The CDN Edge Web Application Firewall (WAF) has matured greatly over the last couple of years, with Akamai leading the way. Today’s CDNs offering Edge WAF include Akamai, Incapsula, CloudFlare and Yottaa. There are many flavors of WAF, from on-premise WAF, to cloud-based WAF bundled with DDoS Mitigation Services, to CDN Edge WAF. In my opinion, the CDN Edge WAF is likely to thrive amongst all options, because securing the content and delivering it from the same rack or data center makes the most architectural sense from a performance standpoint. When caching servers are next to DDoS Mitigation Appliances and WAF servers, hundreds of milliseconds are saved in the process, as opposed to having a WAF/DDoS Mitigation Service sit in one POP and CDN caching servers in another POP.
The need for change is here. CDNs must build the next generation of the Edge WAF in order to counter tomorrow’s DDoS attacks, which are becoming more sophisticated and lethal. What is the next-generation CDN Edge WAF? The next iteration of the Edge WAF must incorporate advanced algorithms that enable it to learn its surroundings and make decisions based on certain types of behavior and traffic patterns. The next-gen Edge WAF must become an advanced behavioral application that analyzes traffic patterns in order to detect anomalies and take action. FireEye, Fortscale, and many other cybersecurity platforms have this type of functionality built in, where they analyze data in order to detect zero-day vulnerabilities and advanced malware. I bet Akamai and Incapsula will make the first move into this area, then the rest of the CDN industry will follow suit.