Secure CDN: Achieving Managable, Controllable and Centralized Management

As many countries place great importance on security, specific laws and regulations have been developed to standardize and supervise product safety. In China, laws and regulations such as the "Cybersecurity Law", "Basic Requirements for Information System Security Protection", "Data Security Law", and "Personal Information Protection Law" have been implemented. In the European Union, regulations such as the "General Data Protection Regulation" and "European Cyber Resilience Act" have been introduced, covering various areas including host security, data security, personal information, and network security. Moreover, national-level cybersecurity initiatives like network protection campaigns and National Cybersecurity Awareness Weeks continue to expand, demonstrating the significant attention given to security by the respective countries. At the same time, cyberattackers are becoming more sophisticated in their techniques, diversifying their attack methods and aiming at lower-level targets. These observations reveal that content delivery network (CDN) customers face three key security pressures: external attack pressure, compliance governance pressure, and security operation and maintenance (O&M) pressure.

To address the security demands mentioned above, ZTE has developed its secure CDN solution that incorporates security as a significant component of CDN. Secure CDN builds a CDN system that is founded on host security and targets business security. It achieves a comprehensive protection from the inside out by detecting, analyzing, blocking and tracing security incidents at the host and business levels. Through the professional service security operation center (SSOC), secure CDN also achieves manageable, controllable and centralized management, allowing for rapid respond to various security incidents.

ZTE Secure CDN Solution

ZTE secure CDN solution consists of two major components: the management center and the client program. The management center adopts a B/S architecture, allowing administrators to manage the host devices effectively. This includes managing device login accounts, process management, log auditing, security policy configuration, host security, and anti-tampering module settings, creating an integrated security system. The client program is an independent program running on the local host. It executes tasks and policies issued by the management center, and collects and reports behavior data necessary for security auditing and detection. The functional modules of ZTE secure CDN solution are shown in Fig. 1.

—Host security: By utilizing log analysis and event tracing technologies, combined with functions such as asset management, vulnerability scanning, risk detection, and baseline check, ZTE secure CDN solution promptly identifies potential security risks in servers. These risks include security vulnerabilities, weak passwords, file upload risks, and fileless attacks. The solution offers comprehensive protection and early warning against malicious scanning, brute-force attacks, abnormal login, reverse shell, and local privilege escalation.  

—Service security: By utilizing the operating system kernel protection technology, ZTE secure CDN solution monitors and protects the content in CDN servers in real time to prevent unauthorized tampering. The solution incorporates remote disaster recovery and anti-hotlink protection technologies to safeguard service security within CDN servers. Additionally, the data masking technology is also used to prevent the disclosure of sensitive data stored in CDN servers.

• Content Security
  

The CDN host server primarily consists of VOD content, live streaming content, TSTV and TVOD, and database. ZTE secure CDN solution protects the security of the content within CDN from the three aspects:

—Local content tampering prevention: Using the operating system kernel event-triggering technology, the solution protects the security of the content stored in CDN host servers.

—Content distribution tempering prevention: Comparing feature values of the files, the solution safeguards the security of VOD content distributed between CDN nodes.

—Live streaming tempering prevention: Implementing tamper-proofing for streaming media based on I-frame and for HLS content based on TS file feature values, the solution ensures the security of live content distributed between CDN nodes.

In addition, in emergency scenarios, the solution offers a one-click shutdown feature to quickly take content offline, minimizing the negative impact of unauthorized content. It also provides a one-click reset function for TVOD to reset any on-compliant content, ensuring compliance and security.

• Service Security

To ensure the security of CDN services, ZTE secure CDN solution offers security protection in terms of user service, service quality, source legitimacy, and node disaster recovery. These security measures provide reliable protection and support for CDN services.  

—User service anti-hotlink protection: User requests are encrypted using algorithms such as AES or MD5 to prevent unauthorized access or hotlinking.

—Service quality protection: By utilizing forward error correction (FEC) for live streaming, the solution ensures user viewing quality even in scenarios with a 2% packet loss, without introducing any additional latency. Additionally, the automatic repeat-request (ARQ) technology for VOD enables automatic retransmission of lost packets, ensuring optimal user experience even in situations with a 5% packet loss.

—Fraudulent website alert: The system for detecting fraudulent websites leverages big data resources and advanced technologies to build a precise and efficient system for technical blocking and countermeasures. Its goal is to prevent fraudulent calls, block fraudulent messages, restrict access to fraudulent websites, and prevent fraudulent money transfers.

—Node disaster recovery: By utilizing various disaster recovery technologies including Anycast scheduling, private network redundancy for live streaming, source redundancy for live streaming, and active/standby platform, the solution ensures uninterrupted service of CDN nodes even in abnormal scenarios.

• Data Security

Sensitive data such as IP addresses, user names, passwords, and email addresses are stored in CDN. To prevent the disclosure of sensitive user data, secure CDN provides a visual management interface for data masking configuration. It adopts AES256 reversible encryption algorithm and SHA256+ SALT irreversible algorithm to mask sensitive data, effectively preventing data disclosure within the CDN.

• Host Security

To ensure the security of the CDN host, a comprehensive approach is implemented. Initially, a thorough assessment of CDN hardware and software assets is conducted to identify potential vulnerabilities and ensure compliance. Subsequently, proactive measures are taken for attack defense and detection. Finally, a traceability analysis is performed to establish an integrated host security defense system.

—Asset management: This involves managing server basic information, processes, accounts, ports, network connections, and operating system.

—Risk detection: This involves detecting risks within the host, such as backdoors, vulnerabilities, weak passwords, trojans, and abnormal files. By identifying these abnormal risks in the host, the system triggers alerts to initiate further inspection.

—Intrusion detection and defense: This involves detecting and alerting on threats such as abnormal login, backdoors, local privilege escalation, malicious scanning, malicious processes, and brute-force attacks. It also includes proactive defense against CSRF attacks, deserialization attacks, file upload attacks, SQL injection attacks, and other attack behaviors.  

—Security O&M: The host security O&M subsystem monitors various security states on CDN host devices, including abnormal processes, operations, account activities, and other exceptional conditions.

Future Product Planning

To improve the security and governance capabilities of CDN, it is recommended to adopt systematic defense and digital operations for product planning. This involves building a layered defense system through capability stacking and using digital metrics to drive security operations, thereby enhancing the practical effectiveness of CDN's security protection. The future secure CDN planning will focus on the following three aspects:

• Building a unified security platform to simplify management: Integrating CDN security products with a unified design concept, including platform integration, functional integration, and management integration. This can significantly simplify the complexity of CDN system construction, operation and expansion.
• Implementing a layered defense system for manageable security risks: Optimizing closed-loop defense strategies against security threats, and planning based on prevention, protection, detection and response. This enables effective defense against both known and unknown security threats, significantly reducing security risks.  
• Providing security operation tools to improve CDN security intelligence: Providing methods and tools for security operations to present CDN security effects in real time. This enables targeted analysis of current weaknesses and facilitates the improvement of CDN security management maturity and intelligence level as needed.