Friday, October 7, 2011

Enterprise Architecture

  • TOGAF
The Open Group Architecture Framework (TOGAF) is a framework - a detailed method and a set of supporting tools - for developing an enterprise architecture. It may be used freely by any organization wishing to develop an enterprise architecture for use within that organization
http://pubs.opengroup.org/architecture/togaf8-doc/arch/

The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture
https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework

  • TOGAF® is the de facto global standard for Enterprise Architecture. The Open Group Architecture Forum, comprised of more than 200 enterprises, develops and maintains the TOGAF standard and publishes successive versions at regular intervals
http://www.opengroup.org/subjectareas/enterprise/togaf/


  • TOGAF Version 9.1, 10th edition
http://www.amazon.com/TOGAF-Version-9-1-Van-Haren/dp/9087536798/ref=sr_1_2?ie=UTF8&qid=1447357655&sr=8-2&keywords=togaf

Benefits of the TOGAF Management Architecture
It enables realistic and sustainable decisions by providing a perspective on the enterprise as a whole.
It relates business development to IT strategies and the parameters that drive them, according to the priorities underlying the business strategies.
It provides effective Change Management whose impact on the enterprise's existing components can be easily assessed.
It establishes a common language by standardizing coordination and communication between the different departments of the enterprise or between different applications.
It enables the architectural structure to be established and the technology development roadmap, standardization and modernization to be carried out so that technological modernization can take place.
It minimizes product or service delivery times by identifying the existing components best suited to the solution and ensuring their reuse.
http://www.proya.com.tr/togaf/

  • MODAF
The British Ministry of Defence Architecture Framework (MODAF) is an Architecture Framework which defines a standardised way of conducting Enterprise Architecture, originally developed by the UK Ministry of Defence.
https://en.wikipedia.org/wiki/MODAF

  • The Concise Definition of The Zachman Framework by: John A. Zachman 
The Zachman Framework™ is a schema - the intersection between two historical classifications that have been in use for literally thousands of years. The first is the fundamentals of communication found in the primitive interrogatives: What, How, When, Who, Where, and Why. It is the integration of answers to these questions that enables the comprehensive, composite description of complex ideas. The second is derived from reification, the transformation of an abstract idea into an instantiation that was initially postulated by ancient Greek philosophers and is labeled in the Zachman Framework™: Identification, Definition, Representation, Specification, Configuration and Instantiation.
https://www.zachman.com/about-the-zachman-framework

  • ZACHMAN
The Zachman Framework is an Enterprise Architecture framework for enterprise architecture, which provides a formal and highly structured way of viewing and defining an enterprise. It consists of a two dimensional classification matrix based on the intersection of six communication questions (What, Where, When, Why, Who and How) with six rows according to reification transformations
http://en.wikipedia.org/wiki/Zachman_Framework
  • TOGAF vs Zachman: What’s The Difference?

What’s an enterprise architecture?

An enterprise architecture (EA) is a construct that communicates an organization’s entire enterprise system, consisting of:

    Technologies
    Processes
    Information assets

Your enterprise architecture provides various perspectives from a technology and business standpoint, allowing you to take a disciplined approach to managing those systems. In other words, your enterprise architecture defines the choice constraints that can be applied to enterprise IT and business systems and can have three core components: framework, methodology, and tooling.

Utilizing an EA solves two key problems facing technology-driven business organizations:

    Developing a thorough understanding between highly dependent subsets of enterprise systems allows organizations to reduce the overall complexity of the architecture.
    Helping establish a structured and well-informed decision-making process aligns technology with business goals.


TOGAF: The Open Group Architecture Framework

TOGAF is the de facto industry standard framework, offering a methodological approach to Enterprise Architecture design, planning, implementation, and governance. 

Zachman Enterprise Architecture

John Zachman was an IT pioneer who understood the problems facing IT-driven businesses. To solve these problems, he developed an early enterprise-architectural methodology in 1987—the Zachman Framework.

The Zachman Framework offers a model-based approach that:

    Specifies the deliverables
    Categorizes various aspects of enterprise system subsets into a matrix form
    Associates them with the decision choices of the business-IT environment

Choosing TOGAF or Zachman
Which enterprise architecture you choose depends on your approach.

    The TOGAF framework provides a systematic approach for defining the process of creating or improving an Enterprise Architecture. With its ADM, the framework offers a process for implementing the decision choices in order to produce your desired model.
    The Zachman Framework is more of an ontology—a structured set of expressions that describe how artifacts can be categorized, and thus created, operated, and changed. Unlike TOGAF, Zachman uses various enterprise perspectives in order to scope, define, and plan details regarding individual subsets of your enterprise system.

Your organization may choose to use one—or you can opt for both. Together, the frameworks can complement each other, with TOGAF describing the detailed process for creating the Enterprise Architecture, and Zachman categorizing the artefacts.

https://www.bmc.com/blogs/togaf-vs-zachman/#



  • SBVR/ORM
http://www.ormfoundation.org/files/folders/sbvr/tags/SBVR/default.aspx


  • ArchiMate
ArchiMate® is an open and independent modelling language for enterprise architecture that is supported by different tool vendors and consulting firms. ArchiMate provides instruments to enable enterprise architects to describe, analyze and visualize the relationships among business domains in an unambiguous way
http://www3.opengroup.org/subjectareas/enterprise/archimate

  • Archi is a free, open source, cross-platform tool and editor to create ArchiMate models.
http://archi.cetis.ac.uk/
  • Enterprise Architect
http://www.sparxsystems.com/


  • Where SABSA differs from other approaches is that it defines a conceptual layered model which enables a holistic, strategic architectural approach, as opposed to the more typically seen application of stand-alone technology and process point solutions to tactical security objectives. For those familiar with it, SABSA also leverages the Zachman Framework and is compatible with TOGAF, ISO 27001, Agile and other methodologies.


SABSA ensures that different views of security are taken into consideration through the layered model, as different stakeholders will need to be informed differently about what it means to them, whilst still allowing for traceability across the stack.
https://medium.com/@marioplatt/what-is-sabsa-enterprise-security-architecture-and-why-should-you-care-a649418b2742


  • SABSA stands for the Sherwood Applied Business Security Architecture. It provides a framework for developing risk-driven enterprise information security and information assurance architectures. It also aids in delivering security infrastructure solutions that support critical business initiatives. 

https://www.orbussoftware.com/us/governance-risk-and-compliance/sabsa/what-is-sabsa/

  • Enterprise Architecture Frameworks (EAF): The Basics


Defining the Enterprise Architecture Framework

Simply stated, enterprise architecture framework (EAF) refers to any framework, process, or methodology which informs how to create and use an enterprise architecture.

So, what is enterprise architecture?
At a high level, enterprise architecture offers a comprehensive approach and holistic view of IT throughout an enterprise. An enterprise is a business, company, firm, or group of any size that provides consumers with goods and/or services. This can also include any organized unit that has a common goal, such as an industry consortium or non-profit group. An enterprise requires collaboration to achieve its goal or strategy while providing the good or service as best as it can to ensure customer satisfaction.

History of EAF

A commonly held tenet is that enterprise architecture frameworks date to the mid-1980s, in accordance with the publication of the Zachman Framework, developed by then-IBMer John Zachman

Benefits
Some enterprises look to adopt service-oriented architecture (SOA) or microservices architecture (MSA) (often a key component of establishing a digital transformation) which has an impact on both IT and business processes. These may be the best candidates for enterprise architecture.
At its most helpful, an enterprise architecture framework makes sense of the complexities of achieving business strategy via IT strategy, technology, and business needs across all silos of the company. When performed at its best, an enterprise architecture translates the vague and intangible business strategy to practical, concrete plans and actions. Then, these designs are translated into solutions that achieve business strategy

Types of Enterprise Architecture Frameworks
The types of enterprise architecture frameworks are often categorized by who created and released them. Today’s EA frameworks fall into a few types:

Those developed by consortiums, of which The Open Group Architecture Framework (TOGAF) is most known.
Those intended for defense industry use, such as the U.S.'s own Department of Defense Architecture Framework.
Those intended for wider government use, including the FDIC Enterprise Architecture Framework, the Federal Enterprise Architecture Framework (FEAF), and the NIST Enterprise Architecture Model.
Those developed and released as open source.
Those developed by private companies or universities and released as proprietary material, like those from IBM or Gartner
https://www.bmc.com/blogs/enterprise-architecture-frameworks/

Backup & Archive

  • Symantec Enterprise Vault
Symantec Enterprise Vault is an archiving platform that bridges the gap between legal and IT by adding intelligence to the way organizations store, manage, and discover information
http://www.symantec.com/business/enterprise-vault



  • Symantec Backup Exec
Reliable Windows server backup software designed for your growing business
http://www.symantec.com/business/backup-exec-for-windows-servers

  • Veritas Netbackup
http://www.symantec.com/business/netbackup

Anti Virus (AV) & Anti-Spam

  • ESET® Online Scanner
http://www.eset.com/int/home//products/online-scanner/

  • Kaspersky Online Virus Scanner
http://www.kaspersky.com/virusscanner
  • BitDefender Online Scanner
http://www.bitdefender.com/scan8/ie.html
  • McAfee FreeScan
http://us.mcafee.com/root/mfs/scan.asp?affid=56
  • F-Secure Online Scanner
http://support.f-secure.com/enu/home/ols.shtml

  • Windows Defender Spyware
http://www.microsoft.com/athome/security/spyware/software/default.mspx

  • Microsoft® Windows® Malicious Software Removal Tool (KB890830)
http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en


  • Microsoft Baseline Security Analyzer v2.0.1 (for IT Professionals)
http://www.microsoft.com/downloads/details.aspx?familyid=4B4ABA06-B5F9-4DAD-BE9D-7B51EC2E5AC9&displaylang=en


  • Checkpcidss.com does what the name suggests. It is an online application for scanning your website/server against PCI DSS security compliance. It is developed in Python using network socket programming.
https://syslint.com/checkpcidss


  • The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
http://www.microsoft.com/security/scanner/en-us/default.aspx

  • The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.
A toolkit for deploying and configuring security mitigation technologies
Software vulnerabilities and exploits have become an everyday part of life
http://www.microsoft.com/en-us/download/details.aspx?id=29851



  • Revo Uninstaller Pro
Revo Uninstaller Pro helps you to uninstall software and remove unwanted programs installed on your computer easily! Even if you have problems uninstalling and cannot uninstall them from "Windows Programs and Features (Add or Remove Programs)" control panel applet.
http://www.revouninstaller.com/


  • CCleaner
CCleaner is the number-one tool for cleaning your Windows PC. It protects your privacy online and makes your computer faster and more secure. Easy to use and a small, fast download.
https://www.piriform.com/ccleaner


  • Glary Utilities 4
The No. 1 Free, Powerful and All-in-one utility for cleaning your Windows PC
Boosts PC speed and fixes frustrating errors, crashes and freezes
Features one-click functionality and easy, automated options
Over 20 tools to maximize your Computer's performance

http://www.glarysoft.com/

Load Balancers

  • NetScaler
Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security. Deployed in front of web and database servers, NetScaler combines high-speed load balancing and content switching, data compression, content caching, SSL acceleration, network optimization, application visibility and application security on a single, comprehensive platform.
http://www.citrix.com/English/ps2/products/feature.asp?contentID=2300357

  • The LVS cluster system is also known as load balancing server cluster.
Virtual server is a highly scalable and highly available server built on a cluster of real servers. The architecture of the server cluster is fully transparent to end users, and the users interact with the cluster system as if it were only a single high-performance virtual server.
The real servers and the load balancers may be interconnected by either a high-speed LAN or by a geographically dispersed WAN. The load balancers can dispatch requests to the different servers and make the parallel services of the cluster appear as a virtual service on a single IP address, and request dispatching can use IP load balancing technologies or application-level load balancing technologies.
http://www.linuxvirtualserver.org/whatis.html

Content Delivery Network (CDN)

  • A content delivery network or content distribution network (CDN) is a system of computers containing copies of data placed at various nodes of a network. When properly designed and implemented, a CDN can improve access to the data it caches by increasing access bandwidth and redundancy and reducing access latency.

http://en.wikipedia.org/wiki/Content_delivery_network


  • Akamai
Akamai Web Application Acceleration and Performance Management, Streaming Media Services, and Content Delivery help companies build better web
http://www.akamai.com/

  • limelight
http://www.limelight.com/

  • Bypassing the CDN protection

In this article, you are going to learn how to skip the protection layer of a CDN. First of all, a CDN (Content Delivery Network) is a service which acts as a reverse proxy.
Many users use a CDN to shield their servers against DDoS attacks, as it receives all of the website's traffic and blocks these kinds of requests before they reach the website's server.
You need to know that the CDN supports protocols like HTTP and HTTPS, so if you have any other services like SSH or FTP, they will be obfuscated behind the CDN.
An attacker will need to know the IP if they want to access any of these services.

1. Subdomains
By using online tools like Dnsdumpster or similar, you can obtain a list of the indexed subdomains.
If you check them, you will find two ways to discover the IP.

The first one consists of looking for the services which are pointing to the CDN and it does not accept it. Some of these services may be on the same machine, so you can discover the IP. For example:
ftp.sitio.com
smtp.sitio.com
dns.sitio.com


1.1.Subdomains not indexed
If you want to find more subdomains, you need to use more tools which work by brute force. They are very useful when there are "private" subdomains with uncommon names, and they are not indexed by search engines. In these kinds of searches it is recommended to use tools like our own Fast Subdomain Scanner.
Once you have obtained all the subdomains, you can analyse which IP’s point at these subdomains.


The second way: you need to check all the IPs which are pointing to the different subdomains. Sometimes a bad configuration might disclose the real IP, bypassing the CDN protection.
2. DNS track
Your servers might be pointing to the same IP direction after starting to work with the CDN. If you use any online tool to obtain the DNS track of your domain, then you will discover the IP. Some tools like Dnstrails or Viewdns can help you in this task.

3. IOT Tools
3.1. Shodan
The ssl filter in Shodan lets you look for strings in the certificates stored for the scanned IP.
3.2. Censys
Censys scans servers and saves related information of the server’s certificates.
It has a historical section where past results are stored.
3.3. Zoom Eye

4. Email headers
Checking email headers is another way to find the IP of a server.
https://opendatasecurity.io/how-to-bypass-cdn/
  • What is CloudFlare? What does CloudFlare do with my website after I activate my website on CloudFlare?

CloudFlare is a Content Delivery Network which builds up a wall between the website and the visitor. Only visitors are allowed to go through CloudFlare, and even search engine crawlers are allowed, but not attackers. CloudFlare covers the real IP address of the website with their IP address. Most CloudFlare IPs start with 104.x.x.x.
https://theshadowpress.com/configuring-cloudflare-website-to-avoid-getting-it-bypassed/

  • What is a CDN
Content delivery networks (CDN) are the transparent backbone of the Internet in charge of content delivery.
To understand why CDNs are so widely used, you first need to recognize the issue they’re designed to solve. Known as latency, it’s the annoying delay that occurs from the moment you request to load a web page to the moment its content actually appears onscreen.
In all cases however, the delay duration is impacted by the physical distance between you and that website’s hosting server
A CDN’s mission is to virtually shorten that physical distance, the goal being to improve site rendering speed and performance.

How a CDN Works
To minimize the distance between the visitors and your website’s server, a CDN stores a cached version of its content in multiple geographical locations (a.k.a., points of presence, or PoPs). Each PoP contains a number of caching servers responsible for content delivery to visitors within its proximity.

For example, when someone in London accesses your US-hosted website, it is done through a local UK PoP. This is much quicker than having the visitor’s requests, and your responses, travel the full width of the Atlantic and back.

Specifically, if you are running a strictly localized website, with the vast majority of your users located in the same region as your hosting, having a CDN yields little benefit. In this scenario, using a CDN can actually worsen your website’s performance by introducing another unessential connection point between the visitor and an already nearby server.

CDN BUILDING BLOCKS
PoPs(Points of Presence)
CDN PoPs (Points of Presence) are strategically located data centers responsible for communicating with users in their geographic vicinity. Their main function is to reduce round trip time by bringing the content closer to the website’s visitor. Each CDN PoP typically contains numerous caching servers
Caching Servers
Each CDN caching server typically holds multiple storage drives and high amounts of RAM resources.
SSD/HDD + RAM
Inside CDN caching servers, cached files are stored on solid-state and hard-disk drives (SSD and HDD) or in random-access memory (RAM), with the more commonly-used files hosted on the more speedy mediums

START USING A CDN
For a CDN to work, it needs to be the default inbound gateway for all incoming traffic. To make this happen, you’ll need to modify your root domain DNS configurations (e.g., domain.com) and those of your subdomains (e.g., www.domain.com, img.domain.com).
For your root domain, you’ll change its A record to point to one of the CDN’s IP ranges. For each subdomain, modify its CNAME record to point to a CDN-provided subdomain address (e.g., ns1.cdn.com). In both cases, this results in the DNS routing all visitors to your CDN instead of being directed to your original server.


Why isn’t a CDN a Default Part of my Website Hosting?
In an ideal world, a CDN would be an integral part of any website hosting. However, when CDNs were first established in the late 1990s, they were far too expensive and only accessible to the largest organizations.

THE EVOLUTION OF CDNs
1st Gen Static CDN
2nd Gen Dynamic CDN
3rd Gen Multi-Purpose CDN

REVERSE PROXY LIVING ON THE EDGE
Content delivery networks employ reverse proxy technology. Topology wise, this means CDNs are deployed in front of your backend server(s).

The reverse proxy topology is being leveraged by multi-purpose CDNs to provide the following types of solutions:
Website Security
Deployed on the edge of your network, a CDN is perfectly situated to act as a virtual high-security fence and prevent attacks on your website and web application. The on-edge position also makes a CDN ideal for blocking DDoS floods, which need to be mitigated outside of your core network infrastructure.
Load Balancing
Load balancing is all about having a “traffic guard” positioned in front of your servers, alternating the flow of incoming requests in such a way that traffic jams are avoided.
Clearly, a CDN's reverse proxy topology is ideal for this, as it is the default recipient of all incoming traffic.
https://www.imperva.com/learn/performance/what-is-cdn-how-it-works/


  • As of 2015, the last version of SSL (3.0) was officially deprecated. It has been replaced by TLS (Transport Layer Security), which provides stronger encryption while serving a similar function. However, the original name has stuck; many still refer to TLS as “SSL/TLS” or simply “SSL”.


How a CDN Can Bolster SSL/TLS Performance
Let's first review how an SSL connection differs from its regular TCP counterpart.
A typical TCP connection is established through a process known as a three-way handshake. In it, a client sends out a connection request (SYN), receives an acknowledgment (SYN/ACK) and then responds with an acknowledgment of its own (ACK). This closes the loop and establishes the connection.
The time it takes to complete the handshake should be exactly equal to a single round trip time (RTT).
Negotiating an SSL/TLS connection requires a few additional back-and-forths. This is because the browser and server now also need to:
    Agree upon a mutually-compatible method of encryption.
    Go through a process of mutual verification.
    Generate symmetric keys, used to encode and decode all information exchanged during the session.

These extra interactions add overhead to the process, resulting in two additional round trips.

For example
If the round trip time from San Francisco to your London server is 50 ms, then establishing a SSL/TLS handshake will take at least 150 ms.

Solution:
Use A CDN To Reduce Round Trip Time

Shortening round trip time is a core function of CDN—a service specifically designed to improve response speeds by reducing the physical distance between your website and its users.
A CDN also speeds up all interactions during the SSL/TLS negotiation process.

What is important here is to ensure that your CDN has keep-alive functionality, also referred to as a persistent connection. With keep-alive, a CDN maintains an open connection with the server between different user sessions for a few minutes at a time.
As long as your website is visited once every few minutes, the CDN and origin server won't have to reengage in additional SSL/TLS negotiations. All of your visitors benefit from faster handshake times.

For example
After the SSL connection with the LA proxy is established, in the absence of a keep-alive functionality, the CDN has to re-open the connection with the origin server in London.
The round trip time between LA and London is 30 ms, so it will take 90 ms to negotiate the second SSL connection. This brings the total handshake time back to 150 ms.

The number of round trips required for an SSL/TLS handshake depends on your server's configuration. For example, extra round trips occur when your server isn't optimized to handle TLS records above a certain size, resulting in additional back-and-forth interactions.

Some server configurations can accelerate SSL/TLS communications, including:
False Start – Enables the browser to send encrypted application data even before the SSL negotiation is complete.
Session Resumption – Caches a visitor's and server's information to reduce negotiation times for repeat visitors.
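As an added example (my own code, not from the Imperva article), the following models the round-trip accounting described above so the article's worked figures can be checked and extended to other server and CDN configurations. The article's assumptions are kept (TCP handshake costs one round trip, a full SSL/TLS negotiation two more); the effect of False Start and session resumption (each bringing the negotiation down to a single round trip, not stacking below one) and the 20 ms client-to-edge RTT used in the CDN case are my assumptions, not figures from the page.

```python
# Added example: a small model of TCP + SSL/TLS handshake cost in round trips.
# Assumptions (mine, not the article's): False Start or session resumption cut
# the TLS negotiation to one round trip and do not stack below one; a server not
# tuned for large TLS records pays extra_rtts additional round trips.

TCP_RTTS = 1          # SYN, SYN/ACK, ACK: one round trip before data can flow
TLS_FULL_RTTS = 2     # "two additional round trips" for a full negotiation


def tls_rtts(false_start: bool = False, resumed: bool = False,
             extra_rtts: int = 0) -> int:
    """Round trips spent in the TLS negotiation itself.

    false_start: the browser sends encrypted data before negotiation completes.
    resumed:     abbreviated handshake for a repeat visitor (session resumption).
    extra_rtts:  penalty for a server that is not tuned for large TLS records.
    """
    base = 1 if (false_start or resumed) else TLS_FULL_RTTS
    return base + extra_rtts


def handshake_ms(rtt_ms: float, **tls_opts) -> float:
    """Time to establish TCP plus TLS on one leg with the given round-trip time."""
    return rtt_ms * (TCP_RTTS + tls_rtts(**tls_opts))


def via_cdn_ms(client_edge_rtt: float, edge_origin_rtt: float,
               keep_alive: bool, **tls_opts) -> float:
    """Handshake time a visitor sees when the CDN edge terminates TLS.

    Without keep-alive the edge must open a fresh TCP+TLS connection to the
    origin for this request; with keep-alive that leg is already open and
    costs the visitor nothing.
    """
    first_leg = handshake_ms(client_edge_rtt, **tls_opts)
    second_leg = 0 if keep_alive else handshake_ms(edge_origin_rtt, **tls_opts)
    return first_leg + second_leg


if __name__ == "__main__":
    # The article's figures: 50 ms RTT -> 150 ms direct handshake;
    # 30 ms LA-to-London leg -> 90 ms, 150 ms total without keep-alive
    # (assumed 20 ms client-to-LA leg).
    print("direct, 50 ms RTT:      ", handshake_ms(50))
    print("via CDN, no keep-alive: ", via_cdn_ms(20, 30, keep_alive=False))
    print("via CDN, keep-alive:    ", via_cdn_ms(20, 30, keep_alive=True))
    print("direct, resumed session:", handshake_ms(50, resumed=True))
```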

SSL/TLS communications rely on the existence of SSL certificates. These contain information about your domain and organization, in addition to the public key used to initiate the encrypted communications.

There is a difference between those SSL certificates purchased from an official certificate authority (CA), and free (self-signed) ones that can be generated using the OpenSSL toolkit.

A CA certificate is clearly a much better and more trusted option.
Using a self-signed certificate causes all of your visitors to get an alarming message every time they try to access your HTTPS assets. This can result in a huge dent in your traffic.

All SSL/TLS certificates are graded based on the quality of their individual implementation, usually based on the following criteria:
Protocol support – Preference is given to implementations that enforce the latest and most secure protocols.
Key exchange support – Preference is given to implementations using stronger cryptography when encoding session keys (e.g., Diffie-Hellman 2048-bit parameter).
Cipher support – Preference is given to implementations enforcing ciphers having stronger encryption (e.g., 256-bit).

CDN for a No-Hassle Grade A+ Certificate
Using a CDN means that the first leg of your SSL/TLS connection is always established using the provider's own certificate, hosted on a CDN proxy. This has the benefit of auto-optimizing the security aspects of your SSL communications.
When new SSL vulnerabilities emerge, as they sometimes do, your CDN provider is likely to respond to them much more quickly than you can, updating its SSL implementation as part of your managed service.
This was the case with the Heartbleed and POODLE vulnerabilities. CDN users were among the first to be protected.

Two Are Better Than One
Even with a CDN auto-optimizing the first leg of your SSL connection, it’s still advisable to improve the implementation on the second leg by tweaking the SSL configuration on your origin server.

CDNs for Easy HSTS Activation
HTTP Strict Transport Security (HSTS) is a security feature that ensures that your domain is only accessed via an SSL/TLS connection. HSTS is particularly useful to websites having multiple subdomains, since it can be used to effortlessly manage SSL/TLS across all of them in bulk.

https://www.imperva.com/learn/performance/cdn-and-ssl-tls/
Change the (S)Channel! Deconstructing the Microsoft TLS Session Resumption bug
https://blog.cloudflare.com/microsoft-tls-downgrade-schannel-bug/
Speeding up HTTPS with session resumption
https://calendar.perfplanet.com/2014/speeding-up-https-with-session-resumption/
What TLS Session Resumption (Session Reuse) is for
https://www.evemilano.com/tls-session-resumption/

  • A CDN uses a DNS CNAME record to hide your origin (source) server.

The SOA, or primary DNS server: SOA stands for Start Of Authority.
A CDN can also protect your primary/master DNS server (SOA).
CDNs have the ability to "pull" content from the origin server during HTTP requests in order to cache it.
Besides GET requests, a CDN can also proxy POST requests.
Check with your CDN provider to block PUT, TRACE, DELETE and CONNECT, which are unsafe HTTP methods.

A WAF cannot protect against all layer 7 attacks.
 E.g. application business logic bypass
A WAF uses regular expressions to block matching attack patterns.
WAF regexes need to be constantly fine-tuned and improved to block clever attacks.

A WAF can be bypassed given the attacker enough time to figure it out.
Example: Blind SQL Injection WAF regular expression bypass

CDN WEAKNESS
Although your origin server's IP address is no longer advertised over DNS, it is still connected to the internet.
If your IP address is not kept secret, attackers can bypass the CDN to attack your servers directly.

CDN Security Protection Best Practices
Don't use a guessable origin domain name. The attacker can guess the origin system DNS record to bypass the controls, or find it using Shodan (http://shodanhq.com).
Disable CDN debugging features. The debugging information can be used by attackers to design a DDoS attack.
Only allow your origin server to communicate with your CDN servers by white-listing the CDN servers on your firewall.
Only allow your primary DNS server to communicate with your CDN DNS servers by white-listing the CDN DNS servers on your firewall.
To prevent Direct-to-Origin attacks, subscribe to your ISP's Clean-Pipe service or to a Scrubber service provider.
https://www.slideshare.net/AndrewChong7/content-delivery-network-and-web-application-firewall-v12
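As an added example (my own code, not from the slide deck or any CDN provider), the following audits a constructed DNS zone for the weaknesses listed above: records that are not fronted by the CDN, records that expose the origin address, and guessable origin labels. It also emits the origin firewall allowlist from the best practices as nftables rules. The CDN ranges, CNAME suffix, zone records, origin address and the nftables table and chain names are all hypothetical.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data (hypothetical names and addresses, not from the page):
# the CDN's published edge ranges, the CDN-provided CNAME target suffix, and a
# zone laid out the way the CDN setup guidance describes (root A record into a
# CDN range, subdomains CNAMEd to the CDN), plus records that leak the origin.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
CDN_CNAME_SUFFIX = "cdn.example"            # hypothetical provider suffix
ORIGIN_IPS = {"192.0.2.44"}                 # the address the CDN is meant to hide
GUESSABLE = ("origin", "direct", "backend", "real", "srv")  # labels an attacker would try

Record = Tuple[str, str, str]   # (owner name, record type, value)
ZONE: List[Record] = [
    ("example.com",        "A",     "203.0.113.10"),                 # fronted
    ("www.example.com",    "CNAME", "www.example.com.cdn.example"),  # fronted
    ("img.example.com",    "CNAME", "img.example.com.cdn.example"),  # fronted
    ("ftp.example.com",    "A",     "192.0.2.44"),   # FTP on the origin host
    ("origin.example.com", "A",     "192.0.2.44"),   # guessable name, origin IP
    ("mail.example.com",   "A",     "192.0.2.77"),   # different host, not fronted
    ("example.com",        "MX",    "mail.example.com"),
]


def is_cdn_fronted(rtype: str, value: str) -> bool:
    """True when the record sends traffic to the CDN rather than to a real host."""
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in CDN_RANGES)
    if rtype == "CNAME":
        return value.rstrip(".").endswith("." + CDN_CNAME_SUFFIX)
    return False


def audit_zone(zone: Iterable[Record], origin_ips: set,
               guessable: Tuple[str, ...] = GUESSABLE) -> List[Tuple[str, str, str]]:
    """Return (name, issue, value) findings for records that weaken CDN fronting."""
    findings = []
    for name, rtype, value in zone:
        if rtype not in ("A", "AAAA", "CNAME") or is_cdn_fronted(rtype, value):
            continue
        if rtype != "CNAME" and value in origin_ips:
            findings.append((name, "exposes origin IP", value))
        else:
            findings.append((name, "not fronted by CDN", value))
        if name.split(".")[0].lower() in guessable:
            findings.append((name, "guessable origin label", value))
    return findings


def origin_allowlist_rules(ranges: Iterable[ipaddress.IPv4Network],
                           ports: Tuple[int, ...] = (80, 443)) -> List[str]:
    """nftables rules (assumes an existing 'inet filter' table with an 'input'
    chain) so that only the CDN edge ranges can reach the origin's web ports."""
    nets = ", ".join(str(n) for n in ranges)
    plist = ", ".join(str(p) for p in ports)
    return [
        f"add rule inet filter input ip saddr {{ {nets} }} tcp dport {{ {plist} }} accept",
        f"add rule inet filter input tcp dport {{ {plist} }} drop",
    ]


if __name__ == "__main__":
    for name, issue, value in audit_zone(ZONE, ORIGIN_IPS):
        print(f"{name:22} {issue:24} {value}")
    print("\n".join(origin_allowlist_rules(CDN_RANGES)))
```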

CDN Debugging Tips: Part 1
When using curl to debug CDN behavior, don't ever use curl -I. Using the I flag results in sending a HEAD request and that is often pointless and unintended. Your users will send GET requests not HEAD requests and the CDN may treat HEAD requests very differently from GET requests. So remember: don't use curl -I, ever

Don't test against just one POP
To send a request to a specific target endpoint (e.g. a CDNetworks server in Amsterdam), use the -H flag to add a Host header with your domain:
curl -svo /dev/null -H 'Host: cdn.yourdomain.com' 'http://91.194.205.21/path/to/file'
https://www.cdnplanet.com/blog/cdn-debugging-tips-part-1/