As online security professionals, we are always striving to improve website security. Security threats continue to evolve, requiring an online protection strategy that is robust and flexible. In this blog post, we’ll share an overview of a multi-layered web security approach with Akamai that addresses ever-changing online security challenges.
Before we review the security protections available from Akamai, let’s discuss how Akamai helps protect the Domain Name System (DNS), the first step in the process of requesting website information. Akamai prevents DNS forgery and manipulation with Domain Name System Security Extensions (DNSSEC). For more information about Edge DNS, go to: https://developer.akamai.com/edge-dns.
Akamai has the most pervasive, highly distributed content delivery network (CDN), with approximately 288,000 servers in 136 countries and nearly 1,500 networks around the world. With the world’s largest and most trusted cloud delivery platform, Akamai not only improves performance and availability by caching content but also enhances your security with the capacity to absorb the largest distributed denial-of-service (DDoS) attacks.
Once a web request is mapped to the closest Akamai Edge server, Akamai protects your infrastructure as the reverse proxy. A reverse proxy server is located in front of your web servers, also referred to as origin servers when working with a CDN. The security benefits of Akamai as a reverse proxy are highlighted in the following tables.
Transport layer protection

| Native security feature | Benefit |
| --- | --- |
| Offers controlled TCP connection handling | Defends against TCP SYN (synchronize) floods, in which the attacker exploits part of the TCP three-way handshake by sending SYN requests that drive all of the target server's communication ports into a half-open state |
| Independently establishes a TCP connection from client to Edge, and from Edge to origin servers | Defends the origin against Slow Read attacks and maintains separate TCP connections for end users |

Application layer protection

| Native security feature | Benefit |
| --- | --- |
| Edge servers only allow traffic on ports 80 and 443 | Defends against port scanning and can improve the score of any PCI audits |
| Strictly implements the HTTP protocol | Defends against malformed HTTP requests and known vulnerabilities in common web servers such as Apache or Nginx |
| Edge waits to receive all headers from the client before forwarding | |
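To make the last two rows concrete, the following is an added example (not Akamai's code) of how a reverse proxy can buffer a client's complete header block and only then open a connection toward the origin, so a client that dribbles headers slowly or sends an oversized header block is dropped at the edge and never consumes an origin connection. The byte limit, the deadline, the fake clock and the three sample clients are assumptions constructed for this demo.

```python
"""Added example (not Akamai's code): buffer a client's full HTTP header
block before any origin connection is opened.  Limits and sample clients
below are constructed assumptions for the demo."""

MAX_HEADER_BYTES = 8192         # assumed cap on the size of the header block
HEADER_DEADLINE_SECONDS = 10.0  # assumed time a client gets to finish headers


class HeaderBuffer:
    """Accumulates one client's request bytes until the blank line that ends
    the HTTP headers arrives, rejecting the connection if it grows too large
    or takes too long.  `clock` is a callable returning seconds."""

    def __init__(self, clock):
        self._clock = clock
        self._started = clock()
        self._buf = bytearray()
        self.state = "reading"       # reading | complete | rejected
        self.reason = ""
        self.header_block = b""

    def _reject(self, reason):
        self.state, self.reason = "rejected", reason
        return self.state

    def feed(self, chunk: bytes) -> str:
        """Append bytes received from the client; return the new state."""
        if self.state != "reading":
            return self.state
        if self._clock() - self._started > HEADER_DEADLINE_SECONDS:
            return self._reject("header deadline exceeded")
        self._buf += chunk
        if len(self._buf) > MAX_HEADER_BYTES:
            return self._reject("header block too large")
        end = self._buf.find(b"\r\n\r\n")
        if end != -1:                 # blank line seen: headers are complete
            self.header_block = bytes(self._buf[:end])
            self.state = "complete"
        return self.state


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the demo runs offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def proxy_request(timeline):
    """Replay a client timeline of (seconds_since_previous_chunk, chunk)
    pairs.  Returns (final_state, reason, origin_connections_opened)."""
    clock = FakeClock()
    buf = HeaderBuffer(clock)
    origin_connections = 0
    for delay, chunk in timeline:
        clock.t += delay
        if buf.feed(chunk) != "reading":
            break
    if buf.state == "complete":
        origin_connections += 1   # only now would the edge contact the origin
    return buf.state, buf.reason, origin_connections


# Constructed sample clients.
NORMAL_CLIENT = [
    (0.0, b"GET /index.html HTTP/1.1\r\n"),
    (0.1, b"Host: www.example.com\r\nUser-Agent: demo\r\n\r\n"),
]
# Drips one header byte every three seconds and never sends the blank line.
SLOW_CLIENT = [(3.0, bytes([c])) for c in b"GET / HTTP/1.1\r\nHost: x\r\n"]
# Sends a single header line far beyond the size cap.
OVERSIZED_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nX-Pad: " + b"A" * 9000 + b"\r\n")]

if __name__ == "__main__":
    for name, timeline in [("normal", NORMAL_CLIENT), ("slow", SLOW_CLIENT),
                           ("oversized", OVERSIZED_CLIENT)]:
        print(name, proxy_request(timeline))
```

The point of the design is that the origin connection count is zero for both misbehaving clients: the edge absorbs the slow and oversized requests with its own, cheap per-client state, and the origin only ever sees a fully formed request.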
Security Configurations and Policies
In addition to DNS, reverse proxy, and web content caching, Akamai provides a multi-layered online defense with network lists, denial-of-service (DoS) protection, web application firewall (WAF), Bot Management, Client Reputation, and much more at the Edge.
Let’s review some of the security configurations and policies that Akamai offers. An Akamai security configuration defines what to protect, such as a website or application programming interface (API), and how to protect them. Akamai security policies let you define the response action applied to your protection rules and controls, including any that use shared resources.
The following screen shows match targets and protections in an Akamai Policy — let’s take a closer look at each item in this list.
- Accepts or blocks a request based on its originating IP address
- Manages addresses by allowing you to create a network list
- Checks both the connecting IP address and the X-Forwarded-For (XFF) HTTP header
- Protects against DoS attacks by controlling Layer 3 and Layer 4 data floods, limiting request rates, and halting slow POST attacks that can choke traffic
- Handles scenarios not covered by standard rules, or quickly patches new website vulnerabilities
- Akamai’s custom rule builder lets you set up security rules based on method, path, extension, headers, cookies, query string, POST body variables, and more
- Applies web application firewall (WAF) protections to examine specific requests and determine what, if any, actions to take
- Provides simple firewall setup and management with Automated Attack Groups that update regularly to address emerging threats, letting you set response actions by attack group
- Helps protect an API from excessively large requests
- Enforces the request body and resource constraints you set when you registered your API
- Once you set your protections, Akamai security policies enforce the defined constraints
- Stops malicious clients before they attack, using Akamai’s unmatched visibility into online traffic based on the prior behavior of individual IP addresses
- Client reputation controls check only the connecting IP address; use Akamai’s prebuilt reputation profiles or create your own for your security policy

A bot is a software application running automated tasks over the Internet, making quick work of time-consuming manual tasks. With more than half of web traffic produced by bots, managing helpful and harmful bots to avoid site performance problems is important.

- Provides transparent bot detection for suspicious user-agent, request-anomaly, web-scraper, and request-rate activity
- Performs advanced behavioral detection to spot activities such as credential stuffing by evaluating movement patterns and interaction details unique to humans on specific transactional endpoints (such as login or checkout pages), unmasking and stopping harmful bots

Modern websites run many services in-browser using scripts that have access to sensitive data for payments, account information, and other forms of personally identifiable information (PII).

- Detects and mitigates in real time suspicious and malicious script behaviors that could result in PII theft
- Identifies and blocks known webpage vulnerabilities from new and existing active webpage scripts
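The DoS protection item above lists request-rate limiting as one of its controls. The following is an added example (not Akamai's code) of the basic mechanism: a per-client sliding window over recent request times that allows a fixed number of requests per window and denies the rest, so a burst from one client is cut off while a client sending at a normal pace is untouched. The threshold and the sample traffic are assumptions constructed for this demo.

```python
"""Added example (not Akamai's code): per-client request-rate control using a
sliding window over each client's recent request times.  The threshold and
the sample traffic are constructed assumptions."""
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` requests per `window` seconds for each key
    (typically the client IP, or client IP plus path for a login endpoint)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._log = defaultdict(deque)   # key -> times of accepted requests

    def check(self, key: str, now: float) -> bool:
        """Return True to allow the request, False to deny it."""
        q = self._log[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop requests that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                  # denied requests are not recorded
        q.append(now)
        return True


def replay(events, limit=20, window=10.0):
    """Feed (client, timestamp) events through one limiter in time order and
    return {client: (allowed, denied)} counts."""
    limiter = RateLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for client, t in sorted(events, key=lambda e: e[1]):
        stats[client][0 if limiter.check(client, t) else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}


# Constructed traffic: one client bursts 50 requests in 2 seconds, another
# sends 5 requests spread over 8 seconds.  Addresses are documentation ranges.
BURST_CLIENT = [("198.51.100.10", i * 0.04) for i in range(50)]
STEADY_CLIENT = [("203.0.113.5", i * 2.0) for i in range(5)]

if __name__ == "__main__":
    print(replay(BURST_CLIENT + STEADY_CLIENT))
```

With a limit of 20 requests per 10 seconds, the bursting client gets its first 20 requests through and the remaining 30 denied, while the steady client is never touched; once the window slides past the burst, that client's allowance returns on its own.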
Site Shield provides an additional layer of protection that prevents attackers from bypassing Akamai and your cloud-based security to attack your origin/web servers directly. It provides a list of Akamai server IP addresses that you can place in an access control list (ACL) at your origin, allowing only Akamai servers to connect to your web servers.
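Two items on this page come together at the origin: the Site Shield ACL that admits only edge servers, and the network-list rule that inspects both the connecting IP and the X-Forwarded-For header. The following is an added example (not Akamai's or Site Shield's code) of an origin-side guard that enforces an edge allow list, recovers the real client address from X-Forwarded-For only when the connection actually comes from a trusted edge, and applies a block list to both the connecting address and the forwarded hops. The CIDR blocks are constructed placeholders taken from documentation ranges, not Akamai's published addresses.

```python
"""Added example (not Akamai's or Site Shield's code): origin-side guard
combining an edge allow list with safe X-Forwarded-For handling.  The CIDR
blocks are constructed placeholders, not Akamai's published ranges."""
import ipaddress
from typing import Iterable, Optional

# Placeholder edge ranges standing in for the list a CDN would publish.
EDGE_RANGES = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:10::/48")]


def _parse(addr: str):
    """Return an ip_address object, or None for unparseable input."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def in_ranges(addr: str, ranges) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in ranges)


def accept_connection(peer_ip: str, edge_ranges=EDGE_RANGES) -> bool:
    """Origin ACL: only the CDN's edge servers may open a connection, so an
    attacker who learns the origin's address cannot go around the edge."""
    return in_ranges(peer_ip, edge_ranges)


def client_ip(peer_ip: str, xff: Optional[str], edge_ranges=EDGE_RANGES) -> str:
    """Recover the real client address behind the proxy chain.  Each proxy
    appends the address it saw to X-Forwarded-For, so walk the header from the
    right and stop at the first hop that is not a trusted edge.  If the peer
    itself is not a trusted edge, the header could be forged and is ignored."""
    if not in_ranges(peer_ip, edge_ranges) or not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            continue                      # unparseable entry: skip it
        if not in_ranges(hop, edge_ranges):
            return hop
    return peer_ip   # every listed hop was an edge; fall back to the peer


def blocked_by_network_list(peer_ip: str, xff: Optional[str],
                            blocklist: Iterable[str]) -> bool:
    """Network-list check as the page describes it: the request is blocked if
    the connecting IP or any address carried in X-Forwarded-For is listed."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    candidates = [peer_ip] + (xff.split(",") if xff else [])
    return any(in_ranges(c, nets) for c in candidates)


if __name__ == "__main__":
    print(accept_connection("192.0.2.7"), accept_connection("203.0.113.9"))
    print(client_ip("192.0.2.7", "203.0.113.9, 198.51.100.3"))
    print(client_ip("203.0.113.9", "10.0.0.1"))   # forged XFF is ignored
    print(blocked_by_network_list("192.0.2.7", "203.0.113.9", ["203.0.113.0/24"]))
```

The ordering matters: the allow-list decision is made on the transport peer address before any header is read, and the X-Forwarded-For value is consulted only after that peer has been confirmed as an edge, because anyone who can reach the origin directly can also write an arbitrary X-Forwarded-For header.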
Web security starts at the Edge with Akamai. We reviewed how Akamai can help with a multi-layered security strategy, a defense-in-depth approach that addresses many different attack vectors. Akamai also offers additional security solutions including Enterprise Application Access, Enterprise Threat Protector, Prolexic, and Identity Cloud. Reach out to your Akamai account team to learn more about Akamai security offerings or for guidance on creating a web security strategy that meets your specific use case.