Method and system for protecting web sites from public internet threats
First Claim
1. A method operative in a content delivery network (CDN) having a set of content servers organized into regions and that provide content delivery on behalf of participating content providers, wherein a given content provider operates an origin server, comprising:
shielding the given content provider's origin server from Internet Protocol (IP) traffic routable over the public Internet; and
delivering content published at the given content provider's origin server from a CDN region.
1 Assignment
0 Petitions
Abstract
The present invention addresses the known vulnerabilities of Web site infrastructure by making an origin server substantially inaccessible via Internet Protocol traffic. In particular, according to a preferred embodiment, the origin server is “shielded” from the publicly-routable IP address space. Preferably, only given machines (acting as clients) can access the origin server, and then only under restricted, secure circumstances. In a preferred embodiment, these clients are the servers located in a “parent” region of a content delivery network (CDN) tiered distribution hierarchy. The invention implements an origin server shield that protects a site against security breaches and the high cost of Web site downtime by ensuring that the only traffic sent to an enterprise's origin infrastructure preferably originates from CDN servers. The inventive “shielding” technique protects a site's Web servers (as well as backend infrastructure, such as application servers, databases, and mail servers) from unauthorized intrusion, improving site uptime and, in the process, customer loyalty.
Citations
14 Claims
1. A method operative in a content delivery network (CDN) having a set of content servers organized into regions and that provide content delivery on behalf of participating content providers, wherein a given content provider operates an origin server, comprising:
shielding the given content provider's origin server from Internet Protocol (IP) traffic routable over the public Internet; and
delivering content published at the given content provider's origin server from a CDN region.
Dependent claims: 2, 3, 4, 5, 6, 7
8. In a Web site comprising an origin server, a firewall and router connectable to the publicly-routable Internet, the improvement comprising:
apparatus associated with a private IP address space and being positioned upstream of the firewall and downstream of the router for shielding the origin server from Internet Protocol (IP) traffic routable over the public Internet; and
a security mechanism comprising (a) a first access control implemented in the firewall for restricting access to the origin server except via the private IP address space, and (b) a second access control implemented in the router for restricting IP spoofing for addresses within the private IP address space.
Dependent claims: 9, 10, 11
12. A method of protecting a Web site from attack, the Web site comprising an origin server, a firewall and router connectable to the publicly-routable Internet, comprising:
restricting access to the origin server except from a private IP address space located between the firewall and the router; and
serving content published at the origin server from a content delivery network.
Dependent claims: 13, 14
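The shield described in the abstract and the two access controls of claim 8, modelled in Python as an added example; this is not code from the patent or from any implementer it describes. The topology (Internet, then router, then a private shield address space, then firewall, then origin server), the RFC 5737 sample addresses, the interface names, the sample packets and the iptables rendering are all assumptions made for the illustration. The point the model makes is why claim 8 pairs the firewall rule with the router's anti-spoofing rule: a firewall ACL that keys on source address alone is satisfied by a forged source inside the private space, so the spoofing check has to sit upstream of the firewall.

```python
"""Model of the two access controls in claim 8 of the origin-shield patent.

Added example, not the patent's own code. All addresses, interface names and
the topology are constructed for illustration:
    Internet -> router -> private shield address space -> firewall -> origin
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, illustrative addressing (assumptions, not from the patent).
ORIGIN = ip_address("10.20.0.10")             # the content provider's origin server
SHIELD_SPACE = (ip_network("10.20.0.0/24"),)  # private space between router and firewall
PUBLIC_IF = "eth0"                            # router interface facing the public Internet
SHIELD_IF = "eth1"                            # router interface facing the shield space


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen by the router
    dst: str      # destination IP
    ingress: str  # router interface the packet arrived on


def in_shield_space(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in SHIELD_SPACE)


def router_antispoof(pkt: Packet) -> bool:
    """Second access control, claim 8(b): the router discards any packet that
    arrives on the Internet-facing interface yet claims a source inside the
    private shield space. Returns True if the packet may continue."""
    return not (pkt.ingress == PUBLIC_IF and in_shield_space(pkt.src))


def firewall_allows(pkt: Packet) -> bool:
    """First access control, claim 8(a): the firewall accepts traffic to the
    origin only from the private shield space (the CDN-facing machines the
    abstract describes as the origin's only permitted clients). Traffic to
    other destinations is outside this policy and is left alone."""
    if ip_address(pkt.dst) != ORIGIN:
        return True
    return in_shield_space(pkt.src)


def firewall_only_reaches(pkt: Packet) -> bool:
    """The weak design: a firewall ACL that trusts source addresses, with no
    anti-spoofing upstream. A forged source inside the shield space passes."""
    return firewall_allows(pkt)


def origin_reaches(pkt: Packet) -> bool:
    """The claimed design: both controls in series. The router's anti-spoof
    check runs first because the router sits upstream of the firewall."""
    return router_antispoof(pkt) and firewall_allows(pkt)


def render_iptables(chain: str = "FORWARD") -> list[str]:
    """Express the same two controls as Linux iptables rules (assumes one
    Linux box acting as both router and firewall; other platforms differ)."""
    rules = []
    for net in SHIELD_SPACE:
        # 8(b): drop shield-space sources arriving from the Internet side.
        rules.append(f"iptables -A {chain} -i {PUBLIC_IF} -s {net} -j DROP")
        # 8(a): admit origin-bound traffic only from the shield space ...
        rules.append(f"iptables -A {chain} -d {ORIGIN} -s {net} -j ACCEPT")
    # ... and refuse every other source.
    rules.append(f"iptables -A {chain} -d {ORIGIN} -j DROP")
    return rules


# Constructed sample traffic.
SAMPLE = {
    "cdn_client": Packet("10.20.0.5", str(ORIGIN), SHIELD_IF),       # legitimate shield-space client
    "spoofed_client": Packet("10.20.0.5", str(ORIGIN), PUBLIC_IF),   # forged shield-space source from the Internet
    "public_client": Packet("203.0.113.7", str(ORIGIN), PUBLIC_IF),  # Internet host hitting the origin directly
}


def evaluate(samples: dict[str, Packet] = SAMPLE) -> dict[str, dict[str, bool]]:
    """Verdict for each sample under the firewall-only and the shielded policy."""
    return {
        name: {
            "firewall_only": firewall_only_reaches(pkt),
            "shielded": origin_reaches(pkt),
        }
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:15} firewall-only={result['firewall_only']!s:5} shielded={result['shielded']}")
    print("\n".join(render_iptables()))
```

Running the module prints the verdict for each sample packet under both policies, followed by the equivalent iptables rules; `spoofed_client` is the case that separates the two, reaching the origin under the firewall-only policy and being discarded at the router under the shielded one.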
Specification