Hacking attempts can come out of nowhere, and once you get hacked, it can take days or weeks to clean up the mess (or you can get in trouble if a hacker is using your server to do malicious stuff). A CDN (Content Delivery Network) is a cloud-based service that is extremely easy to set up, affordable, and can block hackers, speed up your website, and significantly reduce the amount of spam you’re getting. In fact, we see no reason why any website owner should not be on one. Find out what a CDN can do for you, and how you can speed up your website and reduce spam and hack attempts today.
A CDN Can Make Your Site Faster and More Secure
A Content Delivery Network works by filtering out bad traffic (spam, hacking attempts, etc.) before it reaches your hosting server. Because the majority of traffic to any given site is usually some form of commenting or spam bot (i.e. not a human), this can significantly lower your hosting bill. Additionally, CDN services typically host several servers globally (in the “cloud”), which means your site will load faster in other countries. A CDN also caches your content, which means fewer resources are used during each page load, so your website loads faster and your users have a better experience (i.e. they are less likely to leave your website because of a slow-loading page).
Here at We Rock Your Web we have found a significant reduction in spam comments, and page speed tests have shown our pages load significantly faster around the world. Finally, our hosting bandwidth costs have decreased, and our server is able to handle a larger traffic load. We compared two of the top CDN providers, Incapsula and CloudFlare, and ended up choosing the former to host our websites because of its stronger security performance.
What Makes Incapsula a Secure CDN?
Philip Tibom is a 23-year-old security expert and white hat (on the good side of hacking) hacker from Sweden. He wrote a 22-page report on CDN security and came to the conclusion that Incapsula is a far more secure CDN than CloudFlare. If you’re interested in reading the full report, you can access it here [PDF]. I’m going to provide a summary.
Philip tested both products for a period of 6 months. His security review addresses the key security features of a CDN:
- Protection against bad bots
- A WAF (Web Application Firewall)
- DDoS Protection
What about pricing? Both services offer different pricing packages depending on the scale of your website and your specific needs. In his comparison, Philip used the Pro package from CloudFlare ($20/month) and the Business package from Incapsula ($59/month). We found that Incapsula’s higher price is justified by the increase in security.
Here’s what’s included in our summary report:
- DNS Changes
- SQL Injection Protection
- XSS (Cross Site Scripting) Protection
- Remote File Inclusion Protection
- OWASP Top 10 Vulnerabilities
- Control Panel
- Spam Bot/Bad Bot Protection
- PCI Compliance
- DDoS Protection
- Backdoor Protection
- 2-Factor Authentication
The first thing you do when signing up for a CDN service is point your DNS records at it. With CloudFlare you change your nameservers entirely; with Incapsula you merely update the DNS records. The benefit of CloudFlare’s approach is that its DNS is powered by 23 data centers globally. That means an attacker would have to take down all 23 data centers before your site goes down, a difficult task (without the CDN, your site typically has only 1-5 nameservers, in most cases 2). With Incapsula, you don’t get this added security benefit.
There’s a vulnerability present in both services: an attacker can still attack your website directly (bypassing the CDN) if they know your origin IP address. The key is to set up a firewall on your web server and block all connections except those from your CDN. If you’re on a shared server and don’t have access to a firewall, or if you have some sites on the CDN and some not, you can set up site-specific blocking (i.e. only allow CDN IP addresses through) in your .htaccess file; both services provide a ready-made .htaccess file that you can use or integrate with your existing one.
The next thing you need to do is actually prevent attackers from finding your IP address. CloudFlare provides a big vulnerability because it creates public DNS records that link directly to your IP address. If you choose CloudFlare, make sure you delete the direct.example.com record that is set up. Incapsula doesn’t suffer from this vulnerability.
Finally, an attacker can also discover your IP address via your MX records (email records). For this reason, it’s recommended to either not use email or host your email on a different server than your website. For security purposes, it’s a bad idea to have your website and email on the same server. There are other records, such as ftp.example.com and cpanel.example.com, that you may need to look into as well. Basically, do a simple DNS lookup on your site and see if you are able to find your IP address. If not, you should be good to go.
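As an added example (not from the article, Philip’s report or either vendor), the Python below combines the two defensive steps just described: auditing a DNS snapshot for records that still expose the origin address, and generating the Apache 2.4 .htaccess allowlist that lets only CDN ranges reach the origin. The CDN ranges, hostnames and addresses are constructed placeholders; substitute the ranges your CDN publishes and your own resolver output.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed placeholder CDN ranges (documentation prefixes, NOT any real
# provider's published list); replace with the ranges your CDN publishes.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed DNS snapshot: hostname -> resolved addresses (A records, or the
# A record of an MX target). Gather this with your resolver of choice.
DNS_SNAPSHOT: Dict[str, List[str]] = {
    "example.com": ["192.0.2.10"],          # proxied through the CDN: fine
    "www.example.com": ["192.0.2.11"],      # fine
    "direct.example.com": ["203.0.113.5"],  # leftover record pointing at the origin
    "ftp.example.com": ["203.0.113.5"],     # origin exposed
    "mail.example.com": ["203.0.113.5"],    # MX target on the same box as the site
}
ORIGIN_IPS: Set[str] = {"203.0.113.5"}


def behind_cdn(addr: str, ranges: Iterable = CDN_RANGES) -> bool:
    """True when addr lies inside one of the CDN's address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def find_origin_leaks(snapshot: Dict[str, List[str]],
                      origin_ips: Set[str]) -> Dict[str, List[str]]:
    """Records that resolve to the origin, or to anything outside the CDN."""
    leaks: Dict[str, List[str]] = {}
    for name, addrs in snapshot.items():
        exposed = [a for a in addrs if a in origin_ips or not behind_cdn(a)]
        if exposed:
            leaks[name] = exposed
    return leaks


def htaccess_allowlist(ranges: Iterable = CDN_RANGES) -> str:
    """Apache 2.4 .htaccess directives that let only CDN ranges reach the origin."""
    body = [f"    Require ip {net}" for net in ranges]
    return "\n".join(["<RequireAny>", *body, "</RequireAny>"])


def origin_accepts(client_ip: str, ranges: Iterable = CDN_RANGES) -> bool:
    """The decision the allowlist above makes for a direct hit from client_ip."""
    return behind_cdn(client_ip, ranges)


if __name__ == "__main__":
    for host, addrs in find_origin_leaks(DNS_SNAPSHOT, ORIGIN_IPS).items():
        print(f"LEAK {host} -> {', '.join(addrs)}")
    print(htaccess_allowlist())
```

Every hostname the audit reports needs to be removed, re-pointed through the CDN, or moved to a different server before the allowlist is of much use, since a leaked origin address is exactly what the allowlist is there to defend against.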
Philip performed 30 different real SQL injections against vulnerable web applications (typically blog or CMS platforms such as WordPress, Joomla, Drupal, etc.). Here’s a video illustrating the approach:
Incapsula successfully protected against all 30 SQL injection attempts. In the few cases where there were false positives (legitimate website access attempts that Incapsula thought were SQL injection attempts), a screen is shown that explains what is happening so the visitor can contact the website owner and ask for their IP to be whitelisted; the website owner also receives an email, an optional feature that can be disabled.
CloudFlare only blocked 1 out of the 30 SQL injection attempts. Even worse, it simply presents the user with a CAPTCHA; once that is solved correctly, the SQL injection attempt can proceed.
XSS attacks can be more dangerous than SQL injection attacks, as they can infect your site with viruses, steal your authentication data (cookies), log keystrokes, and more. Philip tested 15 different random XSS attacks.
Incapsula protected against 12 of the 15 attacks, and after seeing Philip’s review, they immediately put measures in place to block the rest.
CloudFlare did not protect against any of the attacks.
Neither CDN service protected against remote file inclusion (RFI), which is a reminder that you can’t rely solely on the CDN firewall to protect you: you should also have secure code, and if you’re running a CMS such as WordPress, Drupal, or Joomla, keep your website and modules up to date! The good news is that most hosting providers already protect against remote file inclusion. We should add that Incapsula does map and protect against known RFI vulnerabilities; for example, the TimThumb vulnerability, which is one of the most prevalent RFI attacks out there, is blocked by Incapsula.
The OWASP (Open Web Application Security Project) publishes a list of top 10 security vulnerabilities that affect web applications. Incapsula protects against all the vulnerabilities that are under its control (3 out of the 10), while CloudFlare only managed to protect against 1 out of the 10 (out of a possible 3 under its control). The ones out of CDN control must be taken care of at the website (code) or hosting server level. View the report for details on each of the vulnerabilities.
Both Incapsula and CloudFlare offer great options for setting up a secure SSL connection. SSL is important for encrypting and securing data (such as login credentials) as they get passed to and from your website.
CloudFlare offers a control panel with simple block/allow reporting that doesn’t offer any further useful information. Incapsula not only gives more detailed information on each hacking attempt, it allows you to act on it, such as white listing an IP address for a false positive.
CloudFlare does a good job of preventing spam, but it also triggers quite a few false positives at random, requiring legitimate users to fill out CAPTCHAs they shouldn’t have to. Its bot reports are fairly straightforward. Incapsula offers more detail, and its system is almost flawless: not one spam bot got through, and there wasn’t a single false positive (for Philip, that is; we’ve had Incapsula installed for a while now and have come across several false positives, but nothing that couldn’t be resolved by simply whitelisting the IP addresses).
PCI compliance is met by proving that your server protects sensitive financial information, such as credit card data. Can a CDN help with this? Yes. Does CloudFlare offer this capability? No. Does Incapsula? Yes. Here is their PCI certificate of compliance.
You have probably heard in the news of DDoS (Distributed Denial of Service) attacks on high-profile websites, such as those of banks, by the formidable hacking group Anonymous. A DDoS attack basically tries to flood a server with so much traffic that it is ultimately overwhelmed and goes offline. Because of the extensive resources it takes to absorb a DDoS attack, neither CDN service offers this protection on anything but the most expensive plan (the enterprise packages).
However, both services automatically protect against smaller DDoS attacks due to the nature of how they are structured. Since both services host your website from multiple servers, an attacker would have to take them all down to take your website down everywhere.
Incapsula’s new Backdoor Protection capability allows it to counter backdoor shells (a backdoor is a security hole that a hacker can exploit to gain remote access to your website, allowing them to deface your site, steal sensitive or confidential data, infect your visitors’ PCs with viruses, and more).
How does Incapsula protect against backdoor attacks? It combines common HTTP signature detection methods with live on-execution request monitoring, which enhances basic signature detection and discovers backdoors by tracing suspicious requests. This enables Incapsula to detect new and previously unidentified shells as well. Upon detection, Incapsula isolates the backdoor shell and notifies the admin, who receives a secure preview link along with a direct path to the quarantined file, which they can then permanently remove. The same settings that apply to other Incapsula security features can be applied to the new backdoor shell detection: you can choose from “Alert,” “Quarantine,” and “Ignore” (obviously, we recommend against the last option).
Backdoor Protection was officially released on Wednesday, January 30, 2013. While in Beta, it is available for free to all Incapsula customers.
Backdoor Protection Slideshow
Here’s a slideshow highlighting Incapsula’s new backdoor shell protection feature.
Incapsula has implemented a new, free protection feature called Login Protect that lets all its users add 2-factor authentication (only recognized devices can log in to your sites). You can deploy the new 2FA feature on any URL (or URL group) to protect admin logins, staging areas, internal web applications, etc. Unlike other 2FA services, Login Protect’s integration requires no coding, database modification or additional hardware (i.e. security keys). Watch the video below to learn more.
2-Factor Authentication Video
The hands-down winner in terms of security is Incapsula. CloudFlare has some other great features, and a CDN is not only about security, but security is probably its most important use. Both offer free trials.
What About Other CDN Providers?
As time allows and more players enter the industry, we’ll add other services to this review, such as Amazon’s CloudFront. For the time being, Incapsula is the CDN to beat when it comes to security.
Share Your Experience
Did you like this article? Let us know and leave any questions or comments you may have in the comment section below.