Network-accessible sites and providers of online services and content are often subjected to malicious attacks. These attacks attempt to compromise the confidentiality, integrity, and availability of the site, service, or content. Attacks can be conducted in any number of ways; structured query language (SQL) injection, server-side scripting, and application-layer or distributed denial of service (DDoS) are just a few examples of attack methodologies.
Firewalls have proven to be effective defenses against many such attacks. A firewall can be a hardware- or software-based security solution. The firewall can be configured with white-lists, black-lists, rules, and policies that distinguish potentially malicious data traffic from acceptable data traffic. The firewall can also be configured to restrict detected malicious data traffic from entering or exiting a network, or to provide alerts that notify an administrator of an attack.
However, many sites and service providers now offload the delivery of their content and services to a distributed platform, such as a content delivery network (CDN). FIG. 1 presents an exemplary distributed platform architecture operating as a CDN. The CDN operates edge servers at different points-of-presence (PoPs) 110 that are often located at different edges of the Internet or other large network infrastructure. The PoPs 110 are geographically separated from one another. Customers, including network site operators, content providers, and service providers, interface with the CDN in order to specify configurations for the content and services they want to offload to the CDN for delivery. The CDN passes the customer configurations to the PoP 110 servers. In response, the PoP 110 servers obtain the customer content and services and deliver that content and those services on behalf of the customers to users in an optimized manner. Specifically, the servers of each PoP 110 optimally serve the customer content and services to the set of users that are geographically proximate to that PoP 110. Each PoP 110 further provides redundancy to accommodate demand spikes and failover to provide continuous service in the event of equipment or network failure.
In terms of protecting and insulating customers from malicious attacks, the CDN (i.e., distributed platform) faces many challenges. The first challenge is that an attack can be launched against any customer at any of the PoPs 110. Firewall protection is therefore needed at each of the PoPs 110. The second challenge is that each PoP 110 simultaneously hosts and serves content and services of several different customers. A one-size-fits-all firewall solution applying the same white-lists, black-lists, rules, and policies for all customers is impractical and sub-optimal for customers. Different customers will offer different content and services from the same PoPs 110. Typically, these customers will have differing requirements as to what is acceptable data that should be allowed through the CDN firewall and what is potentially malicious data that should be restricted at the CDN firewall. Moreover, different customers may want to handle malicious data differently.
Accordingly, there is a need for a distributed platform web application firewall that insulates customer content and services from malicious attacks at each distributed platform PoP. There is further a need for each PoP to simultaneously support multiple firewall instances with each firewall instance providing different protections for different distributed platform customers. In other words, there is a need to allow each distributed platform customer the ability to configure its own protections and have the distributed platform enforce the protections configured by each customer independently. There is further a need to allow customers to test new protections without compromising existing protections that they have already configured.
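The per-customer enforcement model described above, as an added illustration that is not part of the original disclosure: one PoP keeps a separate protection profile per customer, selects the profile by the request's Host header, enforces only that customer's live profile (with the customer's own choice of block or alert), and evaluates any staged profile in audit mode so new rules can be tried without affecting existing protections. The hostnames, address ranges, rules and requests are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Profile:
    allow: list = field(default_factory=list)   # CIDRs that skip rule evaluation
    block: list = field(default_factory=list)   # CIDRs that are always refused
    rules: list = field(default_factory=list)   # (rule_id, compiled regex over the request)
    action: str = "block"                       # customer's choice on a rule hit: block or alert
    audit_only: bool = False                    # staged profile: report hits, never enforce

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(profile, ip, request):
    """Return (decision, rule_id) for one request under one customer's profile."""
    decision, rule_id = "allow", None
    if _in_any(ip, profile.block):
        decision, rule_id = "block", "blocklist"
    elif not _in_any(ip, profile.allow):
        for rid, pattern in profile.rules:
            if pattern.search(request):
                decision, rule_id = profile.action, rid
                break
    if profile.audit_only and decision != "allow":
        decision = "alert"  # staged protections only report, so live traffic is unaffected
    return decision, rule_id

# Constructed tenant table keyed by Host header (hostnames and rules are hypothetical).
SQLI_UNION = re.compile(r"(?i)union\s+select")
TENANTS = {
    "shop.example": {
        "live": Profile(allow=["203.0.113.0/24"], block=["198.51.100.0/24"],
                        rules=[("sqli-1", SQLI_UNION)], action="block"),
        "staged": Profile(rules=[("sqli-2", re.compile(r"(?i)'\s*or\s+1=1"))], audit_only=True),
    },
    "news.example": {"live": Profile(rules=[("sqli-1", SQLI_UNION)], action="alert")},
}

def handle(host, ip, request):
    """Enforce only the tenant's live profile; collect audit hits from its staged profiles."""
    tenant = TENANTS.get(host)
    if tenant is None:
        return "block", "unknown-host", []
    decision, rule_id = evaluate(tenant["live"], ip, request)
    audit_hits = [r for name, prof in tenant.items() if name != "live"
                  for d, r in [evaluate(prof, ip, request)] if d == "alert"]
    return decision, rule_id, audit_hits
```

Audit hits are returned alongside the live decision so they can be logged and reviewed before a customer promotes a staged rule into its live profile.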