Akamai and Cyber Security: Extending Your Perimeter of Defense for High Value Applications
Executive Summary
The U.S. government is engaged in a new type of war – one that occupies a vast and difficult-to-control frontier.
In this war, assaults continuously threaten the country’s vital infrastructure, critical missions, valuable assets, and
operational capabilities. Because the war is being conducted in cyberspace, the government is challenged to
detect, defend against, or otherwise disable the enemy.
Consider that in a recent report, General James (Hoss) Cartwright, vice chairman of the Joint Chiefs of Staff, noted
37,000 reported breaches of government and private systems in fiscal year 2007, nearly 13,000 direct assaults on
federal agencies, and 80,000 attempted computer network attacks on Defense Department (DoD) systems1.
Clearly, government agencies and military services need to respond using new, innovative methods to counteract
this threat. In fact, recognizing that control of cyberspace is essential to America’s national security, the Air Force
has begun to reorganize around cyberspace operations 2. The establishment of the Air Force Cyber Command
represents the dawn of a new era, one in which the control of cyberspace is just as critical as the control of land,
air, sea, and space in defending the nation’s security.
This paper presents the approach and solutions that government must employ to ensure uninterrupted operations
and control of cyberspace, including:
• Extending and securing the Web-based application perimeter
• Mitigating Web-based attacks
• Maintaining situational awareness of Internet conditions and Web application health
Cyberspace: A Hostile Environment
Increasingly, the U.S. government relies on the Internet to deliver critical missions.
In fact, it’s starting to adopt Web 2.0 technologies—such as wikis and other social
networking applications—to promote information sharing, collaboration, command
and control, and user productivity. One example is Intellipedia, an online system for
collaborative data sharing used by the U.S. intelligence community3.
While the government explores best practices in applying next-generation Internet
technologies to support its mission, it needs to consider the potential security threats
on the Internet. As a distributed network of networks, the Internet is plagued by
congestion and outages and is vulnerable to attacks and unplanned failures. High-
profile sites in particular are targets for hackers, viruses, distributed denial of service
(DDoS) attacks, and cyber-terrorism. Furthermore, open access to information exposes
vulnerabilities in the form of security holes and often easy discovery of Web-based
assets open to probing and attack.
A recent report submitted to President Bush by the President’s Information Technology
Advisory Committee described the problem bluntly: “The information technology [IT]
infrastructure of the United States, which is now vital for communication, commerce
and control of our physical infrastructure, is highly vulnerable to terrorist and criminal
attacks.4”
Consider the story that broke in late 2007 about a rash of attacks on government
computer systems linked to Chinese servers. Or the fact that since 2006, hackers
have penetrated e-mail and other systems at the U.S. Defense, State, and Commerce
departments5.
The problem is exacerbated by the fact that almost anyone has the potential to enter
the realm of cyber warfare. In May 2007, a cyber attack was launched against the
Estonian government and commercial entities. Using waves of Distributed Denial of
Service (DDoS) “cyber storms”, the attacks severely degraded operations for the entire
month. Not until 2008 did the government identify the culprit—a disgruntled student.
Akamai’s 1st Quarter 2008 State of the Internet report notes that for all Web-based
attacks – both brute force and targeted – “Akamai observed attack traffic originating
from 125 unique countries around the world. China and the United States were the two
largest traffic sources, accounting for some 30% of [attack] traffic in total.”
In a “denial of service attack,” a Web site’s IP address is bombarded with traffic in an
attempt to overwhelm the infrastructure managing the site.
The government has already begun implementing many measures to defend against
cyber attacks. For instance, the Air Force has created the Air Force Cyberspace Command,
which has led to a reorganization of the Air Force around cyberspace operations. Yet,
even as agencies express concern over their security posture and make plans to address it,
they are often unsure about the best course of action to defend their Web-based systems.
This uncertainty frequently leads government agencies into taking many of the missteps
already taken by commercial enterprises trying to defend their assets.
Why Traditional Solutions Fall Short
To compensate for the Internet’s security vulnerabilities, public-sector organizations have
attempted to bolster their centralized IT infrastructures by adding servers, software, and
more bandwidth, while implementing more complex access schemas. However, these
efforts solve only a portion of the problem – after all, attacks and vulnerabilities exist on
multiple levels and new ones are arising all the time. These approaches also tend to result
in a tradeoff between acceptable Web site and application performance and availability
versus increased security. Because each Web site is a single point within the vast Internet,
the Internet’s architecture (and related issues) is beyond any single entity’s control. The
bottom line—it’s impossible for any single site to maintain optimal security without fail.
Consider that a Web application’s DNS (Domain Name Service) is critical in successfully
connecting end users to Web applications. But most organizations frequently under-
deploy their DNS infrastructure, sometimes relying on just two or three DNS servers. Too
often, these servers reside in the same telecommunications network and perhaps even
in the same data center. This leaves the organization vulnerable to unplanned downtime
during cyber attacks, natural disaster, server failures, power losses, or telecommunications
network outages.
Employing a Layered Approach to Security
To satisfy their missions, government agencies and military services need to ensure the
security and uninterrupted availability of Web-based applications. Any attempt to protect
U.S. assets and national interests needs to revolve around the concept of “Defense in
Depth.” In short, “Defense in Depth” employs a methodology focused on deploying
a series of layered and interlocking defense mechanisms to detect, deflect, absorb, or
otherwise thwart Web application attacks.
The National Security Agency asserts that Defense in Depth includes both “defense in
multiple places, [meaning that] an organization needs to deploy protection mechanisms
at multiple locations to resist all classes of attacks (e.g., Denial of Service attacks)”6, as well
as “layered defenses” that provide multiple boundaries to protect system infrastructure.
In short, a robust Defense in Depth strategy goes hand in hand with the realization that
there are no “silver bullets” when it comes to protecting Web assets and maintaining
overall Information Assurance (IA). The “Defend the Fort” mentality is as obsolete as the
Maginot Line—a comprehensive and layered approach must be employed to mitigate
security risks.
To ensure uninterrupted operations and control of cyberspace, the government must
implement innovative solutions to mitigate security risks.
• Extend and Secure the Web-Based Application Perimeter
Agencies should extend their Web infrastructure and control to the edge of the Internet,
leveraging best-of-breed commercial managed services to ensure high availability and
performance while preventing unauthorized and undesirable access to critical
Web assets.
• Mitigate Web-Based Attacks
As Web-based attacks quickly rise in both number and intensity, government entities
will suffer significant consequences for not planning appropriately to mitigate these
threats. The U.S. government, armed services, and intelligence community need a
way to ward off any cyber attack with resiliency, and, in effect, weather
“cyber storms.”
• Maintain Situational Awareness of Internet Conditions and Web Application Health
Major General William T. Lord asserted, “Mastery of cyberspace is essential to
America’s national security. Controlling cyberspace is the prerequisite to effective
operations across all strategic and operational domains.”7 The government cannot
control and defend against what it cannot see or detect. While cyberspace has
been called the “silent battleground”, it is not invisible, and government must take
advantage of opportunities to gain awareness of what is happening to Web-based
assets on the Internet.
Defense in Depth with Akamai
Akamai secures, deploys, operates, and monitors one of the world’s most distributed
computing networks—the Akamai EdgePlatform—comprising over 34,000 servers
in about 70 countries. This infrastructure is used to support the Web operations and
processes for over 2,700 organizations’ Web sites, applications, and IP communications,
typically operating at an aggregate rate of between 400-700 Gbps and 3-5 million
transactions per second.
Over the course of 10 years, Akamai has evolved its services to keep pace with the
evolution of Internet technologies and trends. Originally developed to ensure the
speedy and reliable delivery of static content, Akamai has created new services that help
government address its 21st-century Web application requirements.
Secure and Extend the Web-Based Application Perimeter
Government can improve the security, performance, and availability of Web applications
by applying a powerful combination of Akamai capabilities. Specifically, government
can realize significant benefits by using the following Akamai services:
• Dynamic Site Accelerator solution with Secure Content Delivery
• Enhanced Domain Name Service
• Akamai Site Shield
• Akamai Site Failover
• Authentication and Authorization
• Dynamic Site Accelerator Solution with Secure Content Delivery
The Dynamic Site Accelerator (DSA) service allows government agencies to extend
their Web application perimeter to the edge of the Internet to ensure consistently
fast performance, increased availability, and instant scalability for dynamic Web
applications. The Akamai EdgePlatform bypasses Internet bottlenecks and brings
content closer to end-users.
Intelligent routing technology connects each Web site visitor request to an optimal
Akamai server. Akamai’s patented DNS-based request routing and load balancing
technologies find the best edge server for each request—taking into account traffic
patterns, available bandwidth, network latency, user location, network problems,
server load, as well as the content being requested. The addition of Secure Content
Delivery allows organizations to deliver HTTPS sites using proven SSL cryptographic
technology.
• Enhanced Domain Name Service
Akamai’s Enhanced Domain Name Service enables agencies to globally
distribute their DNS infrastructure while disabling public Internet access to
sensitive internal DNS assets. The solution leverages the Akamai Platform,
requires no change to existing DNS administration processes, and provides
unparalleled security, reliability, scalability, and performance of DNS resolutions,
dependably directing end users to Web assets.
• Site Shield
Akamai Site Shield protects the origin site by effectively cloaking its accessible
IP space. While downstream Access Control Lists (ACLs) will only allow Site Shield
IPs to contact the agency’s origin Web application server, upstream ACLs and
associated router configurations prevent any other machines on the Internet
from masquerading as the Site Shield servers. As a result, no other machine on
the Internet has the ability to communicate directly with the origin server.
At the same time, Akamai’s distributed edge servers maintain complete access
to the current Web application via the Site Shield regions. If an Akamai server
ever needs content that it cannot find at one of its peers, it directs that request
to a Site Shield region to be fulfilled. That means valid end users can always
retrieve content from Akamai servers with maximum performance and
reliability while the origin remains protected.
• Site Failover
Site Failover frees organizations from the limitations of mirroring by storing and
delivering Web site content from a global network of thousands of servers on
the Akamai EdgePlatform. As a result, content remains available to requesting
users. Site Failover utilizes the network intelligence and data storage capabilities
of the Akamai EdgePlatform to provide three failover solutions:
—Failover to edge server
—Failover to alternate data center
—Failover to Akamai NetStorage
The needs of a particular organization and available infrastructure determine
which Site Failover option is appropriate. In all three scenarios, however, Akamai
automatically detects whether the customer’s origin server is responding to
requests, and will detect when it is back online.
• Authentication and Authorization
Optionally, organizations can leverage Akamai’s Advanced PKI (Public
Key Infrastructure) and OCSP (Online Certificate Status Protocol) capabilities
to further extend their use of client certificates. That means organizations
can confidently use authentication and authorization schemes for their Web
applications – without the risk of being overwhelmed by distributed denial of
service (DDoS) attacks.
Web-Based Attack Mitigation
Akamai’s globally distributed network monitors, absorbs, and deflects constant
attacks of varying types and degrees, often without any end-user service
degradation. Government organizations can take advantage of Akamai’s abilities
to mitigate brute force and targeted attacks, as well as to provide insight into
BOT networks.
• Brute Force Web Attack Mitigation
Akamai offers capabilities that reduce or eliminate the effects of brute force
attacks against an organization’s Web infrastructure. In fact, Akamai is well
positioned to mitigate certain DDoS attacks, in part due to the fact that Akamai’s
platform is massively distributed on a global scale.
By locking down DNS and HTTP Web infrastructure to only communicate with
Akamai servers, organizations are able to shield their Web and application servers
from a variety of denial of service and direct exploit attacks—including SYN flood
attacks against DNS and HTTP web resources, and common worms and viruses that
operate via malformed HTTP communications.
Given that the Akamai network serves 15-20% of all Web traffic today—and has
already sustained traffic spikes exceeding 1,100,000 Mbps—the Akamai platform
is well positioned to withstand fierce DDoS “cyber storms.”
• Akamai Insight for BOT Mitigation
BOT networks—that is, networks of distributed computers that have been
compromised or deployed for the specific purpose of launching and/or controlling
cyber attacks—constitute a persistent and growing cyber threat for all Internet
users.
In addition to the DDoS protections described above, Akamai recently began
implementing a specialized data analysis methodology for certain opt-in customers
whose Web applications are being delivered by Akamai. Using information captured
by Akamai and a score based on the historic activity patterns of the Web entities being
analyzed, organizations can determine whether incoming visitors represent part of a
BOT network or valid users driving a traffic spike.
• Targeted Web Attack Mitigation
Over the last few years, as enterprise network security measures have continued
to improve, attackers have adapted and now increasingly focus on the application
layer. Sometimes cyber attackers launch targeted attacks specifically designed to
take advantage of un-patched or known weaknesses in an organization’s
Web infrastructure in order to access information, deface a site, or gain control of a
Web server. Common examples of such attacks include SQL Injection, HTTP Request
Smuggling (sometimes called Request Splitting), Buffer Overflow, and Cross Site
Scripting (XSS). All of these exploits are common attack vectors being successfully
employed by hackers every few seconds.
Akamai’s Web Application Firewall was designed to help mitigate exactly these types
of attacks, enabling organizations to detect potential Web application attacks in HTTP
traffic before the request reaches their Web assets. If an anomalous and potentially
malicious pattern is detected in HTTP request headers, Akamai can either issue an
alert or block the traffic altogether.
The Akamai Web Application Firewall service provides a highly scalable, outer
defensive ring of Web application protection. Even organizations with Web
application protections in place can derive significant scalability and protection
benefits by migrating some of their Web application protection functions to the
Akamai platform.
Maintain Situational Awareness of Internet Conditions and Web Application Health
The Internet is massively distributed and sometimes chaotic. Most organizations have
good access to data within their data center, but little insight into what is happening in
the network “cloud” beyond their data center walls. Akamai’s global scope and unique
position of delivering 15-20% of all Web traffic combined with its world-class data
collection mechanisms allow it to construct an accurate and comprehensive picture of
what’s happening on the Internet. This is valuable information that Akamai is able to
make available to its customers—enabling them to leverage vast amounts of data to
which they would otherwise have no access.
• Internet Intelligence Portal
Akamai’s Internet Intelligence Portal leverages this vast quantity of information to
provide detailed information on the overall state of the Internet, including backbone
health, DNS name server health, and BGP churn.
More fully exploiting Akamai’s Internet data via further customization of the Akamai
Internet Intelligence Portal can lead to powerful network intelligence. For example,
government agencies might be interested in building-level geo-location in
metropolitan regions, new methods to track cyberspace entities of interest,
information on proxy user populations and downstream network structure, correlation
between DNS infrastructure and its users, geo-location of satellite connections to the
country level, or identification of organizational fingerprints on the network.
Government agencies can use this information to identify Internet attacks or other
unusual activity, and to determine if Web application attacks on their infrastructure
represent a specific attack against their organization or network, or a general pattern
across the Web.
• Web Application Monitoring, Control, and Reporting
Akamai also provides organizations the visibility and control that comes with
knowing exactly how their extended infrastructure is functioning at all times. A set
of infrastructure management, monitoring, and reporting tools help Web application
owners optimize their performance and ensure the effectiveness of content and
data delivery. These tools offer a Web-based “cyber window” that civilian agencies,
the intelligence community, and the armed services can use to view traffic patterns
and geographic dispersions, monitor/troubleshoot origin infrastructure proactively,
and confirm successful delivery of content. A unique real-time alert capability informs
organizations when defined thresholds have been crossed, indicating that
performance and user experience have degraded.
Real-Time Monitoring and Historical Reporting
Real-time monitoring and historical reporting capabilities—delivered through Akamai’s
customer portal (Akamai EdgeControl Management Center)—provide data and
reports that aid in evaluating and maintaining Web application effectiveness and
performance, as well as analyzing Web traffic patterns. The portal’s historical
reporting system obtains information from traffic logs produced by thousands of
Akamai edge servers. These traffic logs—which are captured, processed, and loaded
into the Akamai Network Usage Database throughout the day—record requests
and responses for content delivered by the Akamai network. Once the data is
loaded, customers can view reports instantly online, or they can schedule them to be
automatically e-mailed in the format and at the frequency they define.
MONITOR SITE TRAFFIC LEVELS IN REAL TIME
Alerts
Because Akamai delivers all content and applications from the EdgePlatform, the
application owner’s origin infrastructure is shielded from the public Internet. However,
since the connection between a Web application origin and the EdgePlatform is
critical to delivering the latest content, organizations must be aware of any origin
issues in order to address them proactively. Akamai monitors origin infrastructure
24x7x365 and, through a real-time alert capability, e-mails or pages system managers
whenever customer-defined thresholds have been crossed. Alerts are tailored to
inform system managers of critical conditions, including:
• Edge bandwidth usage (drops or bursts of traffic)
• Origin server, connection, or DNS failure
• Incomplete or aborted downloads
• Access denied at origin
• URL not found
• Error codes
• SSL transaction failures
System managers also have access to tools to identify and solve problems quickly so
that end users never experience a single instance of failure.
EDGECONTROL MANAGEMENT CENTER ALERTS INTERFACE
Log Delivery
The mission-critical Web usage information logged by Akamai servers is delivered as
consolidated log files in standard industry formats. Two file formats are
supported: Combined Log Format and W3C Extended Log Format.
Site and Visitor Intelligence
In addition to the basic reporting and monitoring available with the Dynamic Site
Accelerator service, an additional reporting module provides more detailed
intelligence. With Site and Visitor Intelligence customers can get timely and accurate
answers to the following questions:
• What does the traffic profile for my site look like?
• What times of the day does my site see the most traffic?
• Who are the top visitors to my site based on hits and volume?
• What are the most frequently requested Web pages on my site?
• From what locations are end users coming to my site?
Site and Visitor Intelligence provides a powerful site traffic profile view by showing
periods of dense and light traffic to the site. The figure below shows an example of
visitors to the site on an hourly basis. With this view, organizations can make
decisions on when to make changes to the site and whether certain events and site
activities are resulting in expected application usage profiles.
SITE TRAFFIC PROFILE BASED ON UNIQUE VISITORS
Organizations can obtain details on the top visitors going to a specific site hostname
based on IP address. This provides insight into whether the site is getting flooded with
traffic from a specific IP address and if traffic is coming from the top visitors or is
spread across a more diverse user base.
TOP SITE VISITORS BASED ON IP ADDRESS
Akamai customers can access reporting that provides details on the Top URLs being
requested, enabling them to understand which URLs are the most frequently
requested and which URLs are generating the most traffic volume (MB).
TOP URLS BASED ON HITS AND TRAFFIC VOLUME
For organizations that want to ensure their target audience is connecting to their site,
Site and Visitor Intelligence also provides details on where users are coming from
based on country. For the United States, this also includes a breakdown of visitors
based on individual state.
END USER TRAFFIC BASED ON GEOGRAPHICAL LOCATION
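The Log Delivery and Site and Visitor Intelligence views described above, as an added example that is not Akamai code: a small Python parser for Combined Log Format lines (one of the two delivered formats) that derives the hourly traffic profile, top visitors by IP with volume, top URLs by hits and volume, a 4xx/5xx error tally, and a crude single-source flood check. The sample log lines, addresses, paths and the 50% flood threshold are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Combined Log Format (placeholder addresses and host);
# not Akamai log output. Fields: host ident authuser [date] "request" status bytes "referer" "agent"
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2008:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2008:09:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2008:09:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2008:09:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2008:09:15:00 +0000] "GET /reports/q1.pdf HTTP/1.1" 200 2097152 "http://example.gov/" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2008:10:05:00 +0000] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2008:10:30:00 +0000] "POST /login HTTP/1.1" 403 512 "-" "curl/7.18"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """One Combined Log Format line -> record dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    size = m.group("size")
    return {"ip": m.group("ip"),
            "hour": ts.strftime("%Y-%m-%d %H:00"),
            "path": m.group("path").split("?", 1)[0],  # group by page, drop query string
            "status": int(m.group("status")),
            "bytes": 0 if size == "-" else int(size)}  # "-" = no body sent (e.g. 304)

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def hourly_profile(records):
    """Hits per hour bucket: which times of day the site sees the most traffic."""
    return dict(Counter(r["hour"] for r in records))

def _rank(records, key, n):
    hits, vol = Counter(), Counter()
    for r in records:
        hits[r[key]] += 1
        vol[r[key]] += r["bytes"]
    order = sorted(hits, key=lambda k: (-hits[k], -vol[k], k))  # hits, then volume
    return [(k, hits[k], vol[k]) for k in order[:n]]

def top_visitors(records, n=5):
    """Top client IPs as (ip, hits, bytes delivered)."""
    return _rank(records, "ip", n)

def top_urls(records, n=5):
    """Most requested paths as (path, hits, bytes delivered)."""
    return _rank(records, "path", n)

def single_source_flood(records, share=0.5):
    """Return (ip, fraction) if one IP sends more than `share` of all hits.
    A crude single-source flood indicator; the 50% default is an assumption."""
    if not records:
        return None
    ip, hits, _ = top_visitors(records, 1)[0]
    frac = hits / len(records)
    return (ip, frac) if frac > share else None

def error_counts(records):
    """4xx/5xx status code tallies, the 'error codes' alert condition."""
    return Counter(r["status"] for r in records if r["status"] >= 400)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(hourly_profile(recs), top_visitors(recs), top_urls(recs), sep="\n")
    print(single_source_flood(recs), dict(error_counts(recs)))
```

Feeding real delivered logs through the same functions, hour by hour, gives the per-IP and per-URL views the report module describes, with the flood check and error tally serving as simple threshold inputs for alerting.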