How can edge security for government and enterprise help you strengthen your company's "immunity"?

In the process of digitization, government and enterprises face many online challenges. On the one hand, business must be open online and services must be stable, smooth and reliable; on the other, security and compliance must be ensured. This places very high demands on business developers and operators. On January 6, at the Alibaba Cloud CDN annual product upgrade conference, Alibaba Cloud CDN product expert Peng Fei gave a detailed interpretation of the Alibaba Cloud CDN government and enterprise security acceleration solution.

In the digital transformation of enterprises, common challenges include the following situations: in emergencies, government websites and applications face high concurrent access, resulting in a poor access experience; if the content of authoritative media is tampered with through malicious attacks, negative public opinion follows; malicious acts such as hotlinking and piracy lead to the leakage of high-quality video content; the financial industry has strict compliance requirements, and the high availability of origin and node services is very important; DDoS and web application attacks affect business and enterprise assessments, and the access experience for large-scale transactions and cross-border visits urgently needs to be guaranteed; traditional enterprises' internal OA, ERP, mailbox, meeting and other office collaboration software has a poor access experience, which affects work efficiency; external online business data is crawled, or web intrusion leads to corporate data leakage; and so on. These are all situations that government and enterprise developers and operators need to avoid.

In this scenario, the common challenges of government and enterprise applications fall into three areas. The first is guaranteeing the Internet access experience: public access across regions and networks (operators) causes access delays and failures, and because the outbound bandwidth of the origin site is fixed and limited, a good access experience cannot be guaranteed under sudden bursts of access. The second is effectively avoiding the risk of Internet attacks: network attacks such as DDoS/CC interrupt government Internet services, and attacks against web applications threaten the security of the origin site's applications and data. The third is that, during content distribution or on the user's terminal, data content is easily hijacked and tampered with if technical guarantees such as content consistency verification and HTTPS transmission encryption are missing, causing bad effects.

To help the government and enterprise industries meet these challenges, Alibaba Cloud released the government and enterprise security acceleration solution. The solution is a one-stop service of distribution acceleration plus edge security, jointly created by the Alibaba Cloud CDN team and the cloud security team. It addresses the security and acceleration performance of content distribution for government, finance, media, and traditional enterprises, and safeguards their business on the cloud. Customers can log in to the official Alibaba Cloud website, search for "government and enterprise security acceleration", go to the solution page for details, and leave questions there for a free consultation with an Alibaba Cloud architect.

The solution is based on the strong content distribution capabilities that Alibaba Cloud CDN has accumulated over many years. At the security level, it builds a complete edge security system from capabilities in six aspects: WAF application layer security, DDoS protection for network layer security, content tamper-proofing, full-link HTTPS transmission, high-availability security, and security compliance.

First of all, the entire solution is built on a stable, extremely fast, intelligent and secure whole-site acceleration network. At present, Alibaba Cloud's 2800+ nodes cover six continents and more than 70 countries, with 130Tbps of bandwidth reserves, and accelerate more than 1.5 million domain names every day.

On this basis, in response to the mixed dynamic and static content of many enterprises, Alibaba Cloud's whole-site acceleration provides users with multi-dimensional value-added capabilities. It supports custom separation of dynamic and static content. For dynamic content it uses intelligent routing, transmission protocol optimization, compressed transmission, and real-time network quality detection; for static content it uses multi-level edge caching and back-to-origin requests over the same operator. This ensures that the user's overall access quality is optimized: distribution efficiency is increased by 30%, and the speed-up is obvious.

Secondly, security protection is built on top of whole-site acceleration, and mainly includes the following dimensions:

1. Defend against web attacks at the edge

The CDN node integrates the WAF (Web Application Firewall) function, which can resist common OWASP threats, resist CC attacks, manage machine traffic, reduce the load on the origin site, and effectively protect the security of the origin site's web application system. For example, retail companies now provide users with online mall services and generally deploy corresponding WAF protection at the origin site. Once the content crosses that boundary, however, network security protection is in many cases very hard to control. The CDN is a network segment closer to the user end, so blocking the corresponding attacks at the CDN edge provides a good protection effect.

Several major features of the CDN WAF include: real-time updates for high-risk Web 0-day vulnerabilities, with virtual patch protection provided within 24 hours; effective prevention of SQL injection, cross-site scripting (XSS) and other common Web attacks; support for user-defined protection rules to guard against business risks and resist CC attacks; and machine traffic management, which reduces the impact of crawlers and automated tools on website business and reduces crawler traffic by 40%.

2. DDoS attack protection to ensure the reliability of website services

At the network layer, enterprises mostly face DDoS or CC attacks, which pose great risks to business stability. For example, financial companies often require CDNs to provide corresponding CC protection services. Because the CDN is itself a reverse proxy service, users' origin sites can be effectively protected under this service mechanism, and edge nodes can block attacks.

CDN nodes can now better identify the characteristics of network attacks and immediately block traffic to designated non-service ports, such as ports other than 80 and 443. At the same time, based on the intelligent and accurate detection of CDN nodes, once attack traffic is found and exceeds the basic protection threshold, it can be automatically scheduled to high-defense nodes for traffic cleaning. When the attack stops, the traffic is automatically scheduled back to the CDN service nodes. Overall, the solution can provide DDoS protection above 1Tbps to ensure the safety of customer business.

3. Multi-dimensional content tamper-proofing across the transmission link

Broadcasting and television media companies are very concerned about content consistency: the content must not be tampered with at the origin site, in the CDN, or on the client. The solution provides multi-dimensional, full-link content tamper-proofing for this type of demand. First, it can provide customers with exclusive nodes to ensure the isolation of resources. Second, full-link secure transmission using Chinese national cryptographic algorithms is carried out within the CDN, between the CDN and the origin site, and between the CDN and the client. In addition, content consistency verification based on the national cryptographic algorithms ensures that the content is tamper-proof.

4. Easy-to-implement IPv6 conversion service to quickly meet compliance requirements

At present, from the perspectives of both regulation and industry development, it is imperative to make websites compatible with IPv6. The CDN can fully support IPv6 access both downstream and upstream of the CDN edge node, and can follow the client's protocol: when the client request is IPv6, the back-to-origin request also gives priority to IPv6. An IPv4 origin site can achieve IPv6 address conversion without any modification, so the conversion is easy to implement and quickly meets industry regulatory requirements. At the same time, IPv6 nodes are fully covered to meet the access needs of operators in various regions, and the performance experience is better than that of IPv6 address translation services built on a single node.

In summary, the Alibaba Cloud government and enterprise security acceleration solution seamlessly integrates the dual capabilities of acceleration and security. The core security capabilities cover six aspects: WAF application layer security, DDoS network layer security, content tamper-proofing, full-link HTTPS transmission, high-availability security, and security compliance. Going beyond acceleration alone, the solution also forms a more complete enterprise-level CDN experience through serverless edge programmability, DevOps configuration management capabilities, and integration of the CDN with Alibaba Cloud products (DATAV, SLS, OSS).

Case interpretation

Before one official website carried out its HTTPS and IPv6 compliance reform, much of this was unsupported: it offered only IPv4 and HTTP services, which means that there may be compliance problems. At the same time, modifying the website itself would be relatively costly. By using the CDN acceleration service, this official website could go live quickly through the CDN's convenient integration and avoid a technical transformation of the origin site, while supporting IPv4 HTTP, IPv4 HTTPS, IPv6 HTTP, and IPv6 HTTPS in one stop to ensure compliance and security.

For the official website, the improvement in user access experience is also very obvious. The left side of the figure below shows the origin site without CDN acceleration using a single node to serve access requests from across the country. The access experience in most regions is poor, and in many places the slowest response time is about 15 seconds, which is close to the single-veto indicator that triggers "site unavailability". The right side of the figure below shows the same origin site using CDN acceleration: over the same period, the access experience improved significantly across the country, the slowest and average response times were significantly shortened, and service availability improved.

 


This article is the original content of Alibaba Cloud and may not be reproduced without permission.
