Presented by Gcore
Web security and content distribution networks (CDNs) emerged about twenty years to solve very different problems. Now innovators like Gcore are finding new ways to combine them to improve security and website performance.
Web application firewalls (WAF) focus on protecting against vulnerabilities in how applications are built and managed. Early WAFs focused on protecting against threats like SQL injection and cross-site scripting. Today, enterprises must also guard against various new threats, such as distributed denial of service (DDoS) attacks, unwanted bots, and web scraping.
It turns out that CDN infrastructure can help address these new threats. The classic CDN architecture focused on staging large media assets closer to users to reduce latency in the time it takes to request and receive a file. This same CDN infrastructure is increasingly being augmented to stage security processes closer to the user as well.
This reduces the latency for legitimate users and helps scale up security processes for different threats. The result is that users have a better overall experience, and enterprises can improve their ability to detect and respond to DDoS attacks, bots and web scraping efforts.
The need for speed and safety
Early web applications essentially bolted existing databases and programming languages onto web servers. This sped application development using the tools available at the time. But the legacy databases and programming languages were not designed to fail securely. Hackers discovered numerous ways to exploit these weaknesses. For example, a carefully crafted SQL request called an SQL injection could unlock a database to hackers.
In the late 1990s, security experts started developing WAFs to sit between the web server and the user to detect and block malicious requests. These were essentially standalone boxes that only looked at the traffic to a few centralized web servers. Over time, the security industry codified the most common Web threats into the Open Web Application Security Project’s (OWASP) Top 10 List. This helped security vendors improve protection for the most exploited web vulnerabilities.
Around the same time, enterprises were struggling with congestion caused by spikes in popularity. The Internet was designed for point-to-point communication, not broadcasting. Important news or popular new memes would create traffic jams when large crowds tried to download the same video or visit the same image-heavy web pages. So, a team out of MIT figured out a way to coordinate the distribution of these larger files with a centralized website.
Akamai commercialized this tech in 1998. Other CDN providers later followed suit, such as Fastly and Cloudinary. Later, the cloud vendors started rolling out CDNs that worked on top of their cloud platforms. For example, Amazon rolled out CloudFront in 2008.
Hackers eventually discovered ways to take control over a larger number of computers and other connected devices, like set-top boxes and surveillance cameras, to launch devastating denial of service (DDoS) attacks that flooded websites with gigabits per second of traffic. Cloudflare was the first company to realize that CDNs could also be used to protect against these new kinds of attacks. They launched the first combined CDN service and DDoS protection service in 2010.
Keeping pace with new threats
Over the intervening years, WAFs have evolved to support new rules, and the OWASP Top 10 List has also changed to reflect these changing threats. However, hackers are growing more sophisticated in their strategies and techniques. Rather than just trying to go in through the front door, they may distribute attacks across different servers. For example, bad actors increasingly use bots to buy up scarce items or tickets ahead of legitimate consumers.
Now, companies like Gcore are exploring ways to combine CDNs, advanced firewalls, and bot mitigation techniques to improve both website performance and security. A key aspect lies in analyzing more information about website visitors and the types of requests to distinguish users from bad actors.
“You really need to analyze a lot of data to be effective against different kinds of attacks, such as DDoS, bots, or anything else,” said Dmitriy Akulov, director of Edge Network stream at Gcore.
Another benefit of Gcore’s approach is combining web servers, CDN and security services which can reduce overall costs and improve security posture. Gcore now has over 140 locations, with multiple servers, redundancies, and layers of protection that run on 3rd Generation Intel® Xeon® Scalable processors.
This allows security tools to observe the signs directly without resorting to intermediaries like packet sniffers, disparate WAFs, and other techniques. Security tools can take advantage of detection algorithms that leverage transport layer security (TLS), HTML communication, and browser agents.
“You have many more tools to protect services and detect attacks,” explained Akulov. “And there is no hardware you need to install. You simply change your DNS setting and send the traffic through the CDN.”
This approach also allows enterprises to screen traffic as close to the source as possible. This speeds up security detection algorithms compared to centralized tools. And when bad actors launch a DDoS attack, each local node just removes the bad traffic from the flow closer to the source to reduce the load on enterprise servers.
Andrew Slastenov, head of Web security at Gcore, said, “We can distribute the attack among a lot of CDN nodes, so we have almost unlimited filtering capacity because of that.”
Enterprises need to balance these kinds of advanced security analytics with new privacy regulations like GDPR. Some of the most helpful information, such as the IP address used to access services, is now governed by these regulations. Consequently, this analysis must be done within the user’s location to ensure GDPR compliance.
Companies like Gcore, based in Europe, are in a better position to address these concerns from the beginning than competitors based in the U.S. or Asia that need to add privacy compliance after the fact.
“As a European company, we ensure the data stays within Europe,” Akulov said. “It is covered by GDPR law, which means we can’t abuse it, sell it or reuse it for marketing purposes. We cannot do pretty much anything with it other than analyze it for security purposes and then purge it from our systems.”
At the end of the day, web security is a continuous game of catchup as researchers and hackers continuously discover new threats. Enterprises need to be ready to evolve their security tools to detect and block the latest threats. An integrated yet decentralized approach to hosting and protecting content can ease this process.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact firstname.lastname@example.org.