Security
You get full control over who sees what, when and where. Get protected from digital thefts.
Benefits
Features
Protect your brand
Your content is only yours! So prevent others from using it in their contexts.
Business alignment
Build your own custom delivery rules and align your digital security implementation with your exact business needs.
Segregated network
Our entirely separate and secure CDN was built and dedicated solely to e-commerce traffic.
Stay in license
Get control over your content and easily restrict access by country, title, or date if you need it.
PCI compliance
Financial and transactional information is protected with the highest level of PCI compliance.
Secure HTTP
Full support for encrypted and authenticated HTTPS. Enhance our standard HTTPS delivery with a wide range of custom security certificates.
Rules-based delivery
Our HTTP Rules Engine lets you build your own custom set of access rules.
All-day Support
You can always rely on our support. Anytime, day-and-night we are ready to help you with any question with all the patience and without delays.
SSL delivery
We support everything you need - single hostname, wildcard, SAN, Extended Validation, or any other type of SSL certificate.
Network Security Freeze
You'll never see significant changes to our platform during the busiest e-commerce periods, such as the holiday season, to ensure maximum stability.
Broad authentication options
Token authentication, SWF authentication, and RTMPE let you restrict access by IP, TTL, URL, location, or referrer.
Analytics-powered security
With our EC360 Analytics Suite you have the detailed visibility you need to effectively control your site.
DDoS mitigation
Our robust IP Anycast and Rules Engine systems provide sophisticated DDoS mitigation strategies to keep you up and running.
Active failover & redundancy
Requests are routed automatically along the next-best path by our platform if degradation along one path occurs.
Try our features with a no commitment test account
SECURITY IN-DEPTH
Web Application Firewall (WAF)
Many web sites, web applications, and web servers receive and process requests from outside a company's protected internal network. That can result in a variety of malicious attacks including SQL injections, cross-site scripting, and application layer distributed denial of service (DDoS).
This exposure poses a threat to the customer’s infrastructure and the confidentiality, integrity, and availability of the data delivered by those resources over the Internet. These types of attacks can result in unauthorized access to content, the loss of personally identifiable information (PII), and the dissemination of private/copyrighted information.
The Web Application Firewall (WAF) service provides a layer of security between many of these security threats and the customer’s external web infrastructure. Our WAF increases security by monitoring, detecting, and preventing application layer attacks. It inspects inbound HTTP/HTTPS traffic against reactive and proactive security policies and blocks malicious activity in-band and on a real-time basis.
There are various layers to the protection provided to an origin server via Web Application Firewall, such as:
The diagram below illustrates how traffic is screened before it can ever reach our core network. The distributed nature of our worldwide network provides an additional layer of protection to origin servers. Finally, an intermediate caching layer may be enabled on an origin server as an additional measure to prevent web servers from being overloaded. This capability is known as Origin Shield.
WAF Setup
The manner in which Web Application Firewall should be configured varies by organization due to a variety of factors, such as those listed below.
HTTP Rules Engine
The Media Control Center (MCC) provides many different options that the customer can leverage to configure how his assets are handled by our CDN. However, the customer’s unique working environment may require an additional level of customization. For this reason, we provide an interface through which the customer can create custom rules that will override his MCC configuration and the default behavior of our edge servers. These custom rules can be created to handle how our edge servers cache and grant access to large and small assets.
A rule defines the criteria that a request has to meet before one or more features can take effect. For example, the customer can define a rule that disables caching for PHP assets.
However, when setting up a rule's criteria, the customer should keep in mind that a rule is interpreted as it is laid out. In other words, actions take place as a set of criteria is met. Once a set of criteria has been satisfied, then no additional attempts to match other criteria in the current rule will take place.
Using multiple rules allows the customer to exercise both coarse and granular control over how requests for his assets are handled. For example, the customer could create a rule that determines the default manner through which all requests are handled. After which, he could create a set of rules that determine how certain types of requests are handled for a particular location. In order for this type of configuration to work properly, the customer will need to pay attention to the order in which these rules are listed.
The order in which multiple rules are listed affects how they are handled. Rules are typically processed in the order that they appear. If a client's request satisfies the criteria for more than one rule, then the features associated with the matching criteria for each rule will take place. This could lead to a situation where conflicting actions will take place. In such a case, the last action to take place will take precedence over previous actions. Therefore, it is recommended that the customer place rules that should take precedence as close to the bottom of the list as possible.
The following illustration contains four sample rules that provide different instructions based on the type of request being performed. In this scenario, we'll assume that the client requests an HTML asset from the "Secure" folder on "myhostname.com." This type of request will satisfy the match criteria for all four rules. Therefore, the features associated with each of the rules will be applied to the request. If one or more rules contain conflicting instructions, then the rule closest to the bottom of the list will take precedence. In this sample scenario, the rule called "Apply to All HTML Requests for "myhostname.com" in "Secure" Folder" would take precedence over the other rules.
HTTP Rules Engine can be used to override and/or extend the CDN configuration defined in the MCC and the response headers defined by a web server (e.g., Apache or IIS).
The following illustration is of a rule that disables Token-Based Authentication for HTML files.
Token-Based Authentication
If Token-Based Authentication is enabled, then only requests that provide an encrypted token and comply to the requirements specified by that token will be honored. Only requests from clients that provide a valid token and meet its requirements will be honored. FTP transactions are excluded from Token-Based Authentication.
Many web sites, web applications, and web servers receive and process requests from outside a company's protected internal network. That can result in a variety of malicious attacks including SQL injections, cross-site scripting, and application layer distributed denial of service (DDoS).
This exposure poses a threat to the customer’s infrastructure and the confidentiality, integrity, and availability of the data delivered by those resources over the Internet. These types of attacks can result in unauthorized access to content, the loss of personally identifiable information (PII), and the dissemination of private/copyrighted information.
The Web Application Firewall (WAF) service provides a layer of security between many of these security threats and the customer’s external web infrastructure. Our WAF increases security by monitoring, detecting, and preventing application layer attacks. It inspects inbound HTTP/HTTPS traffic against reactive and proactive security policies and blocks malicious activity in-band and on a real-time basis.
There are various layers to the protection provided to an origin server via Web Application Firewall, such as:
- Inherent protection from DDoS attacks.
- Protection from application layer attacks.
- - Enable a comprehensive set of threat detection measures for the purpose of identifying malicious traffic. These measures define the types of application layer attacks that will be detected, such as:
- Protocol validation
- Malicious client identification
- Generic attack signatures
- Known vulnerabilities signatures
- Trojan/backdoor access
- Virus and Denial of Service
- Filtering out unwanted traffic by screening for a custom delivery profile.
- - Traffic that doesn’t meet the requirements defined in this HTTP delivery profile may be blocked before it even reaches our core network.
- Establishing traffic restrictions to block malicious traffic.
- - Requests may be whitelisted/blacklisted by IP address, country, URL, and/or referrers.
- - Our worldwide presence establishes an imposing and extensive barrier between an origin server and malicious traffic, regardless of whether it consists of a high-volume HTTP GET flood attack or a slow DDoS attack.
The diagram below illustrates how traffic is screened before it can ever reach our core network. The distributed nature of our worldwide network provides an additional layer of protection to origin servers. Finally, an intermediate caching layer may be enabled on an origin server as an additional measure to prevent web servers from being overloaded. This capability is known as Origin Shield.
WAF Setup
The manner in which Web Application Firewall should be configured varies by organization due to a variety of factors, such as those listed below.
Factor
Description
Web Applications
The type of web applications running on the origin server may affect the level of protection that may be applied via WAF.
Traffic Delivery Profile
The type of traffic that is considered legitimate affects the amount by which traffic may be restricted. Additionally, there may be multiple traffic delivery profiles that are specific to a site, role, or the action being performed.
Acceptable Risk
WAF allows the flexibility to determine the degree to which a site will be protected. A balance must be found between security and allowing the flow of legitimate traffic. A major factor in this balancing act is the degree to which an organization is able to cope with risk.
HTTP Rules Engine
The Media Control Center (MCC) provides many different options that the customer can leverage to configure how his assets are handled by our CDN. However, the customer’s unique working environment may require an additional level of customization. For this reason, we provide an interface through which the customer can create custom rules that will override his MCC configuration and the default behavior of our edge servers. These custom rules can be created to handle how our edge servers cache and grant access to large and small assets.
A rule defines the criteria that a request has to meet before one or more features can take effect. For example, the customer can define a rule that disables caching for PHP assets.
However, when setting up a rule's criteria, the customer should keep in mind that a rule is interpreted as it is laid out. In other words, actions take place as a set of criteria is met. Once a set of criteria has been satisfied, then no additional attempts to match other criteria in the current rule will take place.
Using multiple rules allows the customer to exercise both coarse and granular control over how requests for his assets are handled. For example, the customer could create a rule that determines the default manner through which all requests are handled. After which, he could create a set of rules that determine how certain types of requests are handled for a particular location. In order for this type of configuration to work properly, the customer will need to pay attention to the order in which these rules are listed.
The order in which multiple rules are listed affects how they are handled. Rules are typically processed in the order that they appear. If a client's request satisfies the criteria for more than one rule, then the features associated with the matching criteria for each rule will take place. This could lead to a situation where conflicting actions will take place. In such a case, the last action to take place will take precedence over previous actions. Therefore, it is recommended that the customer place rules that should take precedence as close to the bottom of the list as possible.
The following illustration contains four sample rules that provide different instructions based on the type of request being performed. In this scenario, we'll assume that the client requests an HTML asset from the "Secure" folder on "myhostname.com." This type of request will satisfy the match criteria for all four rules. Therefore, the features associated with each of the rules will be applied to the request. If one or more rules contain conflicting instructions, then the rule closest to the bottom of the list will take precedence. In this sample scenario, the rule called "Apply to All HTML Requests for "myhostname.com" in "Secure" Folder" would take precedence over the other rules.
HTTP Rules Engine can be used to override and/or extend the CDN configuration defined in the MCC and the response headers defined by a web server (e.g., Apache or IIS).
- Web Server (Customer Origin): A web server can define key response headers that will be associated with assets requested through our CDN. For example, a web server can define response headers that control the cache policy for requested assets. HTTP Rules Engine allows the customer to override those response headers to create a custom cache policy for content served through the CDN.
- Default CDN Response Headers: If certain key response headers have not been defined by the origin server, then a default response header value may be assigned to the cached asset and the response returned to the user agent. These default response header values can also be overridden by HTTP Rules Engine.
- MCC: The MCC allows the customer to define how assets can be accessed through the CDN. HTTP Rules Engine can be used to customize the actions that will take place when content is requested on the customer’s account. For example, he can create a rule that prevents users from a particular country or region from requesting content from a customer origin.
The following illustration is of a rule that disables Token-Based Authentication for HTML files.
Token-Based Authentication
If Token-Based Authentication is enabled, then only requests that provide an encrypted token and comply to the requirements specified by that token will be honored. Only requests from clients that provide a valid token and meet its requirements will be honored. FTP transactions are excluded from Token-Based Authentication.
Try our features with a no commitment test account
OTHER SERVICES
Application Delivery
Accelerate delivery of web applications and non-static content.
Caching
Our delivery and acceleration services will lead you to the world's digital threshold, from complete websites to mobile.
Analytics
Full and instant visibility into performance of the content and the user experience.
Download Manager
Your files are delivered globally with super-fast speed, intelligence and flexibility.
Security
Protect your applications and content from unauthorized use with the powerful security tools.
Edge Optimizer
Powered by Google PageSpeed, Edge Optimizer keeps your application's data and logic off of your network.
Streaming
We will deliver better than anyone else your Flash, Silverlight, or HTTP – live or on-demand.
Storage
It is more than just CDN storage. Security, replication, and caching infrastructures really mean massive scale at ultra-fast rates of speed.
Rules Engine
With our powerful tool you have the whole control over when, how and if the content is served and delivered.
Piranha Purge
Better caching flexibility, efficiency, and performance with Piranha Purge.
