Multi-Layered Web Security Overview

June 16, 2020 · by David Kolbo

As online security professionals, we are always striving to improve website security. Security threats continue to evolve, requiring an online protection strategy that is robust and flexible. In this blog post, we’ll share an overview of a multi-layered web security approach with Akamai that addresses ever-changing online security challenges.

Edge DNS

Before we review the security protections available from Akamai, let’s discuss how Akamai helps protect the Domain Name System (DNS), the first step in the process of requesting website information. Akamai prevents DNS forgery and manipulation with Domain Name System Security Extensions (DNSSEC). For more information about Edge DNS, go to: https://developer.akamai.com/edge-dns.

Content Caching

Akamai has the most pervasive, highly-distributed content delivery network (CDN) with approximately 288,000 servers in 136 countries and nearly 1,500 networks around the world. With the world’s largest and most trusted cloud delivery platform, Akamai not only improves performance and availability by caching content but also enhances your security with the capacity to absorb the largest distributed denial-of-service (DDoS) attacks.

Reverse Proxy

Once a web request is mapped to the closest Akamai Edge server, Akamai protects your infrastructure as the reverse proxy. A reverse proxy server is located in front of your web servers, also referred to as origin servers when working with a CDN. The security benefits of Akamai as a reverse proxy are highlighted in the following tables.

Transport layer protection

| Native Security Feature | Benefits |
| --- | --- |
| Offers controlled TCP connection handling | Defends against TCP SYN (synchronize) floods, in which the attacker exploits part of the TCP three-way handshake with SYN requests, driving all of the target server's communication ports into a half-open state |
| Independently establishes a TCP connection from client to Edge, and Edge to origin servers | Defends origin against Slow Read attacks and maintains separate TCP connections for end users |

Application layer protection

| Native Security Feature | Benefits |
| --- | --- |
| Edge servers only allow traffic on ports 80 and 443 | Defends against port scanning and can improve the score of any PCI audits |
| Strictly implements HTTP protocol | Defends against malformed HTTP requests and known vulnerabilities from common Web servers like Apache or Nginx |
| Edge waits to receive all headers from client before forwarding | Defends origin against Slowloris attacks |

Security Configurations and Policies

In addition to DNS, reverse proxy, and web content caching, Akamai provides a multi-layered online defense with network lists, denial-of-service (DoS) protection, web application firewall (WAF), Bot Management, Client Reputation, and much more at the Edge. 

Let’s review some of the security configurations and policies that Akamai offers. An Akamai security configuration defines what to protect, such as a website or application programming interface (API), and how to protect them. Akamai security policies let you define the response action applied to your protection rules and controls, including any that use shared resources.

The following screen shows match targets and protections in an Akamai Policy — let’s take a closer look at each item in this list. 

[Screenshot: match target]

IP/GEO Firewall

  • Accepts or blocks a request based on its originating IP address

  • Manages addresses by allowing you to create a network list

  • Checks both the connecting IP address and the X-Forwarded-For (XFF) HTTP header
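The check described in the last bullet, sketched as an added example (not Akamai's implementation or code from the original post): a request is denied when either the connecting IP or any address named in X-Forwarded-For falls inside a network list. The function names and the documentation-range network list are assumptions made for illustration.

```python
import ipaddress

# Constructed network list using documentation-only ranges (not real Akamai data).
BLOCK_LIST = ["203.0.113.0/24", "2001:db8:bad::/48"]


def parse_xff(header):
    """Return the valid IP addresses named in an X-Forwarded-For value."""
    addrs = []
    for token in (header or "").split(","):
        token = token.strip()
        # Strip "[v6]:port" and "v4:port" forms that some proxies emit.
        if token.startswith("["):
            token = token[1:].split("]", 1)[0]
        elif token.count(":") == 1:
            token = token.split(":", 1)[0]
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # "unknown", obfuscated identifiers, or garbage
    return addrs


def firewall_decision(connecting_ip, xff_header, block_list=BLOCK_LIST):
    """Deny if the connecting IP or any XFF address is in the network list."""
    networks = [ipaddress.ip_network(n) for n in block_list]
    candidates = [("connecting", ipaddress.ip_address(connecting_ip))]
    candidates += [("xff", a) for a in parse_xff(xff_header)]
    for source, addr in candidates:
        for net in networks:
            if addr.version == net.version and addr in net:
                return ("deny", source, str(addr))
    return ("allow", None, None)


if __name__ == "__main__":
    # A listed client hiding behind an unlisted forwarding proxy is still caught.
    print(firewall_decision("198.51.100.7", "203.0.113.9, 198.51.100.1"))
    print(firewall_decision("198.51.100.7", "unknown, 192.0.2.4:8080"))
```

Because X-Forwarded-For is supplied by the client, a match there is useful for blocking, but a clean value proves nothing about where the request really originated.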

DoS Protection

  • Protects against DoS attacks by controlling Layer 3 and Layer 4 data floods, limiting request rates, and halting slow post attacks that can choke traffic

Custom Rules

  • Handles scenarios not covered by standard rules and lets you quickly patch new website vulnerabilities

  • Akamai’s custom rule builder lets you set up security rules based on method, path, extension, headers, cookies, query string, POST body variables, and more

WAF

  • Applies web application firewall (WAF) protections to examine specific requests and determine what actions, if any, to take

  • Provides simple firewall setup and management with Automated Attack Groups that update regularly to address emerging threats, letting you set response actions by attack group

  • Uses the Kona Rule Set as well as Anomaly Scoring to accurately detect threats

API Request Constraints

  • Helps protect an API from excessively large requests

  • Enforces the request body and resource constraints you set when you registered your API

  • Once you set your protections, Akamai security policies enforce defined constraints

Client Reputation

  • Uses Akamai’s unmatched visibility into online traffic to stop malicious clients before they attack, based on the prior behavior of individual IP addresses

  • Client reputation controls check only the connecting IP address — use Akamai prebuilt reputation profiles or create your own for your security policy 

Bot Management

A bot is a software application running automated tasks over the Internet, making quick work of time-consuming manual tasks. With more than half of web traffic produced by bots, managing helpful and harmful bots to avoid site performance problems is important.

  • Provides transparent bot detection for suspicious user-agent, request anomaly, web scraper, and request rate activity

  • Delivers active bot detection methods including Cookie, Browser, Session, and Workflow validation

  • Performs advanced behavioral detection to spot activities such as credential stuffing by evaluating movement patterns and interaction details unique to humans on specific transactional endpoints (like login or checkout pages), unmasking and stopping harmful bots 

Page Integrity

Modern websites run many services in-browser using scripts that have access to sensitive data for payments, account information, and other forms of personally identifiable information (PII).

  • Detects and mitigates, in real time, suspicious and malicious script behaviors that could result in PII theft.

  • Identifies and blocks known webpage vulnerabilities from new and existing active webpage scripts.

Site Shield

Site Shield provides an additional layer of protection that prevents attackers from bypassing Akamai and your cloud-based security to attack your origin/web servers directly. It provides a list of Akamai servers as IP addresses that you can add to an access control list (ACL) at your origin, allowing only Akamai servers to connect to your web servers.
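One way to apply such a list at the origin, as an added example rather than Akamai tooling or code from the original post: the CIDR list is validated and collapsed, rendered as nginx allow/deny rules, and used to audit origin access logs for peers that reached the origin without passing through the edge. The CIDRs are constructed documentation ranges standing in for a real Site Shield list, and the function names are assumptions.

```python
import ipaddress

# Constructed stand-ins for a Site Shield CIDR list (documentation ranges only).
SITE_SHIELD_CIDRS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.16/28",
                     "2001:db8:100::/48"]


def build_acl(cidrs):
    """Validate and collapse adjacent or overlapping CIDRs into a minimal list."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def render_nginx(acl):
    """Emit nginx access rules: allow each edge range, then deny everything else."""
    return "\n".join([f"allow {net};" for net in acl] + ["deny all;"])


def direct_to_origin(log_lines, acl):
    """Return connecting IPs in access-log lines that fall outside the ACL."""
    outside = []
    for line in log_lines:
        ip = ipaddress.ip_address(line.split()[0])  # first field = peer address
        if not any(ip.version == n.version and ip in n for n in acl):
            outside.append(str(ip))
    return outside


# Constructed origin access-log lines (peer address is the first field).
SAMPLE_LOG = [
    '192.0.2.200 - - [16/Jun/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.77 - - [16/Jun/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:100::5 - - [16/Jun/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    acl = build_acl(SITE_SHIELD_CIDRS)
    print(render_nginx(acl))
    print("reached origin without the edge:", direct_to_origin(SAMPLE_LOG, acl))
```

Running the audit against existing logs before turning on `deny all;` shows which peers would be cut off and which were already bypassing the edge.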

[Figure: workflow]

Conclusion

Web security starts at the Edge with Akamai. We reviewed how Akamai can help with a multi-layered security strategy, a defense-in-depth approach that addresses many different attack vectors. Akamai also offers additional security solutions including Enterprise Application Access, Enterprise Threat Protector, Prolexic, and Identity Cloud. Reach out to your Akamai account team to learn more about Akamai security offerings or for guidance on creating a web security strategy that meets your specific use case.