Think Your CDN Is Protecting You? Think Again...

A common trend in website hosting is to use a conventional CDN hosting provider that offers high availability and improved performance by storing cached content on proxy servers in the cloud. These CDN solutions are effective at offloading much of the traffic from the original website. Where many CDN solutions fall short is in providing advanced security against web threats.

Here are a few things to consider if you're relying on your CDN solution to protect your organization from complex and sophisticated cyber-attacks.

CDNs are not especially effective in mitigating DDoS attacks

CDNs use surrogate servers located in geographically dispersed data centers across different regions. It seems natural that this approach would contain DDoS attacks. For instance, a CDN can absorb DDoS attacks by virtue of its extended bandwidth without affecting content availability. The overload caused by a DDoS attack is combated on local network edge servers, which helps prevent server saturation.

However, with the increased complexity and sophistication of DDoS attacks, the value that the CDN may have offered through its scattered network infrastructure has been virtually neutralized. DDoS attacks can now cripple a site no matter what type of CDN hosting is involved. Some cloud-based CDN solutions will only provide DDoS protection up to a specific traffic limit, further making them ineffective at protecting against today's common volumetric attacks.

Not all of your content is securely served by the CDN

CDNs can successfully cache static resources such as images, videos, audio clips, CSS files, and JavaScript files. Unfortunately, dynamically generated, rapidly changing pages as well as personalized pages cannot be cached and are delivered from the origin server. Therefore, dynamic web content is fully exposed to advanced attacks. From a broader perspective, any private or dynamic content is at risk when using a CDN.
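
To see which of your own responses fall into the uncached category, the added example below (not part of the original article) applies a simplified reading of the HTTP caching rules in RFC 9111 to constructed sample responses and lists the paths that a shared cache cannot answer. The function names, sample paths, and the conservative handling of Set-Cookie and of responses without an explicit lifetime are assumptions; real CDNs layer their own policy on top.

```python
# Added example (simplified RFC 9111); Set-Cookie and no-lifetime rules are conservative assumptions.
def parse_cache_control(value):
    """Return {directive: argument-or-None} from a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def freshness_seconds(cc):
    """Lifetime for a shared cache: s-maxage takes precedence over max-age."""
    for name in ("s-maxage", "max-age"):
        if name in cc:
            try:
                return int(cc[name])
            except (TypeError, ValueError):
                return 0  # malformed value: treat as already stale
    return None

def shared_cache_verdict(method, headers):
    """Return ("cacheable" | "origin", reason) for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if method not in ("GET", "HEAD"):
        return "origin", "unsafe method"
    for directive in ("no-store", "private", "no-cache"):
        if directive in cc:
            return "origin", "Cache-Control: " + directive
    if "set-cookie" in h:
        return "origin", "sets a cookie (personalized)"
    ttl = freshness_seconds(cc)
    if ttl is None or ttl <= 0:
        return "origin", "no positive freshness lifetime"
    return "cacheable", "fresh for %d s" % ttl

# Constructed sample responses: (method, path, response headers)
SAMPLES = [
    ("GET", "/static/app.css", {"Cache-Control": "public, max-age=86400"}),
    ("GET", "/img/logo.png", {"Cache-Control": "max-age=0, s-maxage=600"}),
    ("GET", "/account", {"Cache-Control": "private, no-store", "Set-Cookie": "sid=abc"}),
    ("GET", "/search?q=shoes", {"Cache-Control": "no-cache"}),
    ("POST", "/login", {"Cache-Control": "max-age=60"}),
    ("GET", "/api/feed", {}),
]

def origin_exposed(samples):
    """Paths whose responses the cache cannot answer, so requests reach the origin."""
    return [p for m, p, h in samples if shared_cache_verdict(m, h)[0] == "origin"]
```

The paths returned by `origin_exposed(SAMPLES)` are the ones whose protection depends on controls in front of or on the origin rather than on the cache.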

“Add-On” WAF and security offerings are labor-intensive, basic, and unsuitable for enterprise-grade protection

Many CDN providers offer little to no security as part of their standard offerings. Those that do offer a WAF, included or as an add-on, mainly protect against general attacks such as known bad requests (e.g. stopping common SQL injection strings) and known bad actors (e.g. blocking known botnets). There are options to customize the WAF by integrating rule sets developed by industry experts (for additional fees), importing existing ModSecurity rule sets, or writing custom rules, which can require manual configuration and specialized knowledge to tune thousands of whitelist rules.

So, how can you ensure optimal website performance and security?

Trusted Knight's Protector-Air provides enterprise-grade application security and DDoS protection against the full range of web-based threats. By maintaining a secure, high-performance replica of the original website in the cloud, Protector-Air can provide security while at the same time improving website performance. Additionally, by leveraging the global Amazon Web Services CloudFront service as a solution provider, Protector-Air provides the benefits of improving website performance globally.

Danny Ennis

Throughout a distinguished 36-year career, Danny held senior-level positions throughout the National Security Agency (NSA). As Director of the Threat Operations Centers (NTOC), he led the effort to defend against cyber threats to sensitive U.S. systems.