Ads 468x60px

12 de febrero de 2018

Amazon CloudFront

There are companies who would like to deliver their information such as web pages, video, documents, audio, etc to the greatest number of user as possible into a high resilience architecture thus content delivery networks are increasingly important for these companies. Today, thanks to cloud service providers and content delivery networks, users can watch streaming videos or listen live music easily and without disruptions from anywhere and, meanwhile, companies can pay as they go to the cloud where cloud providers charge based on usage.

A Content Delivery Network or CDN is a network of computers hosted in different regions around the world which store a copy of data that can be delivered to users based mainly on proximity. For instance, if we were a spanish company who deliver video in EMEA and LATAM, we could upload our video to the CDN to be delivered quickly to end users based on geography. We shouldn’t confuse CDN with Global Server Load Balancing (GSLB) because GSLB provides load balancing between data centers thus load balancing our services, while CDN is based on GSLB architecture.

AWS Regions

There are many companies who offer CDN services like Amazon, Akamai or Cloudflare. All of them have data centers available on five continents to deliver content quickly. For instance, Amazon has more than 11 data centers where we can create our virtual Data Center with AWS Elastic Load Balancing for high availability, we can protect our services with AWS Shield & AWS WAF, and we can also accelerate our web applications with Amazon CloudFront. On the other hand, Cloudflare is well known by his powerful network which is able to reach high throughputs and protect our services against DDoS attacks. However, Akamai has always been, from my point of view, a content delivery provider.

High Availability and Scalability Architecture

Amazon CloudFront is a global content delivery network integrated with AWS services which help us to deliver highly available and scalable applications with high performance and it’s also able to secure content at the edge. In addition, it’s cost effective because we pay only for the data transfer and requests used to deliver content to our customers. Amazon CloudFront is easy to use and deploy from AWS Management Console, where we have to choose the viewer protocol policy and allowed HTTP methods as well as caching and encryption configuration. What’s more, distribution settings like price class, security protection and HTTP/2 support can be chosen as well as logging and IPv6 compatibility.

Amazon CloudFront Distribution Settings

As IT engineers, when we have to design high available, scalable and reliable architectures, we have to take into account many things. First, we have to design our services thinking about failures thus we should design avoiding single point of failures. Multiple servers with a load balancer help us to meet this requirement. Second, one data center may not be enough thus we’ll need multiple data centers balanced with GSLB in different regions and databases should also be replicated and synchronized. Finally, monitoring is a must for dynamic scalability. Many requests, more servers. Few requests, less servers. On the other hand, we can use content delivery network services like Amazon CloudFront, Akamai or Cloudflare to deliver our web pages, video or audio easily without thinking about networking or load balancing.

What are you thinking about? Are your services highly scalable and available?

5 de febrero de 2018

AWS Shield & AWS WAF

I’ve already written about AWS Key Management Service and AWS Security Best Practices as well as how to create your virtual Data Center into AWS Cloud with firewalls, load balancers, WAF, etc. I’ve also written about Web Application Vulnerabilities and Web Application Firewall (WAF). Therefore, I want to write today about AWS WAF & AWS Shield, which are useful to protect our Web Services and WebSockets.

There are increasingly types of threats. They are increasingly sophisticated. They are increasingly difficult to detect with traditional security tools like network layer firewalls. Instead, we should deploy and install advanced security tools like SIEM and WAF to detect and protect our services of DDoS Attacks, application attacks and bad bots like HTTP floods attacks, Amplification DDoS Attacks, Social Engineering Attacks, application exploits, crawlers, Web Scraping Attacks, etc. Most of them are advanced attacks difficult to detect by traditional firewalls.

Types of Threats
AWS Shield is useful if we’re hosting services into AWS Cloud and we want DDoS protection without infrastructure changes. In addition, AWS Shield also minimizes impact on application latency and we can customize protections for our applications as well. There are two types of AWS Shield into AWS Cloud. The Standard Protection which is available to all AWS customers at no additional cost for protecting our services from most common attacks like SYN/UDP floods, reflection attacks, etc. The Advanced Protection where we pay for additional protections, features and benefits like protecting against large DDoS attacks as well as cost protection to absorb DDoS scaling cost. Therefore, if we want DDoS protection for our applications, we should read, study and test AWS Shield to know which one suit into our requirements.

AWS Shield Dashboard
I’ve already written about Web Application Firewalls (WAF), and AWS WAF is one of them where we can filter web traffic with custom rules, we can block malicious requests and we can also monitor and tune our web applications. AWS WAF is able to block HTTP floods attacks, SQLi attacks, XSS attacks, scanners and probes, bots and scrapers, brute force attacks as well as it’s able to check against IP reputation lists, blacklists and whitelists. In addition, we can configure AWS WAF to import rulesets of commercial signatures to detect general and known exploits.

Fortinet Managed Rules for AWS WAF - General and Known Exploits
We can configure AWS WAF easily and automatically thanks to AWS CloudFormation Templates. On the other hand, If we can also configure AWS WAF manually. Conditions like XSS, SQLi or IPs addresses are assigned to rules, then rules are applied to Web ACLs to protect our web applications. AWS WAF can protect web applications deployed with AWS CloudFront as well as deployed with AWS ELB. It’s important to highlight we’ll pay for rules and Web ACLs created into the AWS WAF.

Common Attack Protection SQLi Rule for AWS WAF
It’s up to you what you need and how much you can afford. AWS Shield with Advanced Protection along with AWS WAF with Managed Rules through AWS CloudFront is one of the best security solution but, maybe, it’s too expensive and too much protection for your web applications. This is the real cloud, we’ll pay as we go.

Regards my friends.
Related Posts Plugin for WordPress, Blogger...

Entradas populares