Security vulnerabilities, targeted attacks, accelerated delivery or volatile latency – whatever your reason for searching out an ADC (Application Delivery Controller), the goal is the same: workdays and weekends without worry, site performance that will never embarrass you, and victory over challenges to your company website’s happy functioning. So choosing the right ADC might not make for a good war story, but why not let your ADC service play the hero when it comes to keeping your site running securely and efficiently?
High quality solutions are no longer just for those willing to spend big or settle for solutions with less robust features. Incapsula, an up-and-coming company, pushes the envelope of cloud-based CDN technology and presents a challenge to industry leader, Akamai.
But can Incapsula’s technology really compete? To answer this we compare both platforms, feature to feature, looking at such aspects as acceleration capabilities, web application security, DDoS protection, availability services, and – of course – cost of service.
Akamai vs Incapsula – Comparative Table (April 2014)
|Acceleration||Network Resources||Wide-spread with
|Content Optimization||Compression and minification||Compression and minification||Draw|
|Connection Optimization||TCP pre-pooling||TCP pre-pooling||Draw|
|Caching Capabilities||Regular and dynamic content||Regular and dynamic content||Draw|
|Web Application Firewall||Mod_security variant||Proprietary tech. with
|PCI Compliancy||Workaround with “Edge Tokenization”||Full PCI DSS compliancy||Incapsula|
|Custom Security Rules||Robust engine,
Long deployment cycle
|Two factor authentication||None||Proprietary solution||Incapsula|
|DDoS Protection||Layer 3-4 Attacks||Sufficient capacity,
|Layer 7 Attack||Few Basic Options||Robust Proprietary Solution||Incapsula|
|Availability||Local Failover and Load Balancing||Wide selection of algorithms.||Wide selection of algorithms.
Real time monitoring.
|Global Failover and Load Balancing||DNS-based solution
results in prolonged delays
|Cloud-based solution allows instant recovery||Incapsula|
|Price||Full ADC Package||$13,000 – $18,000/mo||$4,000/mo||Incapsula|
When you talk about maximizing application performance, it’s a combination or network resources, content and connection optimization features that will do the job.
Obviously the most important factor that impacts acceleration is the CDN’s caching capabilities. However, other factors – like network site and proxy deployment – should also be taken into an account. With that in mind, let’s have a look at how network resources, content optimization, connection optimization and caching capabilities impact acceleration.
Akamai’s and Incapsula’s different approaches to network resources reflect the problems addressed by each of the companies at their respective times of inception.
Akamai’s Network Resources
- Reflects the system of the late 1990s and early 2000s, which was built around a large number of smaller and closely-spaced POPs in order to compensate for communication latencies prevalent in the networks of that era.
- Has ~1000 Points-of-Presence (POPs).
Incapsula’s Network Resources
- Structures itself around a much smaller number of bigger POPs – a design which reflects today’s high-speed Internet environment, in which geographical distance carries much less significance in terms of its impact on performance.
- Offers a smaller network of 16 POPs, with more server power at the end of each node.
Akamai’s most notable advantage is its network size. However, the impact of network size varies depending largely on the visitor’s location. And while the differences are fairly negligible, Akamai’s network offers an advantage in countries and regions where Incapsula has no physical presence, such as Latin America and Eastern Europe.
Content & Connection Optimization
Static content caching is a strength of both companies, though their approach varies slightly.
Incapsula’s advantage lies in its advanced caching capabilities and proprietary caching technologies. These capabilities allow for intelligent and optimized caching of both static and dynamically generated objects. This is very important for dynamically rendered sites, including e-stores and other database-reliant websites.
While the company never fully explains just how this technology operates, Akamai’s DSA feature provides a similar solution for dynamic content.
To main factors threaten the security of enterprise websites and applications: applicative web-based attacks and DDoS attacks. Both Akamai and Incapsula offer impressive defenses, but vary in their approach. Let’s look at four key features: web application firewall, PCI compliancy, custom security rules, and two factor authentication.
Web Application Firewall
Akamai and Incapsula both offer their clients Web Application Firewall (WAF) capabilities.
Akamai’s solution is a variation of the open source (mod_security) firewall and Incapsula’s WAF utilizes proprietary technology. Consequently, Incapsula offers more in terms of functionality, flexibility and compliance. And because it is a proprietary solution, Incapsula’s WAF is far more resilient against hackers’ counter-intelligence, while the core of Akamai’s security build is widely available to potential adversaries.
Regulatory compliance is an important requirement for business-oriented security solutions. Incapsula’s WAF supports automatic compliance with PCI DSS 6.6 directives, which call for a WAF that meets a rigid functional specification. However, its WAF go beyond the requirements with its proprietary solutions, which provide more security than the widely-criticized requirements demand.
Akamai approaches this issue from a different angle with edge tokenization. This workaround allows its clients to offload the payment processing to an Akamai-owned platform. While effective, this solution doesn’t necessarily reduce risks, it simply transfers the risks to a third party and maintains the status quo of compliance rather than improving security.
Custom Security Rules
Both Akamai and Incapsula offer custom security rules engines, which allow their users to implement additional security policies and build their own security solution. For large enterprises with specific needs and security practices, this is invaluable to business.
Robust enough to accommodate most security scenarios, both Akamai and Incapsula have adequate custom rule engines. But when you need rapid rule implementation, Incapsula’s concentrated CDN structure has the advantage.
Not only does Akamai have a larger CDN structure, which could cause delays, custom rule generation goes through their own support team, further lengthening the process. Incapsula, on the other hand, uses IncapRules, which has its own intuitive dedicated GUI that allows users to generate and test instantly, implementing new rules at will and on-the-fly.
The difference is significant. Users can implement rule changes on Incapsula instantaneously, while on Akamai it could take from a couple days to several weeks to complete. It should go without saying that, when dealing with security event, the speed of implementation is absolutely crucial as the new rules are often meant to counter and on-going attack and in these scenarios waiting days of weeks for the counter measures to go live is not an option.
Incapsula’s real time dashboard, which can give live feedback on new rules, is another way to increase protection. With swift implementation and instant feedback, it’s no problem to have an agile response to non-generic threats, which is proven to help Application Layer DDoS mitigation.
Incapsula also offers many supplement security options that Akamai doesn’t. For example, Incapsula’s WAF includes case-specific security features, such as Anti-RFI reputation-based system. Incapsula also offers an integrated Two-Factor-Authentication system, which can be easily deployed on any of the website’s URL.
DDoS protection is outstanding with both Akamai and Incapsula and includes:
- Cloud-based instant onboarding and integrated CDN capabilities which allow for an “always-on” DDoS solution.
- Network capabilities on both are impressive, Akamai’s is well known. But Incapsula presents a formidable challenge with its +550Gbps network capacity, recently blocking a 100Gbps DDoS attack on world’s largest Bitcoin exchange and 180Gbps NTP DDoS on an undisclosed target. These attack were one of the largest recorded to date.
- Both Incapsula and Akamai support origin IP cloaking.
- Both companies provide premium 24X7 support from a dedicated NOC.
When it comes to Application Layer (Layer 7) DDoS mitigation, Incapsula has the upper hand mainly due to its proprietary bot filtering capabilities. The company takes pride in the fact that it was able, on several well-documented occasions, mitigate evasive application attacks without any effect on user experience and with the industry’s lowest false positive rate.
It is worth noting that Akamai’s recent acquisition of Prolexic was most likely intended to address this gap, by improving its Layer 7 anti-DDoS measures. However, the implementation and integration of the acquired technology, especially on such a grand scale, will require time and even when in place Prolexic’s owned solution may not be enough to completely close the gap.
For further comparison between DDoS Protection services I recommend reviewing an industry comparison between top 10 leading DDoS Protection Providers that was done recently by TopTenReviews.
Enterprises require solutions for local server load balancing and failover, global server load balancing and disaster recovery in the event of a catastrophic data center failure. This is where Incapsula comes out a clear winner.
Local Server Failover & Load Balancing
Incapsula and Akamai provide nearly identical local server load balancing capabilities and use
very similar cloud-based solutions. Both providers give clients several choices of load balancing algorithms as well as rapid and accurate response for local server failover. Both offer the most popular load balancing algorithm, “least pending request” option and the very basic “round robin” method.
But with real time view options, Incapsula has an advantage in terms of management capabilities by giving users the ability to instantly respond to unwanted scenarios.
Global Server Load Balancing & Disaster Recovery
When it comes to GSLB, Incapsula’s approach is also stronger because of its ability for fast response. Akamai bases its global availability on DNS protocol and therefore are subject to TTL-related delays and uneven performance (due to TTL cache related issues).
Surprisingly, this means that when you need a fast response, like in the event of a data center disaster, Akamai’s DNS-based changes won’t kick in until the start of the next TTL cycle. In many cases, this can prolong the downtime for up to several hours, depending on the length of the cycle, which varies based on the ISP’s cache.
Speed of implementation is another of Akamai’s weaknesses with their GSLB, risking an unpredictable and fairly long delay factor on each load balancing action. From lags to severe network saturation, this can result in significant disruption in service.
Incapsula’s cloud-based load balancing is a proven success where DNS based alternatives have failed. Relying on its own global network and routing mechanisms for all failover and load balancing functions, Incapsula delivers rapid and consistent performance for enterprises that manage multiple data centers in different geo-locations. Again, Incapsula’s ability to make quick changes has another benefit – the failover delay factor drops to just minutes and even seconds as users can implement new directives on the fly.
Full Application Delivery Package
The price for standard Akamai Application Delivery “bundle”, that include Web Application security services, DDoS Protection and availability features, starts at over $13K/month. This also includes roughly 5Mbps worth of monthly CDN usage, with price of overage ranging around 0.4$/GB. A comparable enterprise offering from Incapsula costs only $4K/month, with almost third of the cost for any additional bandwidth.
Akamai’s also offers an optional “DDoS Fees”, which will add an additional $5K to its monthly retainer costs. These fees are a form of “insurance”, which prevents one from paying for all the extra traffic generated by DDoS attacks.
For many Akamai clients this payment makes a lot of sense, because paying for bandwidth overages would be far above the $5K flat fee. With Incapsula, the price of extra DDoS traffic is included at no additional charge in the full ADC package.
At $1700 for 5Mbps/month, Akamai’s CDN-only option doesn’t come cheap. For only $500, Incapsula offers the same amount of bandwidth and provides full access to all of it. Incapsula also includes local load balancing and application security features, which come as extra bonuses with its enterprise plans.
Application delivery services from both Akamai and Incapsula are excellent. For those looking for robust security features, there’s no doubt that Incapsula offers more, particularly with its proprietary technologies in load balancing and security. That said, for enterprises with more of a focus on acceleration and less on security, Akamai is more than adequate, even if somewhat more costly, option.
While Akamai is the incumbent giant in this marketplace, Imperva, Incapsula’s parent company, has put its full backing behind Incapsula. With its low price point and impressive array of services, Incapsula offers a serious and compelling alternative to Akamai. Incapsula has a treasure of features at just a fraction of the cost of Akamai and is well worth considering in your search for the right ADC.