We previously looked at how you can tune Amazon Web Services DDoS mitigation to protect your EC2 instance. In this article we cover how you can greatly enhance security and achieve high availability on your AWS site using Imperva Incapsula.
For anyone hosting an application(s) on AWS, Incapsula offers an enterprise-grade, cloud-based, application delivery solution. It complements AWS by providing award-winning web application security and DDoS protection.
Our global CDN infrastructure was built specifically to protect cloud resources. Its advanced, simultaneous load balancing lets you maximize your web application performance and availability. Incapsula mitigates DDoS attacks without your or your customers’ cloud services being impacted.
Advanced DDoS Protection
Our cloud-based DDoS protection service uses proprietary technologies to handle attack traffic before it ever reaches your AWS infrastructure. Comprising a global 3 Tbps network, 32 scrubbing centers mitigate the largest DDoS assaults—including SYN flood and DNS amplifications exceeding 100 Gbps. Having the highest level of scalability and resiliency, each dedicated server—dubbed a Behemoth—performs robust, deep packet inspection at the most granular level to identify and block malicious packets. All attributes of every incoming packet are instantly examined with no interruption to user experience.
Incapsula DDoS Protection for AWS automatically detects and mitigates volumetric network and sophisticated application DDoS attacks. Mitigation is applied outside your own network, allowing only filtered traffic to reach your hosts. The process is transparent to your users.
In addition, always-on threat monitoring offers immediate detection of application attacks. Your team can create and instantly propagate custom security measures with IncapRules, an easy-to-use rules engine.
As an AWS customer, you benefit from our many years of experience in mitigating thousands of DDoS attacks. Incapsula ensures that your applications are always secure from massive volumetric attacks and sophisticated application layer attacks.
Here are a few of the many advantages of DDoS Protection for AWS:
- Leverages global network of data centers
- Offers advanced traffic inspection technology and scaling on demand
- Transparently mitigates, with very low false positives (< 0.01%)
- Available as always-on or on-demand service
Web Application Firewall
Incapsula’s cloud-based, PCI-certified web application firewall (WAF) safeguards your hosted applications from costly data breaches and downtime. It secures your application from all hacking attempts—including SQL injection (SQLi), cross-site scripting (XSS), illegal resource access and other OWASP Top 10 threats. Advanced client classification technology blocks bad bots often used in DDoS attacks, scraping and vulnerability scanning.
Incapsula WAF uses a combination of client classification and risk analysis technologies. These inspect traffic within the context of your application and identify potential risks without impacting its functionality. Beneficial bot traffic is distinguished from malicious traffic, and suspicious activity such as comment spam, scraping and vulnerability scanning is immediately blocked. Legitimate bots—such as Google, Facebook and Pingdom—continue to have complete access to your website.
Incapsula WAF for AWS features:
- PCI Level 1 certification (meets requirement 6.6 without needing any changes to your AWS-based applications)
- Proven stress-testing against millions of attacks
- A rules engine (IncapRules) for writing custom security rules tailored to your organization’s security policies
- Shell detection that identifies and blocks attempts to install a new (or operate a pre-existing) backdoor on your site
- Integrated, two-factor authentication that requires no coding or database management, protecting any resource type—login pages, secure web applications and other online assets
- Advanced protection that distinguishes between good and bad bot traffic
- Crowdsourced threat intelligence that boosts security abilities
With Incapsula Infrastructure Protection you can secure all elements of your critical infrastructure, such as web, email or FTP, across entire subnet ranges. During an attack, traffic is rerouted through our scrubbing centers using BGP announcements. Incapsula acts as your ISP in that situation and advertises all protected IP ranges. All incoming traffic is inspected and filtered, and only legitimate traffic is securely forwarded to your enterprise network via GRE tunneling. We previously wrote about how to configure a GRE tunnel for an AWS Ubuntu server.
Customers who don’t have an entire Class C subnet can use IP Protection to secure multiple service types and protocols. As in Infrastructure Protection, you receive a protected IP address from Incapsula and all incoming traffic is subsequently inspected and filtered.
Individual IP address protection is ideal for gaming servers and SaaS applications that have high-traffic, critical non-HTTP assets with low IP counts. It also suits cloud deployments looking for direct-to-IP attack prevention.
How Crowdsourcing Helps
By analyzing incident data from sites under our protection, Incapsula continually refines its security practices and implements new policies. Customers benefit as these are propagated across our entire global network. Our security effectiveness is further enhanced by a combination of machine learning algorithms and the collective know-how of our team of experts.
For more information on how you can protect your AWS instance, check out our resources.
Please leave me a comment if you have any questions on AWS, Incapsula or DDoS protection.