A Closer Look at CloudFlare and Incapsula: Next Generation CDN Services
Content delivery networks (CDNs) are online services that were traditionally used to help accelerate the distribution of web content and ensure business continuity.
Today a new generation of CDNs built to harness advancements in hardware, networking and cloud computing. These next gen CDNs are radically different in architecture from their predecessors, and are designed to consolidate multiple technologies for website acceleration and security into a full-blown application delivery solution.
The popularity of these next-gen platforms is now rejuvenating the traditionally consolidated and somewhat stale CDN market. According to a recent study, the CDN market is estimated to grow from $3.71 billion in 2014 to $12.16 billion by 2019.
Among the trendsetters leading this transformation are CloudFlare and Incapsula. CloudFlare was among the first to offer a free CDN service, in essence sparking this revolution. Incapsula, spun off from security giant Imperva, upped the ante by imbuing the CDN platform with security-oriented technologies.
Motivated in part by their own competition, the relentless innovation of these companies is advancing the CDN space forward in leaps and bounds. Today, this innovation is also ushering in a new trend of using cloud-based services to replace security and availability enterprise-grade appliance.
Let’s take a closer look at how CloudFlare and Incapsula address enterprises’ application delivery requirements.
Acceleration & Caching
In 2014 CloudFlare shook up the CDN market when it launched a free CDN for websites of all sizes, making content delivery easy and affordable for a wide variety of website owners - previously excluded from this market due to the cost of legacy CDNs. With 28 data centers around the world, CloudFlare offers customers a global presence on an affordable budget.
Incapsula was founded in 2009 as a spin-off of data security leader Imperva. Compared to CloudFlare, Incapsula’s product offers a business-oriented solution that emphasizes website security and high availability. Incapsula service is equally affordable and is highly acclaimed for its award-winning access control DDoS protection features. Incapsula’s worldwide network currently numbers 20 data centers.
Both companies use proprietary caching technologies to deliver content quickly and optimize the user experience.
In terms of acceleration, each CDN does an excellent job of caching static content.
Incapsula, however, may have an advantage when it comes to dynamic content caching. The reason is Incapsula’s patent-pending machine learning algorithms that are able to identify cacheable dynamic content by the way it’s being accessed by users.
Rather than caching dynamic web pages, CloudFlare uses its Railgun™ technology to further compress web content. While unable to actually cache dynamically generated objects, Railgun contributes to overall delivery speed, offering an effective solution for static HTML sites.
Protecting Against Volumetric DDoS Attacks
Today’s network DDoS attacks, often exceeding 100-200 Gbps, can only be countered by a strong infrastructure capacity. This is one reason why cloud-based platforms like CloudFlare and Incapsula, which provide large resource pools, are rapidly becoming the industry standard for DDoS mitigation.
Both solutions offer on-demand bandwidth overprovisioning that scale capacity to absorb and filter DDoS traffic. This means you can protect your website or application against even the largest DDoS attacks, without having to pay up front for bandwidth you don’t need on a regular basis. Since both of these cloud-based services are built on top of large global networks, they are well-equipped to handle any sized DDoS attack.
Recently, Incapsula has gone a step further with “Behemoth” scrubbing servers. Each of these massive beasts is able to filter 170Gbps worth of traffic at an inline rate. Incapsula currently has five “Behemoths” deployed. Together these provide an 800+Gbps boost to Incapsula’s already massive 700+Gbps network.
DNS DDoS Protection
In addition, both Incapsula and CloudFlare offer DDoS protection services for web applications and DNS servers. Service activation is based on a simple change of DNS settings to re-route all website traffic (HTTP/HTTPS) through the vendors’ respective networks. Both solutions do a good job of mitigating volumetric network DDoS attacks using their high-capacity networks of servers.
Application Layer DDoS Protection
Where these services differ is in their approach to Layer 7 DDoS attacks which are executed by DDoS bots. These types of stealthy attacks are difficult to detect, since they are often designed to mimic “human” behavior.
Here Incapsula’s solution relies on classification algorithms that inspect signatures and behavior patterns to distinguish between legitimate and malicious traffic. The company’s claim to fame is its client classification technology with a less than a 1% false positive rate.
CloudFlare, on the other hand, offers an equally effective but significantly less user-friendly solution that relies on challenge screens and CAPTCHA pages, which are presented to visitors during the attack.
Time to Mitigation
Time-to-mitigation is the duration required to start blocking a DDoS attack once it has been identified. This is critical, since on-demand solutions based on human intervention are fallible. This is why many perpetrators attack during major holidays, the middle of the night, or weekends when IT staff may not be available.
Incapsula response to this problem is an always-on solution that automatically detects and triggers mitigation of all types of DDoS attacks.
With CloudFlare, customers must identify the Layer 7 attack and then manually click the “I’m under attack” button. This approach is obviously less reliable and can result in some performance degradation and even potential downtime.
Protecting Non-Web Assets
Today’s DDoS attackers do not stop at web/application and DNS servers. Any component of your network infrastructure with an IP address is, in effect, a target. This includes servers used for gaming, FTP, email, VoIP, etc.
To combat this threat, Incapsula has added a third layer to its DDoS Protection service, designed to safeguard critical network infrastructure across entire subnet ranges.
Enabled by Border Gateway Protocol (BGP) routing and GRE tunneling, this protection is versatile enough to protect all types of resources, including the commonly targeted gaming platforms and FTP and email servers.
Web Application Firewall
It is clear that Incapsula’s security focus, and its use of Imperva’s best-in-class Web Application Firewall (WAF) technology, gives it a leg up in this area – allowing it to offer an enterprise grade self-developed technology.
CloudFlare also offers a very dependable WAF option, which uses a variation of the open source ModSecurity platform and is effective against most common web threats.
However, in a comparative pentest conducted in February 2013 by the Zero Science Lab, CloudFlare’s WAF often failed to stop certain types of application attacks (e.g., SQL injection, Remote File Inclusion).
Since then, CloudFlare has revamped its solution, adding a new rule-based engine to the ModSecurity core. In a second round of pen-tests, CloudFlare still came up short, but showed a significant improvement to its original 0/123 score.
Online merchants who handle consumer credit card information are required to deploy a web application firewall in front of their website. Both CloudFlare and Incapsula offer PCI-certified WAFs that fully comply with PCI 6.6 type 1 reporting requirements.
Custom Security Rules
In addition to its default rule sets, CloudFlare offers an option of turning on/off pre-defined rules in accordance with security policies.
Incapsula, on the other hand, offers a flexible custom rule engine (a.k.a. IncapRules) for fast creation of security rules tailored to your enterprise’s security policy and use cases.
Availability is a critical requirement for today’s business-critical applications. With the cost of network downtime estimated by Gartner to be hundreds of thousands of dollars per hour, the importance of maintaining business continuity is a given.
Load balancers remove single points of failure and ensure application availability by monitoring the "health" of application servers, and only sending requests to servers and applications that can respond in a timely manner.
CloudFlare and Incapsula both perform load balancing in the cloud and do not rely on hardware appliances, which can be a single point of failure. Using the Anycast routing scheme, CloudFlare’s network picks the most preferential route (i.e., the shortest path from the sender to the recipient). At the data center, if a server is down or overloaded, traffic is sent randomly to the next available server.
Rather than using proximity-based routing like CloudFlare, Incapsula uses Layer 7 load balancing solution to distribute incoming requests based on the actual load of traffic on each server. This approach allows for efficient resource utilization, offering the Incapsula user a choice of several smart load balancing algorithms (e.g., load distribution based on number of actual pending requests).
Incapsula supports both local and global server load balancing (GSLB) with the option to set different policies for in-data center and cross-data center load distribution. This provides an additional degree of control and efficiency to its users.
Data Center Failover
Incapsula's service supports automatic failover between primary and secondary sites to enable high availability. To this end Incapsula performs periodic health checks of all servers on service.
As soon as the platform detects that the primary server has gone down, Incaspsula automatically kick-starts your pre-configured standby server to help keep your website and web apps available.
Currently, CloudFlare doesn’t provide a similar failover option. However, Anycast routing can be used to redirect traffic to a standby server, pending its manual activation by the network’s operator.
Incapsula’s high availability solutions are complemented by a live monitoring option that allows you to keep track of your web server and data center activity in real-time. This is a very nice feature that lets you detect issues ahead of time and re-route traffic to a viable server to eliminate lags or outages.
Both companies offer a premium Enterprise CDN, with 24x7 support and enterprise-grade uptime SLAs. Both Incapsula and CloudFlare also offer the option to purchase WAF, DDoS protection and load balancing features separately or to bundle them all together into a complete application delivery solution.
With prices starting at around $300/month and scaling up to few thousand dollars a month for a complete application delivery bundle. CloudFlare and Incapsula are now expanding their market share at the expense of CDN veterans like Akamai who often cannot compete with the new integrated technologies and the low-cost pricing model.