Limited (Appears to be very limited to larger Enterprise customers or via Partners) | F5’s been offering Managed Services via the Silverline product line for about 10 years. Professional Services partners, like WorldTech IT, also provide managed services. We suspect the managed Silverline offering will soon transition to F5 XCS. Cloudflare is a newer player in the space and, as previously mentioned, is more targeted at scale. Their approach is more of an “off the shelf” offering, whereas F5 has long operated in a more bespoke fashion. |
| WAF Deployment flexibility to enforce WAF security policies at the SaaS edge or the customer’s edge, whether its in the public or private cloud. | Yes – F5 can extend Distributed Cloud via Customer Edge deployments to run the platform on-premises, public cloud deployments, and private clouds. Additionally, F5 maintains its class-leading hardware appliances and software options, such as BIG-IP VE and NGINX. | No – they can only enforce at the Cloudflare edge. | F5 has a long history of being in the enterprise space where on-prim security was the norm. Moving into the SaaS space, they’ve understood that many clients will still need some on-prem or private infrastructure that extends the SaaS platform into their environment. They’re also still supporting and innovating on their traditional Hardware/Software offerings for situations where you have an air-gapped network or a SaaS-delivered platform is not feasible. On the other hand, Cloudflare only operates its WAAP services on its edge. Hence, even internal-only applications must be routed through the Cloudflare public edge if internal protection is required. This can potentially open unwanted access if the configuration is not optimal. |
In Conclusion
I hope this article has shed some light on how F5 & Cloudflare have targeted their WAAP strategy in the Application Security space. Contact us today to help you decide which platform is best to protect your critical web applications.
Editorial: Austin Geraci
We used cloudflare for caching with no issues, we tried the WAF but had to move off because of known bypass issues and other difficulties. We tried Brocade WAF but was also a nightmare and finally moved to F5 AWAF. We all wish we would of went to the F5 WAF first, but then again probably would have wondered how the others were :/ I think because of the history with load balancing everything else F5 proxies just works better. We have not used the cloud WAF yet but have heard good things from friends in other companies – in particular less violation reviews 🙂 looking forward to kicking the tires this summer when we have time for a poc.