Inside the Incapsula Cloud Security Platform
Co-founder of cloud security content delivery network explains what makes his platform work.
The modern threat landscape makes it very difficult for an enterprise to have all the expertise, skills and bandwidth required to defend against all forms of attack. That's where emerging cloud-based content delivery networks (CDN) that are focused on security could help.
One of the emerging vendors in the space is Incapsula, which has its roots in security vendor Imperva. In an interview with eSecurity Planet, Incapsula co-founder Marc Gaffan explained how his company's service works and why the cloud is the key to modern security.
Gaffan said the company is a subsidiary of Imperva, its sole investor. Incapsula has no data centers, but instead has global agreements with Equinix, Level 3 and other providers that have locations across the U.S., Middle East and Asia.
In terms of aggregate bandwidth and capacity, Gaffan said his company has deployments in 15 global centers today. Those data centers deliver over 300 Gigabits per second of network capacity.
One of the key reason why some organizations consider a CDN is to help defend against Distributed Denial of Service (DDoS) attacks. The largest DDoS yet recorded was reported in March of this year and it came in at 120 Gbps. In that attack, security cloud CDN vendor CloudFlare was able to sustain service even in the face of the packet onslaught.
In the 120 Gbps attack, the attacker leveraged something known as a DNS reflection attack, which amplified the number of inbound connections.
"You do need a lot of capacity to defend against a large DDoS," Gaffan said.
The way Incapsula works is the administrator of a website will redirect their DNS to Incapsula. Incapula then accelerates and protects the site. One of the key technologies that Incapsula uses for defense is its own web application firewall (WAF). Gaffan said his company's WAF is home-grown and built with expertise from parent company Imperva.
"We took that WAF know-how and built a WAF from the ground up in a way that can leverage the capabilities of the cloud," Gaffan said. "Building WAF as a service is very different then simply deploying an appliance in a data center."
As a cloud service, the Incapsula WAF can protect tens of thousands of sites at a time, and all those sites can benefit from shared intelligence. Attack patterns can be more easily correlated than an on-site deployment, which can translate into quicker mitigations.
When routing traffic to a third party service of any type, latency is always a concern. It's a concern that Gaffan stressed his company is very sensitive to and has taken steps to minimize.
"We build proxy, caching and optimization technology to mitigate for any potential additional latency," Gaffan said.
Incapsula as a service essentially operates as a reverse proxy, and the company has its own DNS infrastructure. Gaffan said Incapsula uses anycast and DNS-based load balancing.
"We have DNS infrastructure that will point you to the address of the closest data center to the user," Gaffan said.
The actual user site DNS information is not hosted by Incapsula, however.
"We are not an authoritative DNS provider, so we don't host the zone file," Gaffan said. "From our perspective, there is no access for an attacker to poison our DNS."
That said, Incapsula does rely on the authoritative DNS provider that the user's site is already using.
The market for cloud-based security services is now a robust one, with multiple entrants such as CloudFlare and Akamai, among others. Gaffan isn't too worried about the competition.
"If there is no competition, then you're not in the right place," Gaffan said. "From a DNA perspective, we're really a security company, that's where we focus."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.