Meraki MX vs WAF (Imperva, F5, A10)

SOLVED
Here to help

Hello everyone. Could any of you Meraki experts comment on the security benefit (if any) that one of the heathen WAF appliances listed above would add to a DMZ? The new appliance would be stacked behind my MX-250. We are in the planning process of opening a new Web Application to the internet, and our security consultants are recommending that we purchase one of these appliances (of course they sell them).

My hesitation is that neither the security consultants nor the heathen vendors have reasonably convinced me that we will get an added security benefit from purchasing one of these other appliances. I have not seen any data that implies Meraki IPS is any less capable of blocking the same attacks as the other vendors. The other WAFs all have amazing performance bells and whistles, like load balancing and great analytics, none of which I see a large benefit in, as this will be a standalone web server.

I understand that the Meraki MX and the other WAF appliances are fundamentally designed for two different applications. My question only revolves around the security benefit of adding one of the other WAFs to my network.

Do I gain anything on the security front?

Your input is appreciated!

ACCEPTED SOLUTION
Kind of a big deal

Re: Meraki MX vs WAF (Imperva, F5, A10)

I probably need more context to answer this properly.

Let's assume you are deploying your application over HTTPS. So it's encrypted. The MX will not be able to see anything inside of those encrypted streams. It still provides benefits in that it can block access from "bad" IP address ranges.

Let's assume you are terminating the SSL session on the WAF (aka SSL offload) and then forwarding it on to a web server behind it (unencrypted). In this case the WAF can see the full unencrypted stream, and can look for threats inside of those packets, such as SQL injection attacks.

In this case, a WAF would provide a significant improvement in the security posture of the web app being delivered.

If it were me, and I had the choice, I would not be putting a web server on premises. I would put it somewhere like Amazon AWS. In environments like Amazon AWS all the common tools like this are available. And it is usually cheaper than doing it in-house.

https://aws.amazon.com/waf/
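To make the visibility difference in the accepted answer concrete, here is an added example (not from the thread, and not Meraki, Imperva, F5 or A10 code) that models the two inspection points: a network firewall that holds only the 5-tuple and opaque TLS records for an HTTPS flow, and a WAF that has terminated TLS and holds the decoded HTTP request. The IP ranges, detection patterns and requests are all constructed for the demonstration; the normalization step (repeatedly percent-decoding field values before matching) goes slightly beyond the answer to show why a WAF inspects the decoded form rather than the raw wire bytes.

```python
"""Constructed example: one HTTPS request seen from two inspection points.

A firewall in front of a TLS-protected web server sees addresses, ports and
opaque TLS records, so it can apply IP-reputation blocks but cannot judge the
request itself.  A WAF that terminates TLS ("SSL offload") sees the decoded
HTTP request and can match application-layer patterns such as SQL injection.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass
class TlsFlow:
    """What a network firewall has to work with for an HTTPS connection."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # TLS records: ciphertext to anything without the session keys


# Constructed stand-in for a "bad IP address ranges" feed (documentation prefixes only).
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]


def firewall_decision(flow: TlsFlow) -> str:
    """Decide using L3/L4 fields only; flow.payload is deliberately never parsed."""
    src = ipaddress.ip_address(flow.src_ip)
    if any(src in net for net in BLOCKED_RANGES):
        return "block: source in blocked range"
    return "allow: encrypted payload not inspectable"


# Illustrative SQL-injection signatures applied to decoded field values.
# Real rule sets are far larger and tuned per application to limit false positives
# (the tautology rule below would also fire on benign text like "red or size=large").
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b[\s\S]{0,20}\bselect\b"),           # UNION ... SELECT
    re.compile(r"(?i)\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),   # tautology: OR 1=1, OR 'a'='a'
    re.compile(r"['\"]\s*(--|#|/\*)"),                            # quote followed by a SQL comment
]


def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded value is matched in decoded form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def decoded_fields(request_line: str, body: str = "") -> dict:
    """Split 'GET /path?a=b HTTP/1.1' (plus an optional form body) into name -> normalized value."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    fields = {name: normalize(value) for name, value in pairs}
    fields["(path)"] = normalize(parts.path)
    return fields


def waf_decision(request_line: str, body: str = "") -> str:
    """Decide on the plaintext request a WAF holds after terminating TLS."""
    for name, value in decoded_fields(request_line, body).items():
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                return f"block: field {name!r} matches {pattern.pattern!r}"
    return "allow"


if __name__ == "__main__":
    # Constructed request carrying a textbook injection probe in the "id" parameter,
    # arriving from an address that is not on the reputation list.
    line = "GET /items?id=1%27%20OR%201%3D1%20-- HTTP/1.1"
    flow = TlsFlow("192.0.2.5", "192.0.2.10", 443, b"\x17\x03\x03\x00\x2a" + b"\x00" * 42)
    print("firewall:", firewall_decision(flow))  # allows: it cannot see the request
    print("waf:     ", waf_decision(line))       # blocks: pattern matched after decoding
```

Run as a script, the same request is allowed by `firewall_decision` (the source address is clean and the payload is ciphertext to it) and blocked by `waf_decision` (the injection probe is visible once the query string is decoded). That gap is exactly the "added security benefit" the thread is weighing: the WAF's value comes from where TLS terminates, not from having better IP lists than the MX.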

Here to help

Re: Meraki MX vs WAF (Imperva, F5, A10)

This absolutely makes sense, I had not considered the fact that 443 would be invisible to the MX.  Thanks for the input! It’s greatly appreciated!

Here to help

Re: Meraki MX vs WAF (Imperva, F5, A10)

Also, on the subject of AWS, I actually proposed that, but it landed on deaf ears. Maybe the price of one of these WAFs will make them reconsider. Thanks again!
