International Defense Security & Technology Your trusted Source for News, Research and Analysis
A Content Delivery Network (CDN) is a globally distributed network of web servers or Points of Presence (PoP) whose purpose is to provide faster content delivery. The content is replicated and stored throughout the CDN so the user can access the data that is stored at a location that is geographically closest to the user. This is different (and more efficient) than the traditional method of storing content on just one, central server. A client accesses a copy of the data near to the client, as opposed to all clients accessing the same central server, in order to avoid bottlenecks near that server.
CDN is an umbrella term spanning different types of content delivery services: video streaming, software downloads, web and mobile content acceleration, licensed/managed CDN, transparent caching, and services to measure CDN performance, load balancing, Multi CDN switching and analytics and cloud intelligence. CDN vendors may cross over into other industries like security, with DDoS protection and web application firewalls (WAF), and WAN optimization.
The goal is to provide high availability and performance by distributing the service spatially relative to end users. It also leads to improved user experience and more efficient network resource utilization. Other than better performance, CDNs also offload the traffic served directly from the content provider’s origin infrastructure, resulting in possible cost savings for the content provider.
Uptime is a critical component for anyone with an Internet property. Hardware failures and spikes in traffic, as a result of either malicious attacks or just a boost in popularity, have the potential to bring down a web server and prevent users from accessing a site or service. A well-rounded CDN has several features that will minimize downtime:
- Load balancing distributes network traffic evenly across several servers, making it easier to scale rapid boosts in traffic.
- Intelligent failover provides uninterrupted service even if one or more of the CDN servers go offline due to hardware malfunction; the failover can redistribute the traffic to the other operational servers.
- In the event that an entire data center is having technical issues, Anycast routing transfers the traffic to another available data center, ensuring that no users lose access to the website.
DOD Requirements for Content delivery Network (CDN) services
DISA provides, operates, and assures command and control and information-sharing capabilities, along with a globally accessible enterprise information infrastructure. All of this is to directly support joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of military operations.
The DoD is working within a constrained budget, as such, agencies such as DISA are charged with reducing or eliminating travel for meetings and conferences to help lower temporary duty costs. DISA departed from its in-person conference model and turned to virtual conferences and meetings to stream its mission-critical and sensitive information. However, this can be challenging when needing to reach a significant concentration of users deployed in austere environments or at sea with poor network connectivity. Historically, the agency would resort to technologies such as video teleconferencing to deliver their messages, but this incurred substantial costs as the equipment was expensive and resources were needed to install, operate and maintain the audio/ video equipment. Plus, it was no small feat delivering and scaling the infrastructure needed to deliver the content around the globe to a distributed audience.
The Goal
DISA needed to meet three key requirements to support DoD objectives:
- Contain costs: DISA wanted to make it possible for those it served to reduce their travel and logistics expenses for virtual meetings and conferences.
- Boost productivity: The agency wanted to enable more on-demand trainings so its constituents could view trainings at their convenience.
- Improve information access: DISA wanted to empower high-ranking military officials to more quickly and easily disseminate information in a controlled format.
For years, DISA had used Aura Managed CDN within its internal networks called Global Content Delivery Service (GCDS, the white-label name for Akamai’s MCDN) to deliver its web applications to warfighters around the world. DISA’s overarching mission is to provide an enterprise-level service for the DoD to accelerate delivery and improve the reliability of web applications. “With Akamai’s technology, the DoD has been able to realize significant cost savings while delivering critical content to military personnel across the world. Using Akamai to deliver streaming content to the warfighter was a logical extension of the partnership,” explains a civil engineer support personnel.
By adding streaming capabilities to GCDS, DISA successfully eased the technical burdens associated with delivering customers’ video while providing multiple options to disseminate information. Akamai’s HD platform (accredited and operational 24×7 on NIPRNet and SIPRNet) and customized media player featuring adaptive bit rate technology enabled the DoD to serve streaming content for large-scale events, whether planned or ad hoc. This included commander briefings, all-hands meetings, town halls, virtual conferences, trainings and more.
As organizations within the DoD were instructed to slash budgets and use common enterprise services, they began to discover this streaming service as an alternative to their costly and complex in-house solutions. For example, the Navy leveraged DISA’s on-demand streaming capability to deliver virtual trainings to multiple offices. Its traditional HR training model was to send a DVD or instructor to multiple physical locations and train students on the same topic. By using GCDS, the trainer was able to pre-record the training session, and send a link with the video to all enrolled students, via which they can view the training at their leisure. Through this model, the Navy was able to save on shipping and travel costs and make required training more efficient.
Using these streaming capabilities allowed the DoD to stream high-definition web content directly from user’s desktops. Commanders gained the ability to stay at their desks and brief their globally dispersed soldiers, sailors, airmen, Marines and civilians using the Unclassified-But-Sensitive Internet Protocol Router Network or the Secure Internet Protocol Router Network. As a result, DISA and its mission partners have been able to reach worldwide audiences in real time without building out a delivery infrastructure or website.
Urgency is paramount for high-ranking officials to deliver mission-critical information throughout the broader community. According to civil engineer support personnel, using DISA’s streaming service helped ensure that the message was seen and heard by all regardless of viewers’ location and time. Plus, DISA’s customers were alleviated of the technical burdens associated with delivering their messages, all the while reducing their operational and temporary-duty costs associated with events. Anyone with access to a DoD network could participate in GCDS-hosted events, including Airmen who are serving in contingency operations.
DDoS attacks on Content delivery Network (CDN)
Like all networks exposed to the internet, CDNs must guard against on-path attacks, data breaches, and attempts to overwhelm the network of the targeted origin server using DDoS attacks. Because the Internet is designed in such a way that data is transferred across many locations, it is possible to intercept packets of important information as they move across the globe. Through the utilization of a cryptographic protocol, only the intended recipient is able to decode and read the information and intermediaries are prevented from decoding the contents of the transferred data.
A CDN can have multiple strategies for mitigating vulnerabilities including proper SSL/TLS encryption and specialized encryption hardware.Information security is an integral part of a CDN. a CDN can keep a site secured with fresh TLS/SSL certificates which will ensure a high standard of authentication, encryption, and integrity. Investigate the security concerns surrounding CDNs, and explore what can be done to securely deliver content.
They are also effective against DDoS attacks, since they provide their own large distributed server infrastructure to absorb the volume of the attack. However, Distributed denial of service (DDoS) attacks are a growing threat for content delivery network (CDN) administrators. A DDoS CDN attack uses malware to take control of thousands of computers, often referred to as botnets, and direct them to flood a particular CDN with so many requests that it cannot adequately respond to legitimate traffic. DDoS CDN attacks are growing not only in frequency and sophistication as well. DDoS hackers continually find new ways to penetrate security measures and find their way around traditional firewalls in the CDN architecture. Recent attacks, for example, have targeted the application layer instead of the network and transport layers.
Features of Akamai’s protection against DDoS CDN threats
- DDoS attack support from a fully managed security service, augmenting adaptive rate controls to perform real-time analysis of ongoing attacks, create custom rules as needed, tune existing rules, and adapt quickly to changing attack vectors and multi-dimensional threats.
- Adaptive rate controls that automatically protect applications and CDNs against DDoS and other volumetric attacks by monitoring and limiting the rate of requests against them. Behavior-based rules enable networks to respond to spikes in requests within seconds, mitigating slow POST attacks and selectively alerting administrators or blocking attackers based on IP address and other parameters.
- Security monitor capabilities that provide real-time visibility into security events with the ability to drill down into the details of any DDoS CDN attack.
DISA’s Internet digital content and secure networking Global Content Delivery Services II (GCDS II) project
U.S. military information technology (IT) specialists needed a company to deliver secure digital content over the Defense Information System Network (DISN). They found their solution from Perspecta Enterprise Solutions LLC in Chantilly, Va. Officials of the Defense Information Technology Contracting Organization at Scott Air Force Base, Ill., announced a potential $201.5 million contract in Feb 2021 to Perspecta Enterprise Solutions for the Global Content Delivery Services II (GCDS II) project.
The acquisition is to provide state-of-the-art global content delivery capacity to meet current and future Department of Defense (DoD) customer requirements across the Defense Information System Network (DISN) and any other networks utilized by DoD users. The DISN is the U.S. Department of Defense (DOD) enterprise network for providing data, video, and voice services like video teleconferencing, electronic whiteboarding, and distributed warfighting simulations.
Defense Information Systems Agency (DISA) is required by DoD to enhance communication effectiveness through improved information interoperability. GCDS meets net-centric services by deploying content delivery capabilities at DISA-owned and other DISA approved processing locations. The objective is to obtain reliable, responsive, and cost effective content delivery services that are dynamically scalable, and utilize an on-demand service approach to support DISA and other DISA-approved locations in the continental United States (CONUS) and outside of the continental United States (OCONUS).
The GCDS II program capitalizes on commercial Internet technology and best practices to deliver DOD web content and applications across the Nonsecure Internet Protocol (IP) Router Network (NIPRNet), Secret Internet Protocol Router Network (SIPRNet), and CENTRIX-ISAF (CX-I). The GCDS II enables users of the DISN to perform tasks ranging from downloading security patches, checking email, viewing information portals, supporting decision making, and analyzing geospatial data dynamically.
The GCDS II is a global platform of hundreds of military servers that helps the DISN deliver rich, dynamic, and interactive content, transactions, and applications. The GCDS detects and avoids DISN problem spots and vulnerabilities to deliver mission-critical software downloads, and ensure that software applications perform reliably.
References and Resources also include:
https://www.akamai.com/us/en/our-customers/customer-stories-defense-information-systems-agency.jsp
