How Incapsula Works With Your CDN | Imperva

How Incapsula Works With Your CDN

If you’re looking for a CDN with security features but already enjoy the use of another CDN, Incapsula content delivery network (CDN) offers complete website security to protect your web assets. Many organizations use more than one CDN. For example, LinkedIn uses three CDNs, whereas eBay uses two. Providing redundancy, load balancing, site acceleration, protection against data leakage—and now increased APAC coverage—Incapsula CDN can be deployed along with your existing service.

Incapsula CDN is a globally distributed system of data centers that uses intelligent caching and cache control options. In addition, content and network optimization tools help make your website and web application run faster than ever before.

When used correctly, a multi-CDN strategy provides great advantages to content owners, including the ability to better control quality, prevent overage charges, ensure bandwidth commitments are met, and permitting a selection process for delivery using additional requirements.

Dan Rayburn, StreamingMedia.com

There are three Incapsula CDN deployment options:

  • Parallel to your CDN – Best suited for sites that already use a CDN for performance and need security services
  • In front of your CDN – Best suited for websites requiring full security coverage for all traffic at the edge, as well as for your other CDN service
  • Behind your CDN – Best suited for deployments where you do not want to modify your existing CDN setup, but still require an added security layer (e.g., for stopping application DDoS attacks)

A parallel configuration positioning Incapsula side-by-side to your CDN

In this deployment, your static content that requires caching and poses a minimal security risk may be routed through your non-Incapsula CDN. Meanwhile, dynamic content—more likely to be a potential attack target—can be routed through Incapsula for security and acceleration.

Your website traffic is separated by assigning different subdomains to the two traffic types. This is achieved by adding a dedicated static subdomain for such resources and pointing it to your original CDN. All other subdomains are pointed to Incapsula.

With this configuration you get the full benefits of Incapsula DDoS mitigation and web security services while maintaining all of the performance characteristics of your existing CDN. While there is no integration between the two CDNs, application code changes may be required.

A tiered configuration placing Incapsula in front of your CDN

By pointing all domains to Incapsula and configuring the other CDN addresses as the origin servers, Incapsula can work as a first tier in front of your other CDN, handling all website traffic. This option is best suited for sites that require site traffic security coverage across the board.

Requiring minimal integration between the two CDNs, this configuration is dependent on services provided by your original CDN.

A tiered configuration placing Incapsula behind your CDN

Incapsula can work as a second tier behind your original CDN, covering traffic forwarded from it toward your origin servers. This deployment lets you get the most out of your original CDN service when you don’t want to modify its setup but still need an added security layer.

CDNs often modify incoming traffic before forwarding it to origin servers. Meanwhile, Incapsula security features rely on connection, session, request structure and client attributes in order to accurately detect and stop attacks. Therefore, to maintain full security integrity, this deployment requires integration from the Incapsula side.

For all deployments Incapsula provides an integration module that includes:

  • True client IP extraction – Extracts the true client IP from headers added by your other CDN
  • Best-effort client classification – CDNs may change some traffic attributes, causing minimal degradation in client classification performance. Incapsula overcomes such challenges, specifically for high-profile clients such as browsers and crucial services (Google, Bing and others)
  • Traffic origin validation – Makes sure that only traffic originating from the other CDN is handled in order to prevent abuse

This deployment is achieved by pointing your domains to your other CDN and configuring the Incapsula CNAME as your origin servers.
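The true client IP extraction and traffic origin validation steps listed above depend on each other: a forwarding header is only trustworthy when the connection really comes from the front CDN. The sketch below is an added example, not Incapsula's code; the `X-Forwarded-For` header name, the function names and the address ranges (constructed values from documentation address space) are assumptions.

```python
import ipaddress

# Constructed sample ranges standing in for the front CDN's published
# edge networks (assumption: the CDN publishes such a list).
FRONT_CDN_RANGES = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:cd::/48")]


def is_front_cdn(ip):
    """True if the address belongs to one of the front CDN's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FRONT_CDN_RANGES)


def true_client_ip(peer_ip, headers):
    """Return the client IP to use for security decisions, or None to reject.

    peer_ip is the address of the TCP peer; headers is the request's
    header mapping as received by the second tier.
    """
    # Traffic origin validation: anything that did not arrive through the
    # front CDN bypassed it, so its headers are attacker-controlled.
    if not is_front_cdn(peer_ip):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",")
            if h.strip()]
    # Walk right to left: the right-most entries were appended by the CDN,
    # while entries further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_front_cdn(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed entry from a trusted peer: fail closed
    return None  # header missing or containing only CDN addresses


if __name__ == "__main__":
    # Constructed requests: a forged left-most entry, then a direct hit
    # on the second tier that never passed through the front CDN.
    forged = {"X-Forwarded-For": "10.0.0.1, 198.51.100.7, 203.0.113.20"}
    print(true_client_ip("203.0.113.10", forged))
    print(true_client_ip("192.0.2.50", {"X-Forwarded-For": "198.51.100.7"}))
```

Returning `None` for a missing or malformed header is a fail-closed choice made for this example; a deployment could instead log the request and fall back to the peer address.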

Let me know if you have questions about Incapsula CDN and how to deploy it for your organization by writing in a comment.