INTEGRA Open Source at Integra Dubai AGILE. SECURE. TRANSFORMATIVE.
LinkedIn Facebook Social Media
Amazon Web Services (AWS) Web Application Firewall (WAF) Service Delivery
Case Study - CloudFront for Asset and Application Delivery

Iskaan is a multi-community management solution operating in the Middle East. The applications have multiple components from addressing customer questions, to managing booking, making and tracking of payments for customer properties, connecting community and building managements to owners, tenants and third-party service providers.

 

Iskaan had a rather constrained environment which was not highly available, secure and prone to disaster. The pipeline for deployment of code was not setup. They wanted an environment which was highly available, secure, have regular backup for their data and scalable for any unprecedented events. The project also called for a warm DR environment with real time replication between regions.

The backend legacy API is used for serving dynamic responses when invoked with REST via load-balancer endpoints (ELB). Being the most critical part of the operation of the business, preventing DDoS attacks, lowering API request throttling and API call response latency, and speed of content delivery is crucial to operational excellence.

The deployment of the entire web application on AWS after re-architecting to a highly available, resilient, scalable and immutable environment with the adoption of DevOps principles and CI/CD methodology helped the customer to have an always-on infrastructure serving their thousands of corporate customers in the Middle East. Specifically, with the help of Amazon CloudFront, it was possible to offer the end users blazing fast content, both static and dynamic and offer secure access to confidential customer documentation, uploaded and stored on S3. This is made possible with the combination of Amazon CloudFront and AWS Web Application Firewalls.

Amazon CloudFront helps in mitigation against DDoS attacks by reducing the number of requests abd connections back to the origin, thus protecting the origins from flood and reflection attacks. It also prevents slow writing attackers using applications like sloworis. OWASP rules on AWS WAF prevent the most common threats to the application and assets.

The use of signed URLs restrict the content to authenticated users, and is further restricted by time that a resource is available once the URL is signed. OAI and custom headers helps in further restrictions on the content and how it is accessed.

Latency and time to first byte is reduced by CloudFront which uses keep-alive connections, TCP slow start optimization, and proximity connections.

Usage and anomalies are monitored in near realtime by integration with our managed NOC/SOC which uses a custom ELK stack for monitoring, dashboarding, and alerting.

 

HOW THE ENVIRONMENT IS SECURED

The environment is secured with Amazon CloudFront, AWS WAF, AWS Certificate Manager and other AWS services. Domain Fronting and Sub Domain misuse is prevented by CloudFront by comparing the account from which the ACM SSL certificate is issued with the domain making the request. If the accounts do not match, a 421 reply is returned by CloudFront. Alternate domain (CNAME) misuse is also prevented by CloudFront.

Data is encrypted in transit at all points right to the origin. TLS v1.2 is enforced and all non-secure requests are upgraded to secure HTTPS. Requests to S3 and other content requests are protected with header options like X-XSS-Protection and X-Content-Type-Options. Lambda@Edge is used to dynamic header modifications. OAI is used for making sure no direct access to buckets are allowed.

 

The image below shows the architecture of the Integra SOC ELK stack and the integration with customer accounts. This is a generic representation and is common to all customers.

Having Amazon CloudFront immediately decreased the average time to first byte as well as overall load times for web pages. Increased security for the content, protection from hotlinking, domain spoofing as well as domain fronting were achieved as a result of CloudFront deployment. The integration of the AWS Web Application Firewall protects the site and its availability by the use of default as well as custom rulesets. The API and customer assets are used extensively by applications and connected to from different third party applications, and a marked improvement in response times as well as availability is seen and reported by customers of Iskaan.

AWS COMPONENTS USED

Amazon CloudFront

Amazon S3

AWS WAF

Amazon EC2

Amazon ALB

Lambda

AWS ACM Lambda@Edge AWS ElasticCache

 

Integra Technologies FZE
PO 341352, A4-311, Dubai Digital Park
Dubai Silicon Oasis
Dubai, United Arab Emirates

Telephone: +971 4 3364 840
Fax: +971 4 3364 842
Email: info@integratech.ae

Integra Cloud Technologies LLC
PO 341352, A4-311, Dubai Digital Park
Dubai Silicon Oasis
Dubai, United Arab Emirates

Telephone: +971 4 3364 840
Fax: +971 4 3364 842
Email: info@integratech.ae

Integrasys Technologies
Level 2, B'Hub
Mar Ivanios Campus
Trivandrum, India

Telephone: +91 81290 16520
Email: info@integratech.ae

Current Events


No current events.

 

Copyright © 2004-2021 Integra Technologies FZE