Is your origin protected?
When it comes to website security, protecting your web server is crucial. Failing to do so could leave you exposed to mass-traffic DDoS attacks, or HTTP-level attacks directly against your web applications.
A content delivery network (CDN) is one of the most effective ways to help ensure security for your website. A CDN provides remote caching of your most frequently used content: when a user requests that content, it is retrieved from a CDN edge server close to the user’s location. This both improves website performance and greatly reduces the load on your origin.
Moreover, using a CDN has many inherent security advantages. Advanced CDNs, such as Verizon’s, provide another layer of defense with built-in protection against Layer 3 and Layer 4 DDoS attacks. The reverse-proxy architecture used by many CDNs provides a layer of separation between your servers and the rest of the Internet, and port blocking prevents unauthorized traffic from ever reaching your websites. These advantages, and some of the techniques used by Verizon, were highlighted in our previous blog post on DDoS protection.
However, it should be noted that there are instances and circumstances in which a CDN cannot protect you when acting on its own. This is where additional security tools come into play.
Typically, HTTP requests reach your site by resolving its hostname through DNS, so they can be redirected to your CDN. The CDN then inspects the traffic and sends only necessary requests to your origin web server. However, some DDoS attacks can be designed to target your web server directly by its IP address. Such attacks bypass the CDN and the layers of protection it offers. These attacks are known as direct-to-origin attacks.
Stopping direct-to-origin attacks, therefore, requires specific countermeasures to offset the specific characteristics of these attacks.
One of the best ways to defend against these growing threats is to make your web server “invisible” to outside attackers. This way, even if an attacker is specifically targeting your web server, they will simply not be able to find it, or will be automatically redirected to other security countermeasures specifically designed to block direct-to-origin attacks. This defense, called Origin Cloaking, comprises a number of techniques, which can be used individually or all together. As a result of origin cloaking, any bad actors trying to reach your server, even directly by its IP address, will be blocked.
Verizon provides customers with a list of the IP addresses on the CDN’s edge servers. Customers can then whitelist these IP addresses in their firewalls and block all other traffic. This ensures that only legitimate traffic from approved Verizon sources reaches your website. The list of Verizon’s public IPs is freely available to all customers.
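The allowlist check described above, as an added example (not Verizon's own tooling): the CIDR ranges and the access-log lines are constructed placeholders standing in for a provider's published edge list, and the `origin_cloak` nftables table name is assumed. It renders a default-drop firewall fragment from the list and flags origin log entries whose source is outside the CDN ranges, which is the signal of a direct-to-origin attempt.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the CDN provider's published
# edge-server list (documentation prefixes, not Verizon's real addresses).
CDN_EDGE_RANGES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:c0de::/48"]

def parse_allowlist(cidrs):
    """Parse CIDR strings into network objects; a malformed entry raises early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_cdn_source(ip, networks):
    """True if the client address falls inside one of the allowed CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)

def render_nft_rules(cidrs, ports=(80, 443)):
    """Emit an nftables fragment: accept web ports only from CDN ranges, drop the rest."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    portlist = ", ".join(str(p) for p in ports)
    lines = ["table inet origin_cloak {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept",
             "    iif lo accept"]
    if v4:
        lines.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {{ {portlist} }} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {{ {portlist} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

# Combined-format access log: client address, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def find_direct_to_origin(log_lines, networks):
    """Return (ip, method, path) for requests that reached the origin without passing through the CDN."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not is_cdn_source(m.group(1), networks):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

# Constructed origin access-log sample; 192.0.2.44 is outside every CDN range.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /api/login HTTP/1.1" 200 90',
    '2001:db8:c0de::1 - - [10/Oct/2023:13:55:39 +0000] "GET /a.css HTTP/1.1" 200 77',
]
```

Running `find_direct_to_origin(SAMPLE_LOG, parse_allowlist(CDN_EDGE_RANGES))` on the sample returns only the 192.0.2.44 request; re-run it whenever the provider updates its edge list, since a stale allowlist either blocks legitimate edges or leaves gaps.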
Once IP whitelisting is in place, there are additional measures that can be taken to help ensure the security and performance of your server. Verizon provides Request Caching and Dynamic Gateway Functionality to improve performance and user experience by reducing the load on your origin servers.
Multi-Tiered Request Caching: This is done by placing a designated gateway between your origin web server and CDN edge servers. The origin will communicate solely with this gateway, which will then pass traffic on to the edge. Not only does this provide another layer of insulation and protection against direct-to-origin attacks, but it also consolidates and aggregates requests to your server. This lowers the load on the origin by reducing traffic, improves performance via a two-tiered caching footprint, and increases reliability. This functionality is available on Verizon’s HTTP Large and HTTP Small platforms via our DEFEND suite of products.
Dynamic Gateway Functionality: Today’s acceleration platforms use a dynamic gateway to apply TCP optimizations and persistent connections to websites with a lot of dynamic content. This provides similar functionality to request caching, and is built into Verizon’s ACCELERATE and TRANSACT platforms.
Taken together, IP whitelisting, request caching and dynamic gateway functionality (where applicable) help ensure the security and performance of your server.
Origin Cloaking is a small, yet crucial, aspect of your overall web security program to help ensure your origin is protected and always available to serve customer requests.
Eyal Arazi, Product Marketing Manager
For more posts in Verizon’s security series please read:
1. Can Your Website be Found?
2. Is Your Website Available?
3. Are Your Web Applications Secured?
4. Is Your Content Secure?
5. Is Your Origin Protected?