cloudy wpcybersecurity

Akamai and Cyber Security: Extending Your Perimeter of Defense for High Value Applications —September 2008

White Paper

EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

CYBERSPACE: A HOSTILE ENVIRONMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

WHY TRADITIONAL SOLUTIONS FALL SHORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

EMPLOYING A LAYERED APPROACH TO SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

DEFENSE IN DEPTH WITH AKAMAI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Secure and Extend the Web-based Application Perimeter . . . . . . . . . . . . . . . . . . . . . . 3

Dynamic Site Accelerator Solution with Secure Content Delivery . . . . . . . . . . . . . . 3

Enhanced Domain Name Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Site Shield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Site Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Web-based Attack Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Brute Force Web Attack Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Akamai Insight for BOT Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Targeted Web Attack Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Maintain Situational Awareness of Internet Conditions and Web Application Health . . . 5

Internet Intelligence Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Web Application Monitoring, Control, and Reporting . . . . . . . . . . . . . . . . . . . . . . . 6

SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

ABOUT AKAMAI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Table of Contents

Akamai and Cyber Security: Extending Your Perimeter of Defense for High Value Applications 1

Cyberspace: A Hostile Environment Increasingly, the U. S. government relies on the Internet to deliver critical missions. In fact, it’s starting to adopt Web 2.0 technologies—such as wikis and other social networking applications—to promote information sharing, collaboration, command and control, and user productivity. One example is Intellipedia, an online system for collaborative data sharing used by the U.S. intelligence community3.

While the government explores best practices in applying next-generation Internet technologies to support its mission, it needs to consider the potential security threats on the Internet. As a distributed network of networks, the Internet is plagued by congestion and outages and is vulnerable to attacks and unplanned failures. High-profi le sites in particular are targets for hackers, viruses, distributed denial of service (DDoS) attacks, and cyber-terrorism. Furthermore, open access to information exposes vulnerabilities in the form of security holes and often easy discovery of Web-based assets open to probing and attack.

A recent report submitted to President Bush by the President’s Information Technology Advisory Committee described the problem bluntly: “The information technology [IT] infrastructure of the United States, which is now vital for communication, commerce and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks.4”

Consider the story that broke in late 2007 about a rash of attacks on government computer systems linked to Chinese servers. Or the fact that since 2006, hackers have penetrated e-mail and other systems at the U.S. Defense, State, and Commerce departments5.

The problem is exacerbated by the fact that almost anyone has the potential to enter the realm of cyber warfare. In May 2007, a cyber attack was launched against the Estonian government and commercial entities. Using waves of Distributed Denial of Service (DDoS) “cyber storms”, the attacks severely degraded operations for the entire month. Not until 2008 did the government identify the culprit—a disgruntled student.

Executive SummaryThe U.S. government is engaged in a new type of war – one that occupies a vast and difficult-to-control frontier. In this war, assaults continuously threaten the country’s vital infrastructure, critical missions, valuable assets, and operational capabilities. Because the war is being conducted in cyberspace, the government is challenged to detect, defend against, or otherwise disable the enemy.

Consider that in a recent report, General James (Hoss) Cartwright, vice chairman of the Joint Chiefs of Staff noted 37,000 reported breaches of government and private systems in fiscal year 2007, nearly 13,000 direct assaults on federal agencies, and 80,000 attempted computer network attacks on Defense Department (DoD) systems1.

Clearly, government agencies and military services need to respond using new, innovative methods to counteract this threat. In fact, recognizing that control of cyberspace is essential to America’s national security, the Air Force has begun to reorganize around cyberspace operations2. The establishment of the Air Force Cyber Command represents the dawn of a new era, one in which the control of cyberspace is just as critical as the control of land, air, sea, and space in defending the nation’s security.

This paper presents the approach and solutions that government must employ to ensure uninterrupted operations and control of cyberspace, including:

• Extending and securing the Web-based application perimeter

• Mitigating Web-based attacks

• Maintaining situational awareness of Internet conditions and Web application health


Akamai’s 1st Quarter 2008, The State of the Internet report notes that for all Web-based attacks – both brute force and targeted—“Akamai observed attack traffi c originating from 125 unique countries around the world. China and the United States were the two largest traffi c sources, accounting for some 30% of [attack] traffi c in total.”

The government has already begun implementing many measures to defend against cyber attacks. For instance, the Air Force has created the Air Force Cyberspace Command, which has led to a reorganization of the Air Force around cyberspace operations. Yet, even as agencies express concern over their security posture and make plans to address it, they are often unsure about the best course of action to defend their Web-based systems. This uncertainty frequently leads government agencies into taking many of the missteps already taken by commercial enterprises trying to defend their assets.

Why Traditional Solutions Fall Short To compensate for the Internet’s security vulnerabilities, public-sector organizations have attempted to bolster their centralized IT infrastructures by adding servers, software, and more bandwidth, while implementing more complex access schemas. However, these efforts solve only a portion of the problem – after all, attacks and vulnerabilities exist on multiple levels and new ones are arising all the time. These approaches also tend to result in a tradeoff between acceptable Web site and application performance and availability versus increased security. Because each Web site is a single point within the vast Internet, the Internet’s architecture (and related issues) is beyond any single entity’s control. The bottom line—it’s impossible for any single site to maintain optimal security without fail.

Consider that a Web application’s DNS (Domain Name Service) is critical in successfully connecting end users to Web applications. But most organizations frequently under-deploy their DNS infrastructure, sometimes relying on just two or three DNS servers. Too often, these servers reside in the same telecommunications network and perhaps even in the same data center. This leaves the organization vulnerable to unplanned downtime during cyber attacks, natural disaster, server failures, power losses, or telecommunications network outages.

Employing a Layered Approach to Security To satisfy their missions, government agencies and military services need to ensure the security and uninterrupted availability of Web-based applications. Any attempt to protect U.S. assets and national interests needs to revolve around the concept of “Defense in Depth.” In short, “Defense in Depth” employs a methodology focused on deploying a series of layered and interlocking defense mechanisms to detect, defl ect, absorb, or otherwise thwart Web application attacks.

The National Security Agency asserts that Defense in Depth includes both “defense in multiple places, [meaning that] an organization needs to deploy protection mechanisms at multiple locations to resist all classes of attacks (e.g., Denial of Service attacks)”6, as well as “layered defenses” that provide multiple boundaries to protect system infrastructure. In short, a robust Defense in Depth strategy goes hand in hand with the realization that there are no “silver bullets” when it comes to protecting Web assets and maintaining overall Information Assurance (IA). The “Defend the Fort” mentality is as obsolete as the Maginot Line—a comprehensive and layered approach must be employed to mitigate security risks.

To ensure uninterrupted operations and control of cyberspace, the government must implement innovative solutions to mitigate security risks.

• Extend and Secure the Web-Based Application Perimeter Agencies should extend their Web infrastructure and control to the edge of the Internet, leveraging best-of-breed commercial managed services to ensure high availability and performance while preventing unauthorized and undesirable access to critical Web assets.

In a “denial of service attack,” a Web site’s IP address is bombarded with traffi c in an attempt to overwhelm the infrastructure managing the site.

The “Defend the Fort” mentality is as obsolete as the Maginot Line – a comprehensive and layered approach must be employed to mitigate security risks.


• Mitigate Web-Based Attacks As Web-based attacks quickly rise in both number and intensity, government entities will suffer signifi cant consequences for not planning appropriately to mitigate these threats. The U.S. government, armed services, and intelligence community need a way to ward off any cyber attack with resiliency, and, in effect, weather “cyber storms.”

• Maintain Situational Awareness of Internet Conditions and Web Application Health Major General William T. Lord asserted, “Mastery of cyberspace is essential to America’s national security. Controlling cyberspace is the prerequisite to effective operations across all strategic and operational domains.”7 The government cannot control and defend against what it cannot see or detect. While cyberspace has been called the “silent battleground”, it is not invisible, and government must take advantage of opportunities to gain awareness of what is happening to Web-based assets on the Internet.

Defense in Depth with Akamai Akamai secures, deploys, operates, and monitors one of the world’s most distributed computing networks—the Akamai EdgePlatform—comprising over 34,000 servers in about 70 countries. This infrastructure is used to support the Web operations and processes for over 2,700 organizations’ Web sites, applications, and IP communications, typically operating at an aggregate rate of between 400-700 Gbps and 3-5 million transactions per second.

Over the course of 10 years, Akamai has evolved its services to keep pace with the evolution of Internet technologies and trends. Originally developed to ensure the speedy and reliable delivery of static content, Akamai has created new services that help government address its 21st-century Web application requirements.

Secure and Extend the Web-Based Application PerimeterGovernment can improve the security, performance, and availability of Web applications by applying a powerful combination of Akamai capabilities. Specifi cally, government can realize signifi cant benefi ts by using the following Akamai services:

• Dynamic Site Accelerator solution with Secure Content Delivery

• Enhanced Domain Name Service

• Akamai Site Shield

• Akamai Site Failover

• Authentication and Authorization

• Dynamic Site Acceleator Solution with Secure Content Delivery The Dynamic Site Accelerator (DSA) service allows government agencies to extend their Web application perimeter to the edge of the Internet to ensure consistently fast performance, increased availability, and instant scalability for dynamic Web applications. The Akamai EdgePlatform bypasses Internet bottlenecks and brings content closer to end-users.

Intelligent routing technology connects each Web site visitor request to an optimal Akamai server. Akamai’s patented DNS-based request routing and load balancing technologies fi nd the best edge server for each request—taking into account traffi c patterns, available bandwidth, network latency, user location, network problems, server load, as well as the content being requested. The addition of Secure Content Delivery allows organizations to deliver HTTPS sites using proven SSL cryptographic technology.


• Enhanced Domain Name Service Akamai’s Enhanced Domain Name Service enables agencies to globally distribute their DNS infrastructure while disabling public Internet access to sensitive internal DNS assets. The solution leverages the Akamai Platform, requires no change to existing DNS administration processes, and provides unparalleled security, reliability, scalability, and performance of DNS resolutions, dependably directing end users to Web assets.

• Site Shield Akamai Site Shield protects the origin site by effectively cloaking its accessible IP space. While downstream Access Control Lists (ACLs) will only allow Site Shield IPs to contact the agency’s origin Web application server, upstream ACLs and associated router confi gurations prevent any other machines on the Internet from masquerading as the Site Shield servers. As a result, no other machine on the Internet has the ability to communicate directly with the origin server.

At the same time, Akamai’s distributed edge servers maintain complete access to the current Web application via the Site Shield regions. If an Akamai server ever needs content that it cannot fi nd at one of its peers it will direct that request to a Site Shield regions to be fulfi lled. That means valid end users will always be able to retrieve content from Akamai servers with maximum performance and reliability while the origin remains protected.

• Site Failover Site Failover frees organizations from the limitations of mirroring by storing and delivering Web site content from a global network of thousands of servers on the Akamai EdgePlatform. As a result, content remains available to requesting users. Site Failover utilizes the network intelligence and data storage capabilities of the Akamai EdgePlatform to provide three failover solutions:

—Failover to edge server

—Failover to alternate data center

—Failover to Akamai NetStorage

The needs of a particular organization and available infrastructure determine which Site Failover option is appropriate. In all three scenarios, however, Akamai automatically detects whether the customer’s origin server is responding to requests, and will detect when it is back online.

• Authentication and Authorization Optionally, organizations can leverage Akamai’s Advanced PKI (Public Key Infrastructure) and OCSP (Online Certifi cate Status Protocol) capabilities to further extend their use of client certifi cates. That means organizations can confi dently use authentication and authorization schemes for their Web applications – without the risk of being overwhelmed by distributed denial of service (DDoS) attacks.

Web-Based Attack MitigationAkamai’s globally distributed network monitors, absorbs, and defl ects constant attacks of varying types and degrees, often without any end-user service degradation. Government organizations can take advantage of Akamai’s abilities to mitigate brute force and targeted attacks, as well as to provide insight into BOT networks.

• Brute Force Web Attack Mitigation Akamai offers capabilities that reduce or eliminate the effects of brute force attacks against an organization’s Web infrastructure. In fact, Akamai is well positioned to mitigate certain DDoS attacks, in part due to the fact that Akamai’s platform is massively distributed on a global scale.


By locking down DNS and HTTP Web infrastructure to only communicate with Akamai servers, organizations are able to shield their Web and application servers from a variety of denial of service and direct exploit attacks—including SYN fl ood attacks against DNS and HTTP web resources, and common worms and viruses that operate via malformed HTTP communications.

Given that the Akamai network serves 15-20% of all Web traffi c today—and has already sustained traffi c spikes exceeding 1,100,000 Mbps—the Akamai platform is well positioned to withstand fi erce DDoS “cyber storms.”

• Akamai Insight for BOT Mitigation BOT networks—that is, networks of distributed computers that have been compromised or deployed for the specifi c purpose of launching and/or controlling cyber attacks—constitute a persistent and growing cyber threat for all Internet users.

In addition to the DDoS protections described above, Akamai recently began implementing a specialized data analysis methodology for certain opt-in customers whose Web applications are being delivered by Akamai. Using information captured by Akamai and a score on the historic activity patterns of the Web entities being analyzed, organizations can determine whether or not incoming visitors may represent a portion of a BOT network or valid users driving a traffi c spike.

• Targeted Web Attack Mitigation Over the last few years, as enterprise network security measures have continued to improve, attackers have adapted and now increasingly focus on the application layer. Sometimes cyber attackers launch targeted attacks specifi cally designed to take advantage of un-patched or known weaknesses in an organization’s Web infrastructure in order to access information, deface a site, or gain control of a Web server. Common examples of such attacks include SQL Injection, HTTP Request Smuggling (sometimes called Request Splitting), Buffer Overfl ow, and Cross Site Scripting (XSS). All of these exploits are common attack vectors being successfully employed by hackers every few seconds.

Akamai’s Web Application Firewall was designed to help mitigate exactly these types of attacks, enabling organizations to detect potential Web application attacks in HTTP traffi c before the request reaches their Web assets. If an anomalous and potentially malicious pattern is detected in HTTP request headers, Akamai can either issue an alert or block the traffi c altogether.

The Akamai Web Application Firewall service provides a highly scalable, outer defensive ring of Web application protection. Even organizations with Web application protections in place can derive signifi cant scalability and protection benefi ts by migrating some of their Web application protection functions to the Akamai platform.

Maintain Situational Awareness of Internet Conditions and Web Application HealthThe Internet is massively distributed and sometimes chaotic. Most organizations have good access to data within their data center, but little insight into what is happening in the network “cloud” beyond their data center walls. Akamai’s global scope and unique position of delivering 15-20% of all Web traffi c combined with its world-class data collection mechanisms allow it to construct an accurate and comprehensive picture of what’s happening on the Internet. This is valuable information that Akamai is able to make available to its customers—enabling them to leverage vast amounts of data to which they would otherwise have no access.

• Internet Intelligence Portal Akamai’s Internet Intelligence Portal leverages this vast quantity of information to provide detailed information on the overall state of the Internet, including backbone health, DNS name server health, and BGP churn.


More fully exploiting Akamai’s Internet data via further customization of the Akamai Internet Intelligence Portal can lead to powerful network intelligence. For example, government agencies might be interested in building-level geo-location in metropolitan regions, new methods to track cyberspace entities of interest, information on proxy user populations and downstream network structure, correlation between DNS infrastructure and its users, geo-location of satellite connections to the country level, or identifi cation of organizational fi ngerprints on the network.

Government agencies can use this information to identify Internet attacks or other unusual activity, and to determine if Web application attacks on their infrastructure represent a specifi c attack against their organization or network, or a general pattern across the Web.

• Web Application Monitoring, Control, and Reporting Akamai also provides organizations the visibility and control that comes with knowing exactly how their extended infrastructure is functioning at all times. A set of infrastructure management, monitoring, and reporting tools help Web application owners optimize their performance and ensure the effectiveness of content and data delivery. These tools offer a Web-based “cyber window” that civilian agencies, the intelligence community, and the armed services can use to view traffi c patterns and geographic dispersions, monitor/troubleshoot origin infrastructure proactively, and confi rm successful delivery of content. A unique real-time alert capability informs organizations when defi ned thresholds have been crossed, indicating that performance and user experience have degraded.

Real-Time Monitoring and Historical Reporting

Real-time monitoring and historical reporting capabilities—delivered through Akamai’s customer portal (Akamai EdgeControl Management Center)—provide data and reports that aid in evaluating and maintaining Web application effectiveness and performance, as well as analyzing Web traffi c patterns. The portal’s historical reporting system obtains information from traffi c logs produced by thousands of Akamai edge servers. These traffi c logs—which are captured, processed, and loaded into the Akamai Network Usage Database throughout the day—record requests and responses for content delivered by the Akamai network. Once the data is loaded, customers can view reports instantly online, or they can schedule them to be automatically e-mailed in the format and at the frequency they defi ne.

MONITOR SITE TRAFFIC LEVELS IN REAL TIME


Alerts Because Akamai delivers all content and applications from the EdgePlatform, the application owner’s origin infrastructure is shielded from the public Internet. However, since the connection between a Web application origin and the EdgePlatform is critical to delivering the latest content, organizations must be aware of any origin issues in order to address them proactively. Akamai monitors origin infrastructure 24x7x365 and, through a real-time alert capability, e-mails or pages system managers whenever customer-defi ned thresholds have been crossed. Alerts are tailored to inform system managers of critical conditions, including:

• Edge bandwidth usage (drops or bursts of traffi c)

• Origin server, connection, or DNS failure

• Incomplete or aborted downloads

• Access denied at origin

• URL not found

• Error codes

• SSL transaction failures

System managers also have access to tools to identify and solve problems quickly so that end users never experience a single instance of failure.

EDGECONTROL MANAGEMENT CENTER ALERTS INTERFACE

Log Delivery The mission-critical Web usage information logged by Akamai servers is delivered in logs using a consolidated and standard industry format. Two fi le formats are supported: Combined Log Format and W3C Extended Log Format.

Site and Visitor Intelligence In addition to the basic reporting and monitoring available with the Dynamic Site Accelerator service, an additional reporting module provides more detailed intelligence. With Site and Visitor Intelligence customers can get timely and accurate answers to the following questions:

• What does the traffi c profi le for my site look like?

• What times of the day does my site see the most traffi c?

• Who are the top visitors to my site based on hits and volume?

• What are the most frequent requested web pages on my site?

• From what locations are end users coming to my site?


Site and Visitor Intelligence provides a powerful site traffi c profi le view by showing periods of dense and light traffi c to the site. The fi gure below shows an example of visitors to the site on an hourly basis. With this view, organizations can make decisions on when to make changes to the site and whether certain events and site activities are resulting in expected application usage profi les.

SITE TRAFFIC PROFILE BASED ON UNIQUE VISITORS

Organizations can obtain details on the top visitors going to a specifi c site hostname based on IP address. This provides insight into whether the site is getting fl ooded with traffi c from a specifi c IP address and if traffi c is coming from the top visitors or is spread across a more diverse user base.

TOP SITE VISITORS BASED ON IP ADDRESS


Akamai customers can access reporting that provides details on the Top URLs being requested, enabling them to understand which URLs are the most frequently requested and which URLs are generating the most traffi c volume (MB).

TOP URLS BASED ON HITS AND TRAFFIC VOLUME

For organizations that want to ensure their target audience is connecting to their site, Site and Visitor Intelligence also provides details on where users are coming from based on country. For the United States, this also includes a breakdown of visitors based on individual state.

END USER TRAFFIC BASED ON GEOGRAPHICAL LOCATION


The Akamai Difference

Akamai Technologies, Inc.U.S. Headquarters

8 Cambridge CenterCambridge, MA 02142Tel 617.444.3000Fax 617.444.3001U.S. toll-free 877.4AKAMAI(877.425.2624)

Akamai Technologies GmbH

Park Village, Betastrasse 10 bD-85774 Unterföhring, GermanyTel +49 89 94006.0

www.akamai.com

©2008 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.

Akamai® provides market-leading managed services for powering rich media, dynamic transactions, and enterprise applications online. Having pioneered the content delivery market one decade ago, Akamai’s services have been adopted by the world’s most recognized brands across diverse industries. The alternative to centralized Web infrastructure, Akamai’s global network of tens of thousands of distributed servers provides the scale, reliability, insight and performance for businesses to succeed online. An S&P 500 and NASDAQ 100 company, Akamai has transformed the Internet into a more viable place to inform, entertain, interact, and collaborate. To experience The Akamai Difference, visit www.akamai.com.

Summary To achieve mission goals and satisfy National Essential Functions, government agencies and the armed services need to take advantage of the Internet and next-generation technologies. But successfully doing so requires an understanding of threats in cyberspace – and a proven strategy to combat them.

Because attacks can emanate from any direction, at any time, with no warning, traditional centralized Web infrastructure is especially vulnerable to security risks propagated via the Internet. When it comes to securing the country’s vital infrastructure, critical missions, valuable assets, and operational capabilities, government needs to move to a Defense in Depth approach that combines layers of security to thwart potential attacks.

Public-sector organizations worldwide choose Akamai because the company’s unique global platform and managed services provide an effective, reliable, integrated, fl exible, and comprehensive set of solutions that allow them to satisfy their goals and consistently deliver mission-critical applications under all conditions.

For more information on Akamai services for public-sector organizations, please visitwww.akamai.com/html/industry/public_sector.html.

1. National Journal’s Technology Daily, America already is in a cyber war, analyst says, November 27, 2007

2. Air and Space Power Journal, Air Force Cyber Command: What It Will Do and Why We Need It, February 20, 2007

3. Enterprise 2.0: CIA’s Secret Intellipedia Has Universal Relevance, InformationWeek, June 10, 2008

4. Cyber Security: A Crisis of Prioritization, President’s Information Technology Advisory Committee, February 2005

5. Contractor Blamed in DHS Data Breaches, WashingtonPost.com, September 24, 2007

6. National Security Agency, Defense in depth: A practical strategy for achieving Information Assurance in today’s highly networked environments, (undated)

7. United States Air Force Cyber Command, Air Force Cyber Command Strategic Vision, March, 3, 2008

cloudy wpcybersecurity

Technology

cyber attack

cyber security

control of cyberspace

web akamais

web application monitoring

government agencies

perimeter of defense

internet report