Review: Incapsula Brings Load Balancing and Failover to the Cloud
Redwood Shores, CA-based Incapsula aims to change the way enterprises deal with applications delivered over the web, with a hosted application delivery controller that brings an impressive feature set to enterprises looking to eschew in-house, hardware-based application delivery controllers (ADCs).
Cloud-based load balancing, failover, and more
The Incapsula Enterprise services suite offers several standard capabilities that make application delivery reliable and secure for businesses both large and small. Sold as a service plan, Incapsula Enterprise includes:
- DDoS Protection: Always-on protection that secures websites against all types of DDoS attacks, including network-, protocol-, and application-level attacks.
- Load balancing and failover: Incapsula can balance traffic across multiple web servers and across data centers directly from the cloud, without requiring a local physical or virtual load balancing appliance. Built-in monitoring and failover capabilities help ensure high availability.
- Enterprise-grade SLA: A high level of service availability is backed by an expansive uptime and support SLA that guarantees website security and performance.
- Customizable security rules/policies: Adopters can create custom triggers and rules to automate actions that need to be taken to keep applications secure and operational.
- API for provisioning, management and events: The included API streamlines integration with third-party provisioning and account management systems, including SIEM systems and report generation services.
- Flexible setup: Customizable setup scenarios allow organizations to control customer-facing content and protect brand identity, while incorporating the original application/website look and feel.
Beyond these basic capabilities, Incapsula Enterprise offers much more. A significant amount of technology under the hood of the service makes advanced functionality very simple to deploy, manage and scale as needed.
What’s more, the cloud-based backend of the product, which is distributed across multiple data centers, incorporates sophisticated algorithms and is managed by security experts who are constantly looking to prevent the next threat to a customer’s application.
Hands-on with Incapsula Enterprise
Understanding the value of Incapsula Enterprise requires a deeper dive into the technology. Perhaps one of the best examples of Incapsula Enterprise’s value proposition is the ease with which the service can be deployed. Moving a website and its associated applications over to the company’s service takes little more than following the instructions given by a three-step setup wizard, which basically consists of adding an existing website to the service by entering the URL. Once the URL is entered, Incapsula automatically scans the site for any needed host, DNS and IP information. After scanning completes, the product offers instructions on how to change DNS records to activate the service. It takes all of 3 minutes to add a new website to Incapsula Enterprise, and once DNS changes are made, the service kicks in automatically to protect the website. Since DNS changes can take some time to deploy, transition to the protected service can take anywhere from a few minutes to a few hours.
Wizard-based setup automates most of the configuration process and speeds deployment.
There is much more to Incapsula Enterprise than just redirecting traffic flow via DNS changes, though. That is just the first step to accessing all of the security and failover features the service offers, a features list that proves to be comprehensive and includes:
- Bot protection: The service prevents automated malware from botnets from compromising systems and offers reputation-based security, which keeps administrators notified of potential attacks and incorporates CAPTCHA checks to prevent comment spam and false validations.
- Access control: Clients, countries, ISPs, and IP addresses can be blacklisted to prevent known attackers from accessing the system, all without interfering with search engine requests.
- Login protection: Adds layers of protection to the login process and can validate using email, SMS and Google Authenticator.
- Web application firewall: Incorporates an NGFW that can protect from numerous attacks, including SQL injection, backdoor intrusions, XSS, and remote file injection, and is fully configurable using security policies.
- SSL support: Includes the capabilities to enforce SSL encryption and allows the use of custom certificates.
- CDN: Global Content Delivery Network (CDN) capabilities help to place resources as close as possible to users, helping to balance loads while reducing latency.
- Performance enhancements: The service combines technologies such as dynamic content caching, dynamic content compression, pre-pooling, and progressive image rendering to deliver the highest levels of performance.
- DDoS protection: Incapsula incorporates automatically triggered network-level and application-level protection from Distributed Denial of Service attacks and also protects DNS from the same attacks.
- Load balancing and failover: Layer 7 load balancing provides session persistence and can be configured to work across multiple ISPs, allowing loads to be balanced dynamically across multiple resources, including global servers and failover to standby capabilities.
- Real-time and automated monitoring: Incapsula Enterprise provides dashboard-based monitoring of resources in real time and also offers e-mail alerts, report triggers, history reports and extensive resources to measure performance and report on incidents.
Accessing those features is straightforward thanks to a browser-based dashboard that incorporates wizards and context sensitive help. The design of the management console makes it very easy to navigate features and perform changes.
The primary dashboard allows quick navigation to service settings and controls.
The primary dashboard offers a real-time view into performance of the configured service, showing the amount of traffic and where access is occurring. All of the elements on the dashboard can be further investigated using menu selections that offer the ability to drill down further into the collected data. That's an important capability for those looking to validate load balancing as well as investigate traffic traversing the load-balanced network. The information can be used to tweak settings and redefine rules, allowing administrators to further enhance performance and leverage the value offered by the service.
What’s more, extensive security reporting provides insight into incidents, giving administrators the information they need to investigate attacks in more depth.
The report information proves handy for several reasons, not the least of which has to do with scripting rules. Incapsula offers its proprietary IncapRules scripting language, which allows administrators to create custom security and access control rules. Learning the scripting language and defining rules comes with a steep learning curve, but a rules editor offers a shortcut into rules definition by providing pulldowns for conditions and Boolean logic controls to define what rules should accomplish. The end result is the ability to leverage granular control over application security, something rarely offered by hosted application security services.
From a performance perspective, Incapsula offers many different options and controls, all of which are easy to deploy. The management console uses simple dialog boxes to control the caching modes with just a mouse click. The overall caching policy choices include static caching, dynamic caching, aggressive caching and no caching at all. Rules and policies can also be defined to control content caching. Other performance options include content optimization, which controls image compression, content minification, TCP pre-pooling and a few other capabilities.
Naturally, performance is a key concern for those making resources available via the cloud. But the importance of performance pales in comparison to the importance of security, and when it comes to security controls, Incapsula does not disappoint. The product offers a comprehensive threat dashboard which makes it quite easy to deploy security policies. The centralized control structure contains both automated protection schemes and manual controls. Administrators can define whitelists and blacklists, block IPs, control the aggressiveness of security services, and, most importantly, set the rules for protecting web applications.
Load balancing, failover, and application security grow easier for enterprises in the cloud
Incapsula Enterprise is a comprehensive choice for those looking to move load balancing and application security over to the cloud. As a service, it offers quick and easy setup and a growing list of features that can be implemented on the fly. The product is available under different service models, each of which contains a subset of features. The "Personal" package starts at $19 per month per site and offers a basic set of options, the "Business" and "Business+" packages add progressively more capabilities, and the "Enterprise" package provides the whole kit and caboodle. Pricing for the Enterprise level of service requires a call to the company; the "Business+" package is available for $299 per site per month but lacks key features such as load balancing, failover and monitoring.