About Akamai
Akamai is the global leader in Content Delivery Network (CDN) services, making the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere.
• Akamai delivers daily web traffic reaching more than 30 Terabits per second
• Akamai delivers nearly 3 trillion internet interactions each day
• Akamai has the most pervasive content delivery network (CDN) – more than 240.000 servers in over 130 countries and more than 1.600 networks around the world.
How the Akamai Intelligent Platform Works
Akamai Configuration Segment
Origin Server and DNS
- www.sony.co.uk IN CNAME [Akamai edge]
- origin.sony.co.uk IN A [Origin server IP]
SSL Certificate
Two types of certificate in Akamai
• Client to Akamai (①)
• Akamai to Origin (②, ③)
Redirection / Modify Path
There are two types of URL redirection methodology in Akamai: general 301/302 redirection, and changing the origin forwarding (modify path).
1) 301/302 Redirection
   a) Redirection from a certain path to a different path
   b) Redirection from a certain path to a different host
   c) Redirection from a certain path to a different host and a different path
   d) Relative path redirection
2) Modify path
Akamai modify path can forward a previously defined URL to a different origin server that is not the main origin.
www.sony.co.uk/electronics/* -> GWT origin server
www.sony.co.uk/mysony/* -> Region origin server
TTL – Time to Live / Cache rule
Two methodologies in Akamai:
1) Setting cache control by path, e.g. /mysony/* no-cache, /campaign/* 30 min
2) Setting cache control by file extension, e.g. .css 4 hours, .js 30 min
Failover
When and how to show the “Sorry page”
When edge servers receive a 500/503 error code from the origin servers, Akamai switches to the “Sorry page”.
Note: the “Sorry page” is not cached on Akamai servers. Instead of caching it, the Akamai edge remembers the exact client IP for 30 seconds and keeps showing the “Sorry page” to that same client during this period. Since the “Sorry page” is never cached, there is no need to clear the cache during the whole activity.
NetStorage
NetStorage is a storage service provided by the Akamai platform.
Sample of a NetStorage content link: www.sony.co.uk/test/eu/sample.jpg
Security Solution
Security Solution Overview
Security Solution Function List
# | Function name | Description | Target of threat
1 | Rate control | Temporarily restricts requests from a specific IP address when the number of accesses from that same IP in a short period of time is detected to exceed a threshold | DDoS
2 | NW list management | Applies whitelists and blacklists to block access to the Akamai edge | Unauthorized access and attacker IPs
3 | WAF | Based on the OWASP ModSecurity rule set, Akamai WAF inspects the HTTP request body to protect against attacks such as SQL injection and cross-site scripting | Site penetration, SQL injection, XSS etc.
4 | Edge Servers | Block all protocols other than HTTP and HTTPS; mitigate DDoS attacks by distributed processing on over 100,000 servers | DDoS
5 | Site Shield | Allows access to origin servers only via the Akamai network, by registering the typical Akamai server IPs in the firewall | DDoS, unauthorized access
Rate Control
To protect the origin server from a large number of requests in a short period of time, such as a DDoS, there is a security option service called Rate Control.
Rate Control has several rules. Each rule has 2 types of threshold, based on analysis of actual access. If an IP exceeds the threshold, Akamai blocks the requests coming from that specific IP. After 15 minutes, Akamai allows access again unless the IP exceeds the thresholds again.
The operations team analyzes the Akamai access log periodically and redefines the thresholds.
DDoS mitigation
• A reverse proxy and load balancer: only accepts application-layer traffic via ports 80 (HTTP) and 443 (HTTPS)
• Network attacks dropped at the edge: UDP fragments, ICMP floods, SYN floods, ACK floods, RESET floods, UDP floods
• Massive scalability: average traffic volume of 6 Tbps, spiking in excess of 9 Tbps
• Defend one network hop from the request – keep attacks away from the origin
• Natively in path: no rerouting, no added latency, no single point of failure
Network List Management
To protect non-production environments from access from the public internet, there is a security option service called Network List Management.
• Allow or restrict requests from specific IP addresses
• Implement IP blacklists and whitelists
• Geography-based blocking
• 10,000 CIDR entries supported
• Named lists – e.g. Tor exit nodes
WAF
Application-layer controls inspect the HTTP request body to protect against attacks such as SQL injection and cross-site scripting.
Akamai WAF is based on OWASP ModSecurity. By distributing processing across the large number of Akamai servers, performance is not affected even when a large number of malicious requests is received.
OWASP ModSecurity Core Rule Set
• Protocol Violations
• Protocol Anomalies
• Request Limits
• HTTP Policy
• Generic Attacks
• Trojans
• Outbound (Leakage)
WAF
Akamai WAF checks the request against more than 200 rules, one by one. Because each rule is defined with an anomaly score, Akamai checks whether the total anomaly score of the request exceeds the threshold. The threshold for each risk group, such as XSS or SQL injection, is defined based on Akamai best practices.
Custom Rules
Create policy-based rules that are enforced before or after execution of the application-layer controls.
WAF : Scoring samples
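The scoring model just described, as an added example written for this page (not Akamai's or ModSecurity's code): every rule carries a score and a risk group, and a request is blocked only when a group's summed score reaches that group's threshold. The rule ids, patterns, scores, thresholds and sample bodies are constructed assumptions, not real Core Rule Set entries.

```python
"""Anomaly-score evaluation per risk group, in the style the slide describes.
Added example, not Akamai's or ModSecurity's code: rule ids, patterns,
scores, thresholds and sample request bodies are constructed."""
import re
from collections import defaultdict

# (rule id, risk group, anomaly score, pattern). Constructed; the ids are not
# real CRS rule ids and the patterns are deliberately simple signatures.
RULES = [
    ("X-1", "xss",  5, re.compile(r"<script\b", re.I)),
    ("X-2", "xss",  3, re.compile(r"\bon\w+\s*=", re.I)),
    ("S-1", "sqli", 5, re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("S-2", "sqli", 3, re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("S-3", "sqli", 2, re.compile(r"--\s*$")),
]

# One threshold per risk group (assumed values), as on the slide.
THRESHOLDS = {"xss": 5, "sqli": 5}


def score_request(body):
    """Run every rule over the request body; return per-group totals and the
    ids of the rules that matched (what a WAF log line would show)."""
    totals = defaultdict(int)
    matched = []
    for rule_id, group, score, pattern in RULES:
        if pattern.search(body):
            totals[group] += score
            matched.append(rule_id)
    return dict(totals), matched


def evaluate(body):
    """Return ('block', group) for the first group whose total reaches its
    threshold, else ('allow', None). One high-confidence rule (score 5) or
    several weak ones (3 + 2) both reach the threshold; a single weak match
    is only logged."""
    totals, _ = score_request(body)
    for group, threshold in THRESHOLDS.items():
        if totals.get(group, 0) >= threshold:
            return "block", group
    return "allow", None


# Constructed sample request bodies (form-encoded, already URL-decoded).
SAMPLES = {
    "benign":     "q=akamai+waf&page=2",
    "weak_sqli":  "user=' or '1'='1",                    # 3 < 5: logged only
    "stacked":    "user=' or '1'='1 --",                 # 3 + 2 = 5: blocked
    "strong_xss": "comment=<script>alert(1)</script>",   # 5: blocked
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11} {evaluate(body)}  matched={score_request(body)[1]}")
```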
Site Shield
To protect the origin server from the public internet, there is a security option service called Site Shield.
With this service, a list of Akamai edge server IPs is provided to Sony. Origin servers in the Sony network need to whitelist those IPs in the firewall and also limit access to those IPs only. Restricting access in this way protects the origin servers from the various Internet security threats that would otherwise reach the origin directly.
Notes: This IP list is updated regularly due to Akamai's regular server maintenance. Sony needs to update the whitelist in each firewall that shields the origin servers.
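Because the Site Shield list changes with maintenance, the check an operations team wants is whether each origin firewall still matches it. The following is an added example written for this page, not Akamai's tooling: it reports Site Shield ranges that no firewall entry covers (edges would be refused, an outage) and firewall entries that cover no Site Shield range (access the slide says should be limited to Akamai IPs only). All CIDRs are constructed from documentation ranges, not real Akamai addresses.

```python
"""Reconcile an origin firewall allowlist against a published Site Shield
IP list. Added example, not Akamai's tooling; every CIDR below is a
constructed documentation range, not a real Akamai address."""
import ipaddress

# Constructed: the list "provided" before and after a maintenance update
# (one /26 withdrawn, another /26 added).
PREVIOUS_SITESHIELD = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.64/26"]
CURRENT_SITESHIELD = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.128/26"]

# Constructed: what one origin firewall currently allows on 80/443.
# 10.20.0.0/16 stands for a leftover rule that is not an Akamai range.
FIREWALL_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/24",
                      "203.0.113.64/26", "10.20.0.0/16"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def reconcile(allowlist, siteshield):
    """Return (missing, extra) as lists of CIDR strings:
    missing - Site Shield ranges that no allowlist entry covers; a broader
              allowlist entry (e.g. a /24 over a /25) counts as covering it
    extra   - allowlist entries that neither cover nor sit inside any
              Site Shield range, i.e. access not limited to Akamai IPs"""
    allow, shield = _nets(allowlist), _nets(siteshield)
    missing = [str(s) for s in shield
               if not any(s.subnet_of(a)
                          for a in allow if a.version == s.version)]
    extra = [str(a) for a in allow
             if not any(s.subnet_of(a) or a.subnet_of(s)
                        for s in shield if s.version == a.version)]
    return missing, extra


def ip_allowed(ip, allowlist):
    """True if `ip` falls inside any allowlist range, as the firewall sees it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in _nets(allowlist) if n.version == addr.version)


if __name__ == "__main__":
    added, withdrawn = reconcile(PREVIOUS_SITESHIELD, CURRENT_SITESHIELD)
    print("Site Shield ranges added:    ", added)
    print("Site Shield ranges withdrawn:", withdrawn)
    missing, extra = reconcile(FIREWALL_ALLOWLIST, CURRENT_SITESHIELD)
    print("add to firewall:     ", missing)
    print("remove from firewall:", extra)
```

Running reconcile() with the previous list as the "allowlist" and the current list as the shield doubles as a diff of what Akamai changed between two published lists.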
Q & A
Akamai waf

  • 1.
  • 2. Akamai is the global leader in Content Delivery Network (CDN) services, making the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. • Akamai delivers daily web traffic reaching more than 30 Terabits per second • Akamai delivers nearly 3 trillion internet interactions each day • Akamai has the most pervasive content delivery network(CDN) – more than 240.000 servers in over 130 countries and more than 1.600 networks around the world. About Akamai
  • 3. How the Akamai Intelligent Platform Works
  • 5. Origin Server and DNS - www.sony.co.uk IN CNAME [Akamai edge] - origin.sony.co.uk IN A [Origin server IP]
  • 6. SSL Certificate Two types of certificate in Akamai • Client to Akamai (①) • Akamai to Origin (②, ③)
  • 7. Redirection / Modify Path There are two types of URL redirection methodologies in Akamai. One is general 301/302 redirection and the other one is to change origin forwarding. 1) 301/302 Redirection 1) Redirection from a certain path to a different path 2) Redirection from a certain path to a different host 3) Redirection from a certain path to a different host and a different path 4) Relative path redirection 2) Modify path Akamai modify path can forward a previously defined URL to a different origin server which is not main origin. www.sony.co.uk/electronics/*  GWT origin server www.sony.co.uk/mysony/*  Region origin server
  • 8. TTL – Time to Live / Cache rule Two methodologies in Akamai 1) setting cache control by certain path /mysony/* no-cache, /campaign/* 30 min 2) setting cache control by certain extension .css 4hours, .js 30min
  • 9. Failover When and how to show “Sorry page” When edge servers receives 500/503 error code from origin servers, Akamai will switch to “Sorry page”. Note: “Sorry page” will not be cached in Akamai server. Instead of caching “Sorry page”, Akamai edge remembers the exact Client IP for 30 seconds and during this moment Akamai keep showing “Sorry page” to the same client. Since “Sorry page” is never be cached, there is no need to do a cache clear during whole activity.
  • 10. NetStorage
     NetStorage is a storage service provided by the Akamai platform.
     Sample of a NetStorage content link: www.sony.co.uk/test/eu/sample.jpg
  • 13. Security Solution Function List
     #  Function name        Description                                                                      Target of threat
     1  Rate control         Temporarily restricts requests from a specific IP address when the number of     DDoS
                             accesses from that IP in a short period exceeds a threshold
     2  NW list management   Applies whitelists and blacklists to block access to the Akamai edge             Unauthorized access, attacker IPs
     3  WAF                  Based on the OWASP ModSecurity rule set, the Akamai WAF inspects the HTTP         Site penetration, SQL injection, XSS etc.
                             request body to protect against attacks such as SQL injection and
                             cross-site scripting
     4  Edge Servers         Block protocols other than HTTP and HTTPS; mitigate DDoS attacks by              DDoS
                             distributed processing on over 100,000 servers
     5  Site Shield          Allows access to origin servers via the Akamai network only, by registering      DDoS, unauthorized access
                             the Akamai server IPs in the firewall
  • 14. Rate Control
     To protect the origin server from a large number of requests in a short time period, such as a DDoS, there is a security option service called Rate Control. Rate Control has several rules. Each rule has 2 types of threshold, based on actual access analysis. If an IP exceeds a threshold, Akamai blocks the requests coming from that IP. After 15 minutes, Akamai allows access again unless the IP exceeds a threshold again. The operation team analyzes the Akamai access log periodically and redefines the thresholds.
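An added example, not Akamai's implementation, of the rate-control behaviour described on this slide: per-IP request counts over a short window, a 15-minute block once a threshold is exceeded, and automatic re-admission afterwards unless the threshold is exceeded again. The slide says each rule has two thresholds; they are modelled here as a burst limit over a short window and a sustained limit over a longer window, and the window lengths, the limits and the sample access events are assumptions constructed for the demonstration. The replay function is the offline counterpart of the operation team's periodic log analysis: run candidate thresholds over recorded traffic and look at who would have been refused.

```python
"""Per-IP rate control with a 15-minute block and offline threshold replay;
added example, not Akamai's code."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Sequence, Tuple

BLOCK_SECONDS = 15 * 60  # block duration from slide 14


class RateControl:
    def __init__(self, thresholds: Sequence[Tuple[int, int]]):
        # thresholds: (window_seconds, max_requests_in_window) pairs, e.g. [(5, 20), (60, 100)]
        self.thresholds = list(thresholds)
        self.longest = max(w for w, _ in self.thresholds)
        self.history: Dict[str, Deque[float]] = defaultdict(deque)   # ip -> request timestamps
        self.blocked_until: Dict[str, float] = {}                     # ip -> end of block

    def check(self, ip: str, now: float) -> Optional[str]:
        """Record one request; return None if it is allowed, else the reason it was refused."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[ip]
            self.history[ip].clear()          # the block has expired; count afresh
        q = self.history[ip]
        q.append(now)
        while q and q[0] <= now - self.longest:   # drop events outside the longest window
            q.popleft()
        for window, limit in self.thresholds:
            count = sum(1 for t in q if t > now - window)
            if count > limit:
                self.blocked_until[ip] = now + BLOCK_SECONDS
                return f"exceeded {limit} requests in {window}s"
        return None


def replay(events: Sequence[Tuple[float, str]],
           thresholds: Sequence[Tuple[int, int]]) -> List[Tuple[float, str, str]]:
    """Run (timestamp, client_ip) events through a fresh controller and return the
    refusals as (timestamp, ip, reason). Used to tune thresholds against real logs."""
    rc = RateControl(thresholds)
    refused = []
    for ts, ip in sorted(events):
        reason = rc.check(ip, ts)
        if reason is not None:
            refused.append((ts, ip, reason))
    return refused


# Constructed traffic: one client browsing at a request every 2 s, and one
# client sending 25 requests within a single second starting at t=10.
SAMPLE_EVENTS = ([(2.0 * i, "198.51.100.1") for i in range(50)]
                 + [(10.0 + 0.04 * i, "203.0.113.5") for i in range(25)])
```

With thresholds of 20 requests per 5 s and 100 per 60 s, the browsing client is never refused, while the bursting client is refused from its 21st request onward and then stays blocked for the full 15 minutes. Sliding the thresholds around in the replay before changing them in production is the safe way to check that a change does not start refusing legitimate clients.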
  • 15. DDoS mitigation
     • A Reverse Proxy & Load Balancer: only accepts application layer traffic via ports 80 (HTTP) & 443 (HTTPS)
     • Network attacks dropped at Edge: UDP Fragments, ICMP Floods, SYN Floods, ACK Floods, RESET Floods, UDP Floods
     • Massive scalability: average traffic volume of 6Tbps spiking in excess of 9Tbps; defend one network hop from request – keep away from Origin
     • Natively in path: no rerouting, no added latency, no single point of failure
  • 16. Network List Management
     To protect non-prod environments from access from the public internet, there is a security option service called Network list management.
     • Allow or restrict requests from specific IP addresses
     • Implement IP Blacklists & Whitelists
     • Geography-based blocking
     • 10,000 CIDR entries supported
     • Named lists – e.g. Tor exit nodes
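An added example, not Akamai's product code, of the kind of evaluation the Network List Management slide describes: named CIDR lists (IPv4 and IPv6), a whitelist-only policy for a non-prod hostname, and a production policy that is open by default but denies named lists such as Tor exit nodes and blocks by geography. The CIDR entries, the country lookup table and both policies are constructed; a real deployment would be fed from Akamai's network lists and a GeoIP database. The evaluation order (whitelist, then blacklists and named lists, then the geography rule, then the environment's default action) is an assumption.

```python
"""Named network lists and allow/deny policies; added example, not Akamai's code."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
MAX_ENTRIES = 10_000   # per-list limit quoted on slide 16


class NetworkLists:
    """Named collections of CIDR blocks with membership tests."""

    def __init__(self) -> None:
        self._lists: Dict[str, List[Net]] = {}

    def add(self, name: str, cidrs: Iterable[str]) -> None:
        nets = self._lists.setdefault(name, [])
        for cidr in cidrs:
            if len(nets) >= MAX_ENTRIES:
                raise ValueError(f"list {name} exceeds {MAX_ENTRIES} CIDR entries")
            nets.append(ipaddress.ip_network(cidr, strict=False))

    def contains(self, name: str, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # An IPv4 address tested against an IPv6 block is simply not contained.
        return any(addr in net for net in self._lists.get(name, []))


# Constructed GeoIP table using documentation ranges; not real geolocation data.
GEO_TABLE = [(ipaddress.ip_network(cidr), cc) for cidr, cc in
             [("203.0.113.0/24", "GB"), ("198.51.100.0/24", "US"), ("192.0.2.0/24", "KR")]]


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


class AccessPolicy:
    def __init__(self, lists: NetworkLists, whitelist: Optional[str], blacklists: Sequence[str],
                 blocked_countries: Set[str], default_allow: bool) -> None:
        self.lists = lists
        self.whitelist = whitelist
        self.blacklists = list(blacklists)
        self.blocked_countries = set(blocked_countries)
        self.default_allow = default_allow

    def decide(self, ip: str) -> Tuple[str, str]:
        """Return (action, reason) for a client address arriving at the edge."""
        if self.whitelist and self.lists.contains(self.whitelist, ip):
            return "allow", f"whitelist:{self.whitelist}"
        for name in self.blacklists:
            if self.lists.contains(name, ip):
                return "deny", f"blacklist:{name}"
        cc = country_of(ip)
        if cc in self.blocked_countries:
            return "deny", f"geo:{cc}"
        return ("allow", "default") if self.default_allow else ("deny", "default")


LISTS = NetworkLists()
LISTS.add("corp-offices", ["203.0.113.0/26"])                       # constructed
LISTS.add("tor-exit-nodes", ["198.51.100.10/32", "2001:db8::/32"])  # constructed
LISTS.add("attackers", ["192.0.2.128/25"])                          # constructed

# Non-prod: nobody gets in except the corporate offices (default deny).
NONPROD = AccessPolicy(LISTS, whitelist="corp-offices", blacklists=[],
                       blocked_countries=set(), default_allow=False)
# Prod: open by default, minus the named lists and one blocked country.
PROD = AccessPolicy(LISTS, whitelist=None, blacklists=["tor-exit-nodes", "attackers"],
                    blocked_countries={"KR"}, default_allow=True)
```

The non-prod policy is the important one for the slide's stated goal: with default deny, a forgotten staging hostname is unreachable from the internet even before any blacklist is maintained, and the reason string returned with every decision is what you would log so that a refused colleague can be matched to the list that refused them.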
  • 17. WAF
     Application-layer controls inspect the HTTP request body to protect against attacks such as SQL Injection & Cross-Site Scripting. The Akamai WAF is provided based on OWASP ModSecurity. By distributing processing across the large number of Akamai servers, performance is not affected even when a large number of malicious requests is received.
     OWASP ModSecurity Core Rule Set
     • Protocol Violations
     • Protocol Anomalies
     • Request Limits
     • HTTP Policy
     • Generic Attacks
     • Trojans
     • Outbound (Leakage)
  • 18. WAF
     The Akamai WAF checks the request against more than 200 rules, one by one. Because each rule is defined with an anomaly score, Akamai checks whether the total anomaly score for the request exceeds a threshold. The threshold for each risk group, such as XSS or SQL injection, is defined based on Akamai best practices.
     Custom Rules: create policy-based rules that are enforced before or after execution of the application layer controls.
  • 19. WAF : Scoring samples
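As an added example for the two WAF slides above (anomaly scoring per risk group, and scoring samples), the following sketch evaluates a request's fields against a small rule table, sums the anomaly scores per risk group, and blocks only when a group's total exceeds that group's threshold. The rule patterns, scores, thresholds and sample requests are constructed for illustration and are not Akamai's or the OWASP Core Rule Set's actual rules or numbers; a production WAF normalizes the request far more thoroughly than the single URL-decoding step shown here.

```python
"""Anomaly-score WAF evaluation per risk group; added example, not Akamai's
or OWASP CRS's real rules."""
import re
from urllib.parse import unquote_plus
from typing import Dict, List, Tuple

# (rule id, risk group, anomaly score, pattern); all constructed for the demonstration.
RULES = [
    ("X-001", "XSS", 5, re.compile(r"<\s*script\b", re.I)),
    ("X-002", "XSS", 3, re.compile(r"\bon\w+\s*=", re.I)),             # inline event handler
    ("X-003", "XSS", 2, re.compile(r"javascript:", re.I)),
    ("S-001", "SQLI", 4, re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("S-002", "SQLI", 3, re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("S-003", "SQLI", 2, re.compile(r"--|/\*")),                         # SQL comment sequence
    ("P-001", "PROTOCOL", 5, re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")),  # control characters
]
# A group blocks only when its total *exceeds* its threshold, so one medium-score
# indicator on its own passes while two corroborating ones do not.
THRESHOLDS = {"XSS": 4, "SQLI": 4, "PROTOCOL": 4}


def score_request(fields: Dict[str, str]) -> Dict[str, object]:
    """Evaluate every rule against every decoded field; return per-group totals,
    the (rule id, field) matches, the blocked groups and the resulting action."""
    totals: Dict[str, int] = {group: 0 for group in THRESHOLDS}
    matched: List[Tuple[str, str]] = []
    for field, raw in fields.items():
        value = unquote_plus(raw)        # minimal normalisation; real WAFs do far more
        for rule_id, group, score, pattern in RULES:
            if pattern.search(value):
                totals[group] += score
                matched.append((rule_id, field))
    blocked = sorted(g for g, total in totals.items() if total > THRESHOLDS[g])
    return {"totals": totals, "matched": matched, "blocked_groups": blocked,
            "action": "block" if blocked else "allow"}


# Constructed scoring samples: harmless text, single indicators that stay under the
# threshold, and requests where the indicators add up past it.
SAMPLE_REQUESTS = {
    "benign search": {"q": "select a tv", "note": "contact me on monday"},
    "encoded script tag": {"q": "%3Cscript%3Ealert(1)%3C/script%3E"},
    "single xss indicator": {"q": "<img src=x onerror=alert(1)>"},
    "two xss indicators": {"u": "<a href='javascript:x' onclick=go()>"},
    "single sqli indicator": {"id": "1' or '1'='1"},
    "two sqli indicators": {"id": "1' union select 1,2 -- "},
}


def evaluate_samples() -> Dict[str, str]:
    """Action taken for each constructed sample request."""
    return {name: score_request(req)["action"] for name, req in SAMPLE_REQUESTS.items()}
```

Two things the samples make visible that the slide's prose does not: the encoded request is caught only because decoding happens before matching, and a single weak indicator (one event-handler attribute, one quote-or-equals fragment) passes on its own. That second property is the point of per-group thresholds: they are tuned so that a single noisy rule does not block real traffic, which is also why a rule that is only ever seen alone should be reviewed rather than simply given a higher score.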
  • 20. Site Shield
     To protect the origin server from the public internet, there is a security option service called Site Shield. With this service, a list of Akamai edge server IPs is provided to Sony. Origin servers in the Sony network need to whitelist those IPs in the firewall and also need to limit access to only those IPs. The restricted access aims to protect the origin servers from the various Internet security threats that come to the origin directly.
     Notes: This IP list is updated regularly due to Akamai's regular server maintenance. Sony needs to update the whitelist in each firewall that shields the origin servers.
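The note on this slide is where Site Shield deployments usually go wrong in practice: the published IP list rotates, and each firewall must follow it without ever opening the origin wider than the list. The following is an added example, not Akamai's tooling or a Sony script, of the maintenance steps a practitioner would automate: parse the last-applied and newly published lists, compute the firewall additions and removals (additions first, so that an edge already on the new list is never refused mid-rollout), reject a list that would leave the origin exposed, and audit origin access-log lines for connections that did not arrive through the shield. The CIDRs and log lines are constructed placeholders.

```python
"""Site Shield list rotation: diff, validate and audit; added example, not Akamai's code."""
import ipaddress
from typing import Iterable, List, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_map(text: str) -> Set[Net]:
    """Parse one CIDR per line; blank lines and '#' comments are ignored.
    strict=True rejects an entry whose host bits are set, which is usually a typo."""
    nets: Set[Net] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=True))
    return nets


def validate_map(nets: Iterable[Net]) -> List[str]:
    """Entries that would widen the origin's exposure instead of shielding it."""
    problems = []
    for net in nets:
        if net.prefixlen == 0:
            problems.append(f"{net}: default route would admit the whole internet")
        elif any(net.overlaps(private) for private in RFC1918):
            problems.append(f"{net}: RFC 1918 space is not an Akamai edge range")
    return sorted(problems)


def plan_update(current: Set[Net], published: Set[Net]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) as CIDR strings for the firewall change."""
    to_add = sorted(str(n) for n in published - current)
    to_remove = sorted(str(n) for n in current - published)
    return to_add, to_remove


def audit_connections(nets: Iterable[Net], log_lines: Iterable[str]) -> List[str]:
    """Source addresses in origin access-log lines that are not on the map, i.e.
    requests that reached the origin without passing through Akamai."""
    nets = list(nets)
    offenders = []
    for line in log_lines:
        src = ipaddress.ip_address(line.split()[0])
        if not any(src in n for n in nets):
            offenders.append(str(src))
    return offenders


OLD_MAP = """# Site Shield map as last applied to the firewall (constructed)
203.0.113.0/24
198.51.100.0/25
"""
NEW_MAP = """# Newly published Site Shield map (constructed)
203.0.113.0/24
198.51.100.128/25
192.0.2.0/24
"""
ORIGIN_LOG = [   # constructed origin access-log lines, source address first
    '203.0.113.77 - - [01/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.40 - - [01/Jan/2024:00:00:02 +0000] "GET /mysony/ HTTP/1.1" 200 128',
    '198.51.100.5 - - [01/Jan/2024:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Running the audit against the origin's own logs, not only the edge's, is the check that tells you whether the firewall change actually took: a source address that is not on the current map either belongs to a stale entry that should have been removed or to a client that is reaching the origin directly, and both are worth an alert.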
  • 21. Q & A