Whew, those are expensive!
The Barracuda product is a good WAF; if you're going the hardware route you probably couldn't do better from a price-for-value standpoint. But there's an alternative to a web app firewall: the XyberShield web app security service. Software-as-a-Service, and its got a low monthly price. A free trial is here:
Few things to be aware of regarding XyberShield:
Because XyberShield is software-as-a-service, it's very unobtrusive. No hardware, obviously, but no real "agent" in the traditional sense
-- all you have to add a single line of code to each web page. Similar to adding Google Analytics to a website. Install the code and go. In contrast, setting up a hardware WAF requires you to use someone with technical expertise to redesign your network architecture.
Ongoing maintenance is just as easy. You never have to worry about installing patches or updates. Improvements we make to the defense modules, called XyberFrames, are delivered instantly to all users.
The XyberShield user interface runs in your browser, and is actually pretty fun. Guy who built it is a big James Bond fan, so the dashboard looks like something an ambitious genius would use to rule the world, but an average movie fan would understand most of its functions.
The "behavior-based" aspect of the service is different than anything else you'll see for some time in the web app protection market. This allows XyberShield to protect against types of attacks that a WAF most likely wouldn=92t even see -- business logic attacks, navigational abuse attacks, session fixation, and format string attacks.