Keeping TLS Secure
© AKAMAI - EDGE 2016
Keeping TLS Secure
● How do we ensure that the Akamai Secure CDN serves the content you intended?
○ Akamai techniques and technology
○ Customer best practices
Refresher: Akamai Network Architecture
● Lots of distributed servers
● Fastest path is not always most-direct path
● Protect TLS content throughout the network
Secure CDN as Three Zones (plus one)
● Edge: Akamai servers that end-user clients connect to
● “Midgress”: Akamai servers talking to other Akamai servers
● “At rest”: cached content on an Akamai server
● Origin connection: Akamai servers talking to your servers
[Diagram: the four zones, Edge, Midgress, At rest, Origin]
Protecting content on the Origin connection
● Prevent man-in-the-middle attacks
○ For privacy - keep customer information confidential
○ For integrity - actually serve your content
● What should you do?
○ Secure with TLS (actually we make you)
○ Keep TLS versions and ciphers up-to-date
○ Validate origin certificates
Origin certificate validation
● Origin certificate is customer-managed
○ Plan for rotation - and rotate!
○ Configure Akamai appropriately
● Simplest case - commercial certificate
○ Use Akamai trust store (similar to browser store)
● Tighter security - certificate pinning
○ Please don’t pin the origin (“leaf”) certificate! Pin the root, or an intermediate
○ More effort for customer
● Special case - Third-party trust store
○ Especially Amazon Web Services
○ Akamai updates trust store when third-party rotates
Protecting content at rest
● Still a lot of HTTP traffic on the network
○ HTTP and HTTPS share the same URLs
○ HTTP is vulnerable to man-in-the-middle attacks
Separating HTTP and HTTPS
● Cache partitioning
○ “secure cache” vs “non-secure cache”
○ Happens before customer configuration
● Maintained throughout the network
○ Midgress connections keep secure content separate from non-secure
[Diagram: cache holding http://www.example.com/common.jsp and https://www.example.com/common.jsp]
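To make the cache-partitioning point concrete, an added Go example that is not Akamai's code: a toy caching proxy with two key schemes, one keyed on host+path and one that also keys on the URL scheme. The origin fetch is constructed so that the plaintext HTTP fetch returns a body altered in transit, the exposure the previous slide names; the example returns what an HTTPS client is then served from each cache.

```go
package main

import "fmt"

// keyFunc builds the lookup key for a cached object. sharedKey uses host+path
// only, so an http:// and an https:// request for the same URL hit one entry;
// partitionedKey prepends the scheme, which is the "secure cache" versus
// "non-secure cache" split the slide describes.
type keyFunc func(scheme, host, path string) string

func sharedKey(_, host, path string) string           { return host + path }
func partitionedKey(scheme, host, path string) string { return scheme + "://" + host + path }

// proxyCache is a minimal caching proxy: on a miss it fetches from the origin
// over the requesting scheme and stores the body under the configured key.
type proxyCache struct {
	key   keyFunc
	store map[string]string
	fetch func(scheme, host, path string) string
}

func (p *proxyCache) get(scheme, host, path string) string {
	k := p.key(scheme, host, path)
	if body, ok := p.store[k]; ok {
		return body
	}
	body := p.fetch(scheme, host, path)
	p.store[k] = body
	return body
}

// scenario models the exposure the slides name: the plaintext HTTP fetch of
// /common.jsp comes back altered in transit (constructed here as "tampered"),
// the TLS fetch returns "genuine". A plain request fills each cache first, then
// an HTTPS request for the same URL arrives; the bodies served to that HTTPS
// client by the shared cache and by the partitioned cache are returned.
func scenario() (sharedServes, partitionedServes string) {
	origin := func(scheme, host, path string) string {
		if scheme == "http" {
			return "tampered" // no TLS on this hop, so an on-path change goes unnoticed
		}
		return "genuine"
	}
	shared := &proxyCache{key: sharedKey, store: map[string]string{}, fetch: origin}
	parted := &proxyCache{key: partitionedKey, store: map[string]string{}, fetch: origin}
	const host, path = "www.example.com", "/common.jsp"
	shared.get("http", host, path)
	parted.get("http", host, path)
	return shared.get("https", host, path), parted.get("https", host, path)
}

func main() {
	s, p := scenario()
	fmt.Printf("shared cache serves the HTTPS client: %q\n", s)
	fmt.Printf("partitioned cache serves the HTTPS client: %q\n", p)
}
```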
Protecting content through “Midgress”
● Prevent man-in-the-middle attacks
○ For privacy - keep customer information confidential
○ For integrity - actually serve your content
● Similar to origin connection, but multi-tenant and greater scale
○ Under Akamai control (mostly)
Midgress content protection
● Identity certificates
○ Identify server in network and role
○ Only released to authentic Akamai server, at startup time
● TLS connection with mutual authentication
○ Maintain current TLS version and ciphers
○ Parent (server) validates client certificate
○ Child (client) validates server certificate
● Multiple policies applied
○ Apply geographic restrictions
○ Defend against server impersonation
● Content separation
○ Secure content separate from non-secure
Protecting content at the Edge
● Customer-specific configuration
● Protecting certificate private keys
● Elliptic Curve Cryptography is here
Independent per-customer configuration
● Concept of a “slot”
○ Certificate + customer-specific, certificate-specific configuration
○ Many thousands of “slots” on Secure CDN
● Certificate management
○ Automatic rotation, with customer notification at each stage
○ Let’s Encrypt (DV): hands-free renewals
○ Symantec (OV, EV), Geotrust (OV): supported renewals
○ Third-party (any type)
● Connection configuration
○ TLS version, ciphers, other fine details
■ Use up-to-date Cipher Profiles
○ Mutual authentication (with help)
Isolated Software Security Module (ISSM)
● Who remembers Heartbleed?
○ Widespread 2014 OpenSSL vulnerability
○ Allowed attacker to read sections of web server memory
○ Potentially exposed SSL certificate private keys
● ISSM
○ A separate system that holds private key information
○ Removes private keys from the attack surface
○ Layer of protection against the next buffer over-read bug
ECDSA certificates are here
● Elliptic Curve Digital Signature Algorithm
○ Delivers equivalent protection from much smaller public keys (160-bit ECDSA public key similar to 1024-bit DSA public key)
○ But, not ubiquitously supported yet
● Compatible ECDSA deployment
○ Each Secure CDN slot will combine an ECDSA and an RSA certificate
○ Proxy server offers the correct certificate, based on each request
● Limitations
○ Currently available for Symantec-brand certificates
○ Default-on for new certificate enrollments
○ Watch out for certificate pinning
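An added Go example, not Akamai's implementation, of the per-request certificate choice described above: a slot holding an ECDSA and an RSA certificate, with a callback of the tls.Config.GetCertificate shape that serves the ECDSA certificate only when the ClientHello advertises an ECDSA signature scheme and falls back to RSA otherwise. The hostname and both ClientHellos are constructed; a client that pinned the RSA leaf would see a different certificate once it advertises ECDSA, which is the pinning caveat in the last bullet.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned wraps a key in a throwaway self-signed cert for the constructed hostname.
func selfSigned(key crypto.Signer) *tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// slot mirrors the slides' "slot": one hostname carrying two certificates,
// ECDSA for clients that can use it and RSA for everyone else.
type slot struct {
	ecCert, rsaCert *tls.Certificate
}

// clientAcceptsECDSA inspects the signature_algorithms the client sent in its
// ClientHello; an ECDSA P-256 certificate needs ecdsa_secp256r1_sha256 there.
// (hello.SupportsCertificate in the standard library is the fuller check.)
func clientAcceptsECDSA(hello *tls.ClientHelloInfo) bool {
	for _, s := range hello.SignatureSchemes {
		if s == tls.ECDSAWithP256AndSHA256 {
			return true
		}
	}
	return false
}

// pick has the tls.Config.GetCertificate signature, so a server installs it
// with cfg.GetCertificate = s.pick and the choice is made on every handshake.
func (s *slot) pick(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if s.ecCert != nil && clientAcceptsECDSA(hello) {
		return s.ecCert, nil
	}
	if s.rsaCert != nil {
		return s.rsaCert, nil
	}
	return nil, errors.New("no certificate this client can use")
}

// keyType names the key algorithm of the certificate pick chose, "" on error.
func keyType(s *slot, hello *tls.ClientHelloInfo) string {
	c, err := s.pick(hello)
	if err != nil {
		return ""
	}
	switch c.PrivateKey.(type) {
	case *ecdsa.PrivateKey:
		return "ECDSA"
	case *rsa.PrivateKey:
		return "RSA"
	}
	return "other"
}

// newSlot generates a fresh ECDSA P-256 key and RSA-2048 key, each self-signed.
func newSlot() *slot {
	ek, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rk, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &slot{ecCert: selfSigned(ek), rsaCert: selfSigned(rk)}
}

// Two constructed ClientHellos: a modern client that offers an ECDSA scheme and
// a legacy client that only offers RSA PKCS#1 schemes.
var modernHello = &tls.ClientHelloInfo{ServerName: "www.example.com",
	SignatureSchemes: []tls.SignatureScheme{tls.ECDSAWithP256AndSHA256, tls.PSSWithSHA256}}
var legacyHello = &tls.ClientHelloInfo{ServerName: "www.example.com",
	SignatureSchemes: []tls.SignatureScheme{tls.PKCS1WithSHA256, tls.PKCS1WithSHA1}}

func main() {
	s := newSlot()
	fmt.Println("modern client is served:", keyType(s, modernHello))
	fmt.Println("legacy client is served:", keyType(s, legacyHello))
}
```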
Any questions?
Customer takeaways:
● Manage your origin TLS configuration
● Please don’t pin leaf certificates (Origin or Edge)
○ On the Edge: use Change Management, maybe disable ECDSA