Evolving the CDN / WAF Stack

A decade ago we built our first CDN/WAF solution. It was built from a need to keep websites from getting reinfected.

At the time, our company was focused on identifying and remediating hacked websites. What we learned in the process is that it really doesn't matter what you tell a website owner, they will rarely deploy the controls you recommend and the end result will be their website getting hacked again.

We set out to solve this problem by building our first Web Application Firewall (WAF). We quickly realized, however, that security that didn't account for performance wasn't going to work. No one will sacrifice speed for security (fun fact: almost everyone will sacrifice security for speed). This led to our initial design, built on top of a single Anycast network.

What we learned is that while our initial design was effective for some, it introduced limitations when it came to large-scale attacks and really limited what we could do when things went down. This translated to limited functionality for partners and platforms that were trying to serve thousands of properties at one time.

With NOC, we wanted to do things a bit differently: tackle the performance and security problem, but focus on flexibility when it's needed most, during an attack.

Architectures Matter

A fallacy that exists in the world of CDNs is that the only effective CDN is one that provides hundreds of points of presence. In reality, this is only really important to a very small percentage of website owners (think single-digit percentages).

Another fun fact is that if you're on a Free plan you're not actually getting the coverage you think you are: think single-digit presence in place of hundreds. You also have the issue of freshness when you have so many points of presence. Architecturally speaking, you actually get a stacked topology, which means that caching doesn't always happen at the edge. You'll have edge servers that ensure optimal connection times, but requests then bounce back to cache servers at a different (stacked) tier, which then respond.

At NOC, we built the platform with one single position in mind: not everyone needs a global CDN. This means we don't believe in hundreds of points of presence, and in our architecture we cache right at the edge. Because of this design we can provide speeds comparable to, and in some cases better than, those of the incumbents.

We did this by changing the way we think about the problem.

The NOC Network Topology

To solve our problem, we turned to the Domain Name System (DNS), specifically the Authoritative DNS (AuthDNS). There we focused on tapping into all its hidden potential, allowing us to expose features that are rarely leveraged and enhance them to provide the control, security and performance we know organizations demand.

We placed our focus on AuthDNS first, released its potential and leveraged our knowledge of Anycast networks to build an Anycast AuthDNS network as the foundation of our stack (not as common as you might think).

This allowed us to decouple the routing responsibility from the CDN in our original design. It also allowed us to introduce advanced routing control that is rarely found in CDNs, providing organizations better resilience, availability and business continuity.

The NOC Network

With this new design, the AuthDNS focuses on optimizing every request according to its location and the most optimized route. It's then married to a secondary layer that runs both the CDN / WAF services in a geographically aligned location.

The beauty of the design is that you get the failover and high availability of an Anycast network, with the routing power of Authoritative DNS (AuthDNS).

The NOC Stack

The ingenuity of the network topology is only one piece of the differentiation. The second comes in how we leverage the three core services together.

Our design allows us to keep our security focus while enhancing the performance aspect. This translates to a more performant and secure website.

The NOC High-Level System Design

Our WAF / CDN / AuthDNS work in unison to provide a comprehensive protection layer across all Layer 3 / 4 / 7 attacks.

Our proprietary approach to security uses an updated deny-all approach and is specifically designed for open-source Content Management Systems (CMS). It also allows us to virtually patch and harden environments at our edge, removing the need for an organization to worry about it at their origin. This coupled with our understanding of networks allows us to offer comparable, and in some instances superior, performance to some of the largest providers in the market.

Building the stack does introduce some limitations, one of which is that you must either a) host your Authoritative DNS with us, or b) use an Authoritative DNS provider that allows alias records at the zone apex.
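Why the apex requirement exists, as an added example that is not NOC's code: the zone apex always owns SOA and NS records, and RFC 1034 forbids a CNAME at a name that owns any other data, so a CDN hostname can only be reached from the apex through a provider-side ALIAS/ANAME record (or by hosting AuthDNS with the CDN, which can publish A/AAAA directly). The zone below is constructed and its hostnames are placeholders.

```python
from collections import defaultdict

# Constructed sample zone; hostnames are placeholders, not real NOC endpoints.
ZONE_TEXT = """
$ORIGIN example.com.
@    IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
@    IN NS    ns1.example.com.
@    IN NS    ns2.example.com.
@    IN CNAME edge.cdn-provider.example.   ; what a CNAME-only provider would force
www  IN CNAME edge.cdn-provider.example.
"""

def parse_zone(text):
    """Map each owner name to its record types. Assumes 'owner IN TYPE rdata'
    lines with a leading $ORIGIN (no TTL column), which is all the check needs."""
    origin = None
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _cls, rtype = line.split()[:3]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records[owner].append(rtype.upper())
    return origin, records

def cname_conflicts(text):
    """Owners that carry a CNAME alongside other data (RFC 1034 forbids this).
    The apex always owns SOA and NS, so an apex CNAME is always listed here."""
    _, records = parse_zone(text)
    return sorted(o for o, t in records.items() if "CNAME" in t and len(set(t)) > 1)

def apex_status(text):
    """How the apex is pointed at the CDN: 'cname-invalid', 'alias', 'address'
    (A/AAAA, e.g. when AuthDNS is hosted with the CDN provider) or 'unpointed'."""
    origin, records = parse_zone(text)
    apex = set(records[origin])
    if "CNAME" in apex:
        return "cname-invalid"
    if apex & {"ALIAS", "ANAME"}:   # provider-side flattening record types
        return "alias"
    if apex & {"A", "AAAA"}:
        return "address"
    return "unpointed"
```

Swapping the apex CNAME for an ALIAS record in the sample zone clears the conflict; the www CNAME is fine because that name owns nothing else.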

Why Try the NOC Platform

Switching a provider is always tough. Here are a couple of reasons why it's worth giving NOC a try:

Security: We guarantee that your current Free provider does not offer you security. With the NOC platform, we start at $1 / domain, and that includes speed and security. Security includes DDoS mitigation and protection against vulnerability exploitation.
Performance: While our network size is a fraction of existing platforms (currently at 50 POPs), our architecture innovation translates to comparable speeds. This means you don't lose your current performance in key markets.
Innovation: This platform is designed to help network administrators respond more effectively to outages and attacks through advanced routing and self-healing features. If you're running complex deployments you'll enjoy the new flexibility, things like optimizing routing to your origin based on geographic location, or smart routing based on users.

If you have any questions, or would like to learn more, send us an email at support@noc.org.

Posted in cdn by Tony Perez (@perezbox)
