Providing a web application on the Internet can be a risky business. DDOS attacks commonly exceed 40 Gigabits per second, crackers crawl the Internet looking for vulnerabilities, and much more. As a result, the data centre Internet connection is scaled for a worst case scenario and not for customer need. Cloudflare SSL solutions change this model by pushing the risk, traffic load and security into the cloud.
- Enterprises can improve HTTPS website performance while enhancing security and key integrity at a reasonable price.
- Enterprises can prevent oversizing Internet connections and infrastructure and get savings in CapEx and OpEx.
- Enterprises can reduce cost of load balancers by using CDN, offloading SSL & reducing traffic load.
- Cloudflare continues to challenge incumbent CDN vendors with innovative Internet services based on commodity products and open source software.
Stop Oversizing Internet Connections, Save Money
A standard design model for the Internet front end (shown in the following diagram) has 5 functional parts.
Part 1 – DNS Service: It is still common for enterprises to host their own DNS to have full control when making changes to the website.
Part 2 – Internet Connection and DDOS Protection: Many companies are purchasing multiple 10 gigabit services from multiple providers so that there is enough bandwidth to resist DDOS attacks. While DDOS providers are well prepared to mitigate flood attacks, the technology is less able to protect against application level attacks that happen inside the encrypted session. Therefore large Internet pipes remain common.
Part 3 – Firewall: A firewall is sized to the same level as the Internet connection, which results in a high cost for purchase and ongoing maintenance. Firewalls that scale to tens of gigabits cost millions to purchase and hundreds of thousands to maintain every year. Firewalls remain common design practice although they are becoming less useful as load balancers add security features.
Part 4 – Load Balancer: A load balancer has many functions, the most important of which is load balancing client traffic between the Web Servers. SSL Termination and HTTP manipulation are very common functions but add little value to business need, as these functions are increasingly replaced by MVC programming and sharding. In addition, some performance enhancement through protocol optimisation and content enhancements is possible.
Part 5 – Web Servers: And finally, the traffic reaches the web servers, which are scaled to handle the predicted maximum of traffic during an attack.
The outcome of sizing for a security event based on high volumes of web requests is that most infrastructure runs at very low utilisation of between 10% and 30%. The capital and operational costs of these assets may be measured in the millions therefore solutions.
Improving Performance and Security With a CDN
Secure web applications, encrypted with HTTPS, are somewhat resistant to performance enhancement using content delivery networks. A CDN provider must decrypt traffic to cache content, perform traffic analysis for malicious content and other functions.
A company that implements a CloudFlare SSL solution will see major changes to their design. The diagram below shows 3 areas to consider:
Part 1 – CDN Provider: Implementing a CDN like CloudFlare means that the DNS hosting is moved to an infrastructure that can cope with reflection attacks or simple overloading. The CDN uses the DNS to direct customers to its caches on a global basis.
The CDN can provide extensive security and firewall functions. CDN providers build analytics engines and threat response teams that provide more focus and capability than an enterprise team with comparatively limited resources. Many CDN providers offer the equivalent of a Web Application Firewall as part of their services to secure their infrastructure and ensure service delivery.
Part 2 – Internet Connection: The “Front End” Internet connection of the data centre can now be scaled down. A CDN provider is positioned to handle large volumes of traffic, and a website with a steady load of, say, 1Gbps of traffic can design the front end for 5Gbps (compared with 40Gbps previously). Internet connections can be simplified to dual provider for redundant links, and firewalls and load balancers can be scaled to lower cost models while continuing to provide the features that are used today. This should result in savings of more than 50% in the front end.
Part 3 – Web Servers: Now that the CDN is caching large amounts of web traffic, the web servers can also be reduced by more than half, with a further reduction in funding and simpler operation.
Perhaps the best reason is that you can sleep easier at night knowing that you have a 24-hour DDOS and Web Application security system deployed that is run and operated by a company focussed on the task.
SSL Increasing To Dominate Web Traffic
Users are increasingly aware of the security of their data, and the expectation of encryption for web traffic is rising. Google increases the SEO ranking of sites that have HTTPS encryption by default, and this has made webmasters take notice. The demand for SSL is on the rise.
The next generation of the HTTP protocol, HTTP/2, currently plans for TLS encryption to be the default and addresses the underlying design problems of HTTP/1 that have limited SSL performance.
The Keyless SSL Private Key
CloudFlare recently announced a new and innovative process that keeps the private key inside the enterprise's own physical security boundary. Until now, the CDN provider needed the private key to intercept encrypted traffic and went to extreme lengths to maintain private crypto key security and integrity. Certain organisations, such as trading banks, are prevented by law, and others are reluctant, to do this in spite of extensive preparations by CDN companies.
CloudFlare has developed some limited changes to the existing SSL web software that can be securely hosted on premises. You can find full details in this blog post – Keyless SSL: The Nitty Gritty Technical Details – but consider that avoiding key ceremonies, simplified key generation and a single point of operation represent significant cost avoidance and an improved security posture.
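The split described above is easiest to see in code: the CDN edge runs the TLS handshake, but the one step that needs the private key, signing the handshake transcript, is handed to a key server that stays on the customer premises. The Go program below is an added example written for this page, not CloudFlare's code. It models the split with the standard crypto/tls package by giving the edge a crypto.Signer whose Sign method forwards each digest to an in-process stand-in for the key server, then runs a real TLS handshake over net.Pipe and counts how often the key server was consulted. The keyServer and remoteSigner types and the certificate name keyless.example are assumptions of the example; the real service's wire protocol and edge-to-key-server authentication are not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// keyServer stands in for the on-premises Keyless SSL key server (an
// assumption of this example): it is the only component holding the private
// key and exposes nothing but "sign this handshake digest". A real deployment
// reaches it over a mutually authenticated link; here it is in-process.
type keyServer struct {
	priv      *ecdsa.PrivateKey
	signCalls int // signing requests received from the edge
}

func (k *keyServer) signDigest(digest []byte) ([]byte, error) {
	k.signCalls++
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// remoteSigner is what the edge holds instead of the private key. It satisfies
// crypto.Signer, so crypto/tls accepts it as the certificate's PrivateKey, but
// Sign only forwards the digest; no key material exists on the edge.
type remoteSigner struct {
	pub *ecdsa.PublicKey
	ks  *keyServer
}

var _ crypto.Signer = (*remoteSigner)(nil)

func (r *remoteSigner) Public() crypto.PublicKey { return r.pub }

func (r *remoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return r.ks.signDigest(digest)
}

// runKeylessHandshake completes one TLS handshake against an edge that never
// sees the private key. It returns how many times the edge called the key
// server and the certificate CN the client verified.
func runKeylessHandshake() (signCalls int, peerCN string, err error) {
	// Key generation and certificate issuance happen on premises, so the key
	// never leaves the key server. "keyless.example" is a constructed name.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, "", err
	}
	ks := &keyServer{priv: priv}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "keyless.example"},
		DNSNames:              []string{"keyless.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return 0, "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, "", err
	}

	// The edge is provisioned with the public certificate and a signer handle only.
	edge := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: &remoteSigner{pub: &priv.PublicKey, ks: ks}}
	edgeCfg := &tls.Config{
		Certificates:           []tls.Certificate{edge},
		SessionTicketsDisabled: true, // keeps the net.Pipe exchange to the handshake alone
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "keyless.example"}

	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(serverConn, edgeCfg).Handshake() }()

	client := tls.Client(clientConn, clientCfg)
	if err := client.Handshake(); err != nil {
		return 0, "", err
	}
	if err := <-srvErr; err != nil {
		return 0, "", err
	}
	return ks.signCalls, client.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	calls, cn, err := runKeylessHandshake()
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("handshake with %s completed; edge asked the key server to sign %d time(s)\n", cn, calls)
}
```

The point to notice is that edgeCfg carries only the certificate and a signer handle, so a compromised edge yields no key material to copy. The edge can still ask for signatures while it is compromised, which is why the real design authenticates the edge to the key server and why a request count like signCalls is worth logging on the key server side.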
CloudFlare Business Model
Cloudflare is a plucky but mature startup that is coming up with big security features that compete strongly with the CDN offerings of more traditional vendors like Akamai, Edgecast and others. Today it offers some free SSL services to smaller websites, and prices for its other services are much lower than competitors'.
The Keyless SSL feature is a significant advance that enables large organisations to use a CDN and reduce spending on physical infrastructure. It might be time to check out CDN providers again to see if they can improve the user experience through improved performance, increase security and also save money. You don’t hear that every day.
Other Posts in This Series
- Analysis: CloudFlare Keyless SSL Scales Down Internet Connections (13th March 2015)
- Analysis: Marriot Court Case Highlights the Problems of WiFi Services (12th March 2015)
- Analysis: Example of WAN Orchestration (25th February 2015)