How to protect your cloud Web applications with WAF and CDN, and which vendor to choose

The public Internet is brutal. A Web Application Firewall (WAF) together with strong Content Delivery Network (CDN) capabilities is essential to protect your Web applications and Web sites. But which vendor should you choose, and why?

The average cost of a data breach has risen to $3.92 million. Reports show a 1.6% increase over 2018 and a 12% rise over the last five years. On top of that, fines for violating a regulation such as the EU GDPR can reach €20 million ($22.5 million) or 4 per cent of a company's annual global revenue, whichever is greater.

Top Cases of data breaches

Globally, just under 30% of organizations are likely to suffer at least one breach over the next 24 months. U.S. organizations face the highest costs with an average of $8.19 million per breach, driven by a complex regulatory landscape that can vary from state-to-state, especially when it comes to breach notification. In the UK the figure is slightly lower than the global average, at $3.88 million. The size of the average data breach is now 25,575 records, an increase of 3.9% compared to 2018. The average breach size in the U.S. is higher at 32,434 and slightly lower in the UK at 23,600 (both figures up over 2018). Each record lost costs around $150 on average globally; in the U.S. that figure rises to $242 while in the UK the cost is $155 per record. While the loss of thousands of records at a time is becoming common, Equifax-level breaches involving millions of records are still relatively rare. A “mega-breach” of 1 million records could cost a company $42 million — up from $40 million last year — while the loss of 50 million records might cost a company $388 million.

On the other hand, the price of attack services keeps falling.

Attack services are inexpensive

For example, for $327 per week, bad actors can perform a DDoS attack on your Web application paralysing your business costing you thousands or millions.

Executives are getting the message, and companies are adopting better security practices: the penalties for inaction far outweigh whatever inaction saves.

One of the most effective ways to protect Web applications is to introduce proactive defence mechanisms: infrastructure that "predicts" cyberattacks before they happen and mitigates them in real time. Modern cyberattacks are sophisticated and massive. A distributed denial-of-service (DDoS) attack, for example, is a malicious attempt to disrupt the normal traffic of a targeted service by overwhelming it with a flood of Internet traffic, much like a traffic jam clogging a highway and preventing regular traffic from reaching its destination. Unlike other types of cyberattack, DDoS defence requires extensive infrastructure that can absorb the malicious traffic while letting legitimate traffic through, which is why it is usually bought as a service from a large network rather than built in-house.

A DDoS attack in Layman's terms

Other types of cyberattack involve sending maliciously formed requests (injection payloads, traversal sequences, requests for known-vulnerable endpoints) with the aim of disrupting or compromising business services. Many of these can be detected in real time by a Web Application Firewall (WAF): the WAF inspects incoming HTTP(S) traffic, decodes and normalises each request, and automatically blocks requests that match its rules or exceed its rate limits.

WAF blocks malicious traffic

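To make the inspection step concrete, here is a small Layer 7 pipeline of the kind a WAF runs in front of an application: a per-source sliding-window rate limit against request floods, a few signature rules evaluated against the decoded request target, and a "virtual patch" that blocks a not-yet-fixed endpoint centrally for every origin at once. This is an added example written for this page, not code from the original article or from any of the vendors discussed. The rule IDs, the thresholds, the `/api/v1/debug` endpoint and the sample traffic are all constructed for the illustration.

```python
"""Toy L7 inspection pipeline in the spirit of a cloud WAF.

Added example, not code from the original article or from any vendor.
Rule IDs, thresholds, the shielded endpoint and the traffic are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Request:
    ts: float       # arrival time in seconds
    src_ip: str
    method: str
    target: str     # path plus query string, exactly as received on the wire


# Signature rules, applied to the decoded target. IDs are our own (not
# ModSecurity / OWASP CRS IDs) and each pattern is deliberately narrow.
SIGNATURES = [
    ("SQLI-1", re.compile(r"'\s*or\s*'|\bor\b\s+\d+\s*=\s*\d+|\bunion\s+select\b|--\s|/\*", re.I)),
    ("XSS-1", re.compile(r"<script\b|javascript:|\bon(error|load|click|mouseover)\s*=", re.I)),
    ("TRAVERSAL-1", re.compile(r"\.\./|\.\.\\")),
]

# "Virtual patch": block a path the application team has not fixed yet, at
# the edge, for every origin at once. The endpoint is hypothetical.
VIRTUAL_PATCHES = [("VP-0001", "/api/v1/debug")]


def normalize(target: str) -> str:
    """Decode twice so %252e%252e-style double encoding cannot bypass the regexes."""
    return unquote_plus(unquote_plus(target))


class Waf:
    def __init__(self, max_requests: int = 20, window_seconds: float = 10.0):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)  # src_ip -> timestamps inside the window

    def _over_rate(self, req: Request) -> bool:
        """Sliding-window counter per source. Blocked requests still count,
        so a flooding client cannot talk its way back under the limit."""
        q = self._history[req.src_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > self.window_seconds:
            q.popleft()
        return len(q) > self.max_requests

    def inspect(self, req: Request) -> str:
        """Return 'ALLOW' or 'BLOCK:<rule>'. The cheapest check (volume) runs first."""
        if self._over_rate(req):
            return "BLOCK:RATE"
        decoded = normalize(req.target)
        for rule_id, rx in SIGNATURES:
            if rx.search(decoded):
                return f"BLOCK:{rule_id}"
        path = decoded.split("?", 1)[0]
        for rule_id, prefix in VIRTUAL_PATCHES:
            if path.startswith(prefix):
                return f"BLOCK:{rule_id}"
        return "ALLOW"


def sample_traffic() -> list:
    """Constructed traffic, not captured logs: two legitimate requests, four
    probes from one address and a 30-request burst from another."""
    reqs = [
        Request(0.0, "10.0.0.5", "GET", "/index.html"),
        Request(0.5, "10.0.0.5", "GET", "/search?q=firewall+vendors"),
        Request(1.0, "203.0.113.9", "GET", "/search?q=1%27+OR+%271%27%3D%271"),
        Request(1.2, "203.0.113.9", "GET", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E"),
        Request(1.4, "203.0.113.9", "GET", "/static/..%252f..%252fetc/passwd"),
        Request(1.6, "203.0.113.9", "GET", "/api/v1/debug?dump=1"),
    ]
    reqs += [Request(2.0 + i * 0.05, "198.51.100.7", "GET", "/") for i in range(30)]
    return reqs


def summarize(requests, waf=None) -> Counter:
    """Run every request through one WAF instance and count the verdicts."""
    waf = waf or Waf()
    return Counter(waf.inspect(r) for r in requests)


if __name__ == "__main__":
    for verdict, n in sorted(summarize(sample_traffic()).items()):
        print(f"{verdict:<18}{n}")
```

Two details matter more than the regexes themselves. First, the target is decoded before matching, and decoded twice, because the traversal probe in the sample arrives as `..%252f`, which a single decode turns into the still-harmless-looking `..%2f`. Second, the rate limiter keeps counting requests it has already blocked, so the burst from 198.51.100.7 stays blocked for the rest of the window instead of oscillating around the threshold. The signatures are intentionally narrow; production WAFs rely on large curated rule sets and spend most of their tuning effort on false positives, which is exactly the management overhead the vendors below compete on.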
There are hundreds of security software and hardware solutions on the market. This post is about modern cloud Web applications, so we analyse only modern cloud platforms capable of protecting against very large DDoS attacks. We go through four major players on the market.

Microsoft Azure

The Microsoft Azure solution offers a rich set of functionality assembled from several Azure components. Building and deploying multiple components can raise costs and is prone to errors and misconfiguration, and ongoing support may require more advanced Security Operations knowledge and skills. Azure DDoS Protection defends against volumetric (L3/L4) DDoS attacks. It comes in two tiers: Basic, which is enabled on the Azure platform at no extra cost, and Standard, a paid tier that adds attack telemetry and logs, monitoring and alerting, and which is intended to be combined with the Application Gateway WAF for L7 protection.

Azure DDoS protection

Azure Application Gateway with WAF is a web traffic load balancer that manages traffic to your Web applications while providing centralised protection against common exploits and vulnerabilities, based on the OWASP Core Rule Set. A centralised WAF makes security management much simpler and gives application administrators better assurance against threats and intrusions. It also lets you react to a security threat faster: a known vulnerability can be "virtually patched" with a rule at one central location rather than by securing each Web application individually.

Azure Web Application Firewall

Cloudflare

Cloudflare runs one of the world's largest networks and provides security services to businesses, non-profits, bloggers, websites and apps. More than 20 million Internet properties are on Cloudflare, and the network grows by tens of thousands each day. Cloudflare serves roughly 10% of the Fortune 1,000 and handles requests from more than 1 billion unique IP addresses per day. It protects Internet properties from malicious activity such as DDoS attacks, malicious bots and other intrusions, and has an excellent reputation for its advanced DDoS protection, WAF, Content Delivery Network (CDN), TLS traffic encryption, automatic certificate management and many other features.

Cloudflare model

Cloudflare administration uses a single control plane across multiple well-integrated services, and configuration is done through an intuitive, secure Web portal.

Configuring DNS zone in Cloudflare portal

Akamai

Akamai offers a very advanced solution for Web application security and content delivery. Combined, Akamai's products cover the requirements of the most demanding customers, although they can be overkill for specific applications. Akamai has a multitude of products; the Kona and Ion products cover the majority of cybersecurity and Web performance requirements.

Kona Site Defender provides application security at the Edge, closer to attackers and further from applications. With 178 billion WAF rule triggers a day, Akamai has unmatched visibility into attacks and uses it to deliver curated, highly accurate WAF protections that keep up with the latest threats. Flexible protections help secure the entire application footprint and respond to changing business requirements, including APIs and cloud migration, with dramatically lower management overhead. Akamai reported that it successfully protected a customer through what was at the time the largest DDoS attack on record, at 1.3 Tbps.

Akamai Kona Site Defender features

Ion is a suite of intelligent performance optimisations and controls that helps deliver superior web and mobile app experiences. Built on the SLA-backed availability of the globally distributed Akamai Intelligent Edge Platform™, Ion continuously monitors real user behaviour, applies best-practice performance optimisations automatically, and adapts in real time to changes in content, user behaviour and connectivity.

Akamai Ion

Amazon AWS CloudFront

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications and APIs to customers globally with low latency and high transfer speeds, within a developer-friendly environment. CloudFront is integrated with AWS both physically, through edge locations directly connected to the AWS global infrastructure, and with other AWS services: AWS Shield for DDoS mitigation; Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications; and Lambda@Edge to run custom code closer to your users and customise the user experience.

AWS CloudFront logo

Amazon CloudFront is a highly secure CDN that provides both network- and application-level protection. Traffic and applications benefit from built-in protections such as AWS Shield Standard at no additional cost, and application-layer request filtering is added by attaching an AWS WAF web ACL to the distribution. You can also use AWS Certificate Manager (ACM) to create and manage custom TLS certificates, again at no extra cost.

CloudFront edge locations map

Conclusion

We have described four major players on the market. Go through your particular system's requirements before making a choice. We deliberately do not include Gartner Magic Quadrant charts here: these companies move around the quadrant quite quickly, and the quadrant captures only part of the security feature set. It is much better to look at the feature set and prices of the specific services you want to use.

In my opinion, in general, the Cloudflare solution provides the best combination of well-integrated security services at a very reasonable price. Cloudflare also has entry-level plans, including a free plan for a simple single domain. The solution has a proven history of defending against massive-scale attacks, and is capable of absorbing traffic 15 times higher than the world's largest registered DDoS attack to date. Cloudflare is relatively easy to deploy: it works out of the box without extensive engineering effort, and its administration Web portal is clean and easy to use.

John Yoon

Solution Architect

Translated from: https://medium.com/the-cloud-builders-guild/how-to-protect-your-cloud-web-applications-with-waf-and-cdn-what-vendor-to-choose-874e31534058

Page URL: http://www.taodudu.cc/news/show-4734841.html
