CDN security issues like #CloudBleed show that overlay networks make tradeoffs between performance and security. A Content Delivery Network (CDN) is like ball bearings for the Internet. Without edge caches to speed up the load times of pictures and other static content, the gears of the Internet would grind to a halt.
“Think of CloudBleed as sitting down at a restaurant and in addition to being handed a menu, you’re also handed the contents of the previous diner’s wallet.”
A CDN is a type of overlay network that moves website content closer to the end user to get better performance. Common services offered by Internet overlay networks include CDN services like edge caching, SSL offloading and edge routing. Overlay network providers include Cloudflare, Akamai and Teridion.
Internet overlay networks allow web site providers to leverage third party infrastructure to improve performance and security. Rather than building regional data centers, a web site provider can “rent” overlay network infrastructure at a fraction of the cost.
This document describes potential security concerns for overlay networks and CDNs, along with alternatives for reducing vulnerabilities while still improving performance.
CDN Security And Overlay Networks
There are three key architectural issues that web and mobile application providers should consider when assessing security issues for overlay networks:
- Stateful vs Stateless Overlay Networks: The type of edge service performed by the overlay network is important. Some examples are caching, routing, and SSL offload. Storing sensitive content across many edge nodes raises security risks.
- SSL key required vs Keyless Overlay Networks: Requiring SSL keys can provide better performance. The cost is new security vulnerabilities. This is particularly true if content is being cached within edge nodes.
- Shared vs Shared Nothing Overlay Networks: Shared infrastructure means other people’s problems can become your problem. Isolation can reduce this risk.
Stateful Vs Stateless Overlay Networks
Most CDNs cache content at many geographically distributed locations. In contrast, some overlay networks are “stateless”, with no sensitive content stored in the edge nodes. Caching static and publicly available content in a CDN carries very low risk. For example, public images, videos and fonts are commonly and safely cached in CDNs.
To avoid storing sensitive content at the edge, there are two types of stateless overlay networks:
- SSL offload: an edge node can handle the SSL handshake with the end user on behalf of the origin server. This can greatly decrease the overhead of supporting an SSL connection. The cost is that it requires the origin web site to share its SSL keys.
- Edge routing: an edge node can handle TCP termination and optimize routing back to the origin server. This can improve performance without requiring SSL certificates.
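As an added example (not code from the original post or from Teridion), the following Python audit applies the stateful-vs-stateless distinction above to HTTP response headers: responses an origin marks `private` or `no-store` stay off a shared edge cache, per-user responses that lack such a marking are flagged as the ones an edge cache would expose. The sample headers are constructed, not captured from any real site.

```python
# Classify HTTP responses by the risk of letting a CDN edge node store them,
# using only the response headers that the origin web site controls.
from typing import Dict, Tuple

# Content types that are normally public, static and safe to cache at the edge.
STATIC_TYPES = ("image/", "font/", "text/css", "application/javascript", "video/")


def cache_directives(cache_control: str) -> set:
    """Parse 'private, max-age=0, no-store' into {'private', 'max-age', 'no-store'}."""
    return {p.strip().split("=", 1)[0].lower() for p in cache_control.split(",") if p.strip()}


def edge_cache_risk(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (risk, reason) for storing this response on a shared CDN edge node."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = cache_directives(h.get("cache-control", ""))
    ctype = h.get("content-type", "").lower()
    vary = h.get("vary", "").lower()
    if directives & {"no-store", "private"}:
        return "low", "origin forbids shared caching (private/no-store)"
    if "set-cookie" in h or "cookie" in vary or "authorization" in vary:
        return "high", "per-user response without private/no-store; an edge cache could serve it to other users"
    if ctype.startswith(STATIC_TYPES):
        return "low", "public static asset"
    return "medium", "dynamic content with no explicit caching policy; edge behaviour is vendor-defined"


# Constructed sample responses (hypothetical, not from any real site).
SAMPLES = {
    "logo": {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"},
    "account_page": {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "session=abc; HttpOnly"},
    "api_profile": {"Content-Type": "application/json", "Cache-Control": "private, no-store"},
    "landing_page": {"Content-Type": "text/html"},
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its edge-cache risk level."""
    return {name: edge_cache_risk(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        risk, reason = edge_cache_risk(hdrs)
        print(f"{name:13s} {risk:6s} {reason}")
```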
SSL Key Required Vs Keyless Overlay Networks
An overlay network can perform an SSL handshake with end users through an edge node. This requires the origin web site’s SSL certificate and private key. Although traffic between the end user and the edge node is encrypted, content within the cache is generally not. This makes these caches attractive targets for attackers.
Overlay networks that can accelerate traffic without requiring SSL keys reduce security risks for web and mobile app providers. Cloudflare is one of the leaders in promoting keyless SSL as a more secure overlay network architecture.
CDN Security And “Shared Everything” Overlay Networks
Overlay network vendors typically make significant investments in security infrastructure. Yet their very size and success make them attractive targets. In short, CDN Points of Presence (POPs) increase the attack surface available to potential attackers. This risk to web sites grows even more when they share SSL keys with an overlay network provider.
The benefit of a CDN is to limit network congestion when serving static content. However, the security risk is that any user with root-like permissions on a CDN server can read and replace that content. This in turn requires CDN customers to trust the security of every CDN POP.
In addition, having many web sites share the same network infrastructure creates further cloud security challenges. For example, Cloudflare operates a large, shared infrastructure. Only about 3,000 of Cloudflare’s web sites had the malformed HTML tags that triggered the bug. Even so, because those sites shared infrastructure with everyone else, the resulting bug leaked private data from over 7 million web sites.
A different approach is for overlay networks to operate separate and isolated virtual networks on a per customer basis. In some cases, segregation can be on a per URL basis. This “shared nothing” approach helps ensure that even if one virtual network is compromised, other networks will not be affected. With isolation between customers, a bug like CloudBleed poses a far lower risk.
Towards More Secure Overlay Networks
While CDNs will undoubtedly remain popular for caching static files, CDN security is a concern with more sensitive or dynamic content. The following table summarizes how different overlay networks compare for managing highly secure content.
| Overlay Network Security Requirement | Edge Routing | SSL Offload | Edge Caching |
| --- | --- | --- | --- |
| Stateless – no data cached at edge | Yes | Yes | No |
| Dynamic – accelerates all content | Yes | Yes | No |
| Keyless – no SSL key required | Yes | No | No |
| Isolated – no shared infrastructure | Yes | No | No |
One example of an overlay network that works based on edge routing is Teridion. The Teridion solution is focused on accelerating both dynamic and static content across the internet without compromising security. In the world of SaaS, accelerating dynamic content is crucial to customer retention. The following chart shows the elements of the Teridion solution.
Thousands of Teridion sensors are deployed globally in the world’s leading public cloud providers. These collect real-time Internet performance and reachability data that feed Teridion’s multi-cloud orchestrator. The orchestrator uses these insights to construct and optimize a dynamically generated, per-customer Internet overlay network, called a Virtual Backbone Network. Virtual routers are automatically instantiated wherever needed to deliver the best performing route between the SaaS application and the user. Teridion’s innovation is the power of the orchestrator to automatically provision, modify and move routers predictively, ahead of ramping congestion or increases in demand, ensuring the best performance between the end user and the SaaS or web application.
For more information on Teridion:
- Download our architectural whitepaper
- Inform yourself with our customer case studies
- Request a free trial – it’s really easy and quick to set up
In summary, the CloudBleed bug has raised awareness of the potential CDN security issues associated with distributing content and SSL keys. Web and mobile application providers should look at a variety of factors to determine the optimal overlay network solution that meets their requirements.
“This is the tiniest compromise of Cloudflare. A moderate compromise of Cloudflare could be an internet-threatening incident.” – Ryan Lackey, former Cloudflare employee