Apps and APIs - Protect your brand by securing apps and APIs from persistent threats
How Akamai Web Security Service works
Let's get started! Our wizard walks you through a basic setup of your product, including creating certificates and other resources you may need to serve content on our network.
Are you new to Akamai Control Center or new to a product offered in Control Center's setup wizard? We'll customize your experience based on what your site needs to start serving traffic quickly. This means that you may see a few features instead of many for a product you're familiar with. You may also notice some differences between experiences if you're setting up a different product than one you've set up in the wizard before.
Here's a look at the steps you'll take. Your specific steps may vary depending on what your hostname needs:
Set up your core content delivery network (CDN) settings and any specialized products you may have, like Web Application Protector, if applicable. Your core CDN settings include creating an edge certificate.
Review and test your site on the network.
Go live. CNAME over to Akamai, test your site again, and serve live traffic.
If you want to, edit your new configuration and related objects to fine-tune your site.
Refer here: Get started with Akamai's content delivery solutions
Akamai Service Onboarding Example
5a. Change www.akamaicustomer.com A record to CNAME with customer confirmation
5b. www.customername.com A 1.2.3.4 → www.customername.com CNAME www.akamaicustomer.com.edgesuite.net
- Security Configuration actions to do:
  1. Create a certificate in Certificate Provisioning System (CPS)
  2. Create, configure, and activate a Property Manager configuration to deliver origin traffic to end users through the Akamai platform
  3. Create, configure, and activate a Security Configuration and a Security Policy for the web security services
- Security Configuration
- Hostnames and path, Logging (SIEM)
- Security Policy
- Hostnames and path
- IP/Geo Firewall
- DoS Protection (Rate Policy)
- Custom Rules
- Web Application Firewall
- API Request Constraints - API Definition and API Discovery
- Client Reputation (AAP W/ ASM only)
- Bot Visibility & Management
- Malware Protection
- Target Digital Asset: define target hostname for POC
- Customer solution (https://products.akamai.com or https://control.akamai.com/apps/dpl/#/)
- POC Process - AAP included delivery
- Property Manager configuration
- Hostname, edge hostname, origin hostname, Certificate Provisioning System (CPS) for certificates, caching
- Configuration Test
- Production site test
- Property Manager test
- staging (staging edge hostname *.edgesuite-staging.net, e.g. www.customer.com.edgesuite-staging.net)
- production (production edge hostname *.edgesuite.net, e.g. www.customer.com.edgesuite.net)
- Spoofing test (Customer and Service team)
- Change DNS A record to CNAME
- Non-production site test
- Property Manager test on production (production edge hostname *.edgesuite.net, e.g. www.customer.com.edgesuite.net)
- Change DNS A record to CNAME
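The two checks in the POC process above, the spoofing test against the staging edge hostname before the DNS change and the CNAME verification after it, as an added shell example (not Akamai's own tooling). It assumes the page's placeholder hostnames (www.customer.com with edge hostname www.customer.com.edgesuite.net) and uses only standard `dig` and `curl` options; the Akamai debug Pragma values and the `AkamaiGHost` Server header are Akamai edge conventions, not content from this page.

```shell
#!/bin/sh
# Added example: staging spoof test before cutover, CNAME check after cutover.
# Hostnames are the page's placeholders (www.customer.com); nothing here is run
# against a real site unless you pass a hostname on the command line.
set -eu

# Derive the staging edge hostname from the production edge hostname, e.g.
# www.customer.com.edgesuite.net -> www.customer.com.edgesuite-staging.net
staging_edge_hostname() {
  case "$1" in
    *.edgesuite.net) printf '%s\n' "${1%.edgesuite.net}.edgesuite-staging.net" ;;
    *.edgekey.net)   printf '%s\n' "${1%.edgekey.net}.edgekey-staging.net" ;;
    *) echo "unknown edge hostname suffix: $1" >&2; return 1 ;;
  esac
}

# Spoofing test: send the site's Host header to a staging edge IP without changing
# public DNS, then confirm the Akamai edge answered (Server: AkamaiGHost).
# Returns 0 when the staging edge served the request, 1 otherwise.
staging_spoof_test() {
  site=$1; edge=$2
  staging=$(staging_edge_hostname "$edge")
  ip=$(dig +short "$staging" | grep -E '^[0-9.]+$' | head -n 1)
  [ -n "$ip" ] || { echo "no A record for $staging" >&2; return 1; }
  curl -sS -o /dev/null -D - --resolve "$site:443:$ip" \
       -H 'Pragma: akamai-x-cache-on, akamai-x-get-cache-key' "https://$site/" \
    | grep -qi '^Server: AkamaiGHost'
}

# Post-cutover check: the first DNS answer for the site must be the CNAME to the
# edge hostname, not the old A record.
# $1 = output of `dig +short <site>`, $2 = expected edge hostname.
cname_points_to_edge() {
  first=$(printf '%s\n' "$1" | head -n 1 | sed 's/\.$//')
  [ "$first" = "$2" ]
}

# Usage: ./check.sh www.customer.com [www.customer.com.edgesuite.net]
if [ -n "${1:-}" ]; then
  site=$1; edge=${2:-$1.edgesuite.net}
  staging_spoof_test "$site" "$edge" && echo "staging OK for $site"
  cname_points_to_edge "$(dig +short "$site")" "$edge" && echo "cutover complete for $site"
fi
```

Run the spoof test while the A record still points at the origin; once the CNAME is in place, the second check confirms public resolution goes through the edge hostname.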
- Platform requirements
  - Scalability to match traffic demands and provide continuous protection without loss of performance
  - Network layer [L3/4] distributed denial-of-service (DDoS) mitigation with a zero-second service-level agreement
  - Architecture that can overcome the challenges of geographically dispersed applications
  - Visibility into who is attacking, the frequency of attacks, and the severity of attacks, with crowd-sourced attack intelligence across the platform
  - Audit log capabilities to ensure proper usage
  - Reverse proxy for web traffic via ports 80 and 443
  - Protection of on-premises, private, or public cloud (including multi-cloud or hybrid-cloud) site origins
  - Network privacy protections with SSL/TLS encryption
- Web Application Firewall and DDoS Protection
  - Detection beyond signature-based attacks with anomaly and risk-based scoring
  - Fully managed WAF rules to eliminate the need for continuous configuration and updates
  - Machine learning, data mining, and heuristics-driven detection capabilities to identify rapidly evolving threats
  - Client reputation scoring and intelligence for both individual and shared IP addresses
  - Automatic web application firewall (WAF) rule updates with continuous real-time threat intelligence from security researchers
  - Custom rules to quickly protect against specific traffic patterns (virtual patching)
  - Ability to test new or updated WAF rules against live traffic before deploying to production
  - Request rate limits to protect against automated or excessive bot traffic
  - Protection (at a minimum) against SQL injection, XSS, file inclusion, command injection, SSRF, SSI, and XXE
  - Protection from direct-to-origin traffic (origin bypass)
  - Fully customizable predefined rules to meet specific customer requirements
  - IP/Geography controls via multiple network lists to block or allow traffic from specific IPs, subnets, or geographic areas
  - Protection from application layer [L7] volumetric DoS attacks designed to overwhelm web servers with recursive application activity
  - Protection from automated clients, such as vulnerability scanning and web attack tools
- API Visibility, Protection and Control
  - Automatic discovery and profiling of unknown and/or changing APIs (including API endpoints, characteristics, and definitions)
  - Rate controls (throttling) for API endpoints based on API key
  - Automatic inspection of XML and JSON requests to detect API-based attacks
  - API network lists (allowlists/blocklists) based on IP/Geography
  - Custom API inspection rules to meet specific user requirements
  - API lifecycle management with versioning
  - Ability to predefine acceptable XML and JSON object formats that restrict the size, type, and depth of API requests
  - Secure authentication and authorization via JSON Web Token (JWT) validation
  - Protection of API back-end infrastructure from low and slow attacks designed to exhaust resources (e.g., Slow POST, Slow GET)
  - Definition of allowed API requests by key (quota for each key defined independently) for full control over consumption
  - Real-time alerts, reporting, and dashboards at the API level
  - API onboarding using standard API definitions (Swagger/OAS and RAML)
- Flexible Management
  - Open APIs and the CLI to integrate security configuration tasks into CI/CD processes
  - Real-time dashboards, reporting, and heuristics-driven alerting capabilities
  - Integration with on-premises and cloud-based security information and event management (SIEM) applications
  - Centralized user interface (UI) to access detailed attack telemetry and analyze security events
  - Full staging environment and the ability to implement change control
  - Flexibility to manage WAAP via high-touch controls and/or fully automated protections
  - Self-tuning security protections that automatically adapt to your traffic
  - Fully managed security services to offload or augment your security management, monitoring, and threat mitigation
Web Security Products POC Selection Process
Web Security Configuration Checklist
POC Checklist