Akamai To Imperva Incapsula Migration Guide
Akamai to Imperva IncapsulaMigration GuideG U IDE1
Akamai to Imperva IncapsulaMigration GuideGU I D EIntroductionImperva Incapsula is an enterprise-grade cloud service that helps companies deliver applicationsmore efficiently and securely. This is accomplished through four core sub-services: CDN &Optimizer, Website Security, DDoS Protection and load balancer. Leveraging a multi-layerapproach and product set, the Incapsula service accelerates the delivery of web content andprotects applications from external threats and attacks.The purpose of this guide is to help enterprises successfully migrate from Akamai’s CDN to theIncapsula CDN. It is intended for Akamai customers who have decided to leave Akamai’s CDNand are planning their transition to the Incapsula CDN.This document provides practical guidance for planning and executing migrations of websitesand applications from the Akamai network to the Incapsula network. In addition to providingbasic information about configuring and setting up the Incapsula service, this guide alsooutlines the key similarities and differences in the way the services work, so you can betterunderstand what to expect when you move to Incapsula.Basic ConfigurationScopingFor both Akamai and Incapsula, the definition of a site is the same. Each site is designatedby a DNS record, known as a CNAME, which represents a domain or subdomain (e.g., www.example.com, blog.example.com). The CNAME is provided by Incapsula when you migrate tothe service. You will also receive an IP record for your top level (naked) domain (e.g., example.com).Supporting SSL TrafficIf you are using the Kona Web Application Firewall to inspect and filter SSL traffic, you may recallthat adding the SSL support required a lengthy process that typically takes up to one month.For enterprises migrating to Incapsula, setting up support for SSL certificate is simple, fast(usually within 24 hours) and free of charge. You can upload your own SSL certificate using theIncapsula customer self-service portal, or generate a new certificate via Incapsula.During system activation, Incapsula automatically identifies websites that support SSL traffic(HTTPS) and leads you through a simple setup process for those sites. This process generates acertificate for your domain that will be hosted on our servers. During the setup process you willbe asked to approve the creation of a certificate by our certificate provider.The process of adding SSL support involves three simple steps:1. Within 24 hours of adding the website you will receive an email from one of our SSLcertificate authority partners, requesting approval to generate an SSL certificate for yourdomain. To approve this request simply reply with “yes” in the message body.2. After your approval Incapsula will provision the service to support SSL on your domain. Thisprocess can take up to 24 hours.3. Once the process is completed, you will be notified by email and you will be able to proceedto the next step of adding your website to the Incapsula service2
Akamai to Imperva IncapsulaMigration GuideGU I D EClient IP TrackingMany application owners need to track the IP addresses of their visitors. This becomes morecomplicated when the application is delivered via proxy servers on a CDN, since the applicationsees the proxy’s IP address rather than the client’s real IP.The X-Forwarded-For (XFF) HTTP header is the de facto standard (RFC) for identifying theoriginating IP address of a client connecting to a web server through an HTTP proxy or loadbalancer. The main drawback of XFF is that if your traffic passed through three proxies, threeheaders are added to your web page, which adds complexity for your application.For this reason CDNs like Akamai and Incapsula use proprietary headers rather than thestandard XFF format. Akamai customers typically do this with a header called “True Client IP,”which can be customized as needed.The Incapsula version of this proprietary header is known as “Incap-Client-IP”, and is providedfree of charge. In order to keep using the header name you used on Akamai (and to avoidmaking changes to your applications), you can customize the “Incap-Client-IP” header name to“True Client IP” using the Incapsula configuration settings.Transition ProcessIncapsula and Akamai use DNS redirection to re-route incoming traffic (HTTP/HTTPS) throughthe CDN. Thus, migrating website and application content to Incapsula is a simple matter ofsetting the sites up in Incapsula, then making the necessary DNS change.It should be kept in mind that customers using Akamai’s Managed DNS service in conjunctionwith its CDN will most likely prefer to add a new DNS provider. Incapsula, for its part, canwork with any DNS provider (many are free). Once you’ve chosen your new DNS provider, therelevant entries need to be set to point your traffic to Incapsula.LegitimateTrafficYour WebsitesTransitioning Static and Dynamic DomainsDynamic ContentDynamic.example.com3
Akamai to Imperva IncapsulaMigration GuideGU I D ELegitimateTrafficTransitioning Static and Dynamic DomainsYour WebsitesTo support Akamai’s caching capabilities, many Akamai customers have split their applicationsin such a way that static content is sent to one subdomain and dynamic content is sent toanother. The static content is then sent through Akamai’s CDN, while the dynamic content isneither accelerated nor secured by Akamai. This type of conguration allows the dynamic site tocall the static content directly from Akamai’s network (see diagram below).Transitioning Static and Dynamic DomainsDynamic ContentDynamic.example.comLegitimateTrafficYour WebsitesWebsiteVisitorStatic Contentstatic.example.comTransitioning Static and Dynamic DomainsCustomerWeb ServerAkamai NetworkDynamic ContentDynamic.example.comIn contrast to Akamai, the Incapsula CDN is built to analyze and cache both static and dynamiccontent, so there is no need to break out content by type (static/dynamic). Content is fetched asTransitioningStatic andDomainsneededand storedonDynamicIncapsulaServers. The content is refreshed periodically based on userdefined cache settings.Incapsula further simplifies website optimization through the use of a proprietary algorithmWebsiteCustomerwhich dynamicallyresourcesStaticare cacheable,algorithmContentand for how long. ThisVisitor learns whatwww.example.comWebServercontinuously probes website swhich arestatic.example.comin essence static as they do not change over time and for different users. These resources areAkamaiNetworkthen cached to significantlyreduceload timesand reduce server loads.Your ContentsContentis en migrating your content to Incapsula, you have the choice of keeping your existingCustomer ServerVisitorAkamai setup and simply putting both domains on the Incapsula cloud. Alternatively, you canmerge them into a single domainfor easiermaintenance over the long run. Incapsula supportsIncapsulaNetworkboth scenarios.Transitioning Static and Dynamic Domainswww.example.comWebsiteVisitorContent is automatically fetchedand cached as neededYour ContentsCustomer ServerIncapsula Network4
Akamai to Imperva IncapsulaMigration GuideGU I D ESecurityThe Kona Web Application Firewall is an integral part of Akamai’s CDN offering, providingapplication level defense against SQL injection, cross-site scripting and other types of web attacksthat can result in data theft. When migrating your websites or applications from Akamai’s CDN,it is important to make sure that the new CDN also provides the highest level of web applicationsecurity.Web Application FirewallIncapsula includes a PCI-compliant, enterprise-grade web application firewall with similarfunctionality to Kona. For a high-level feature comparison, see the table below:F E ATUREAKAMAIIN CAPSU LAG a rt n e r M a gi c Q u a dra n t lea d i ngP C I- c om pl i a n t WAFA c c e s s c on t rol (w h i t e /bla c k li st i ng (IP re pu t at i on - ba s e d m on i t o r i ng sy st emA P I i n t e grat i onC l i e n t c l a s s i c at i on a l gor i t h ms t o mi t i g at ea dv a n c e d botsTra n s pa re n t progre s s i v e c h a l l e ng es f o r mi ni ma lu s e r i m pa c t a n d re du c e d fa lse p o si t i v esBa c kdoor prot e c t i on t o gu a rd a g a i nst ma lwa rei n fe c t i onTw o- fa c t or a u t h e n t i c at i on t o p rev ent b rea c h b ys t ol e n pa s s w ord sS e l f- s e r v i c e c u s t om i z at i on o f sec ur i t y r ules6 0 - s e c on d s e c u r i t y r u l e p ro p a g at i o nProdu c t i z e d S IE M i n t e grat i on wi t h p re- ma d eda s h boa rdsA more detailed feature-to-feature comparison of the CDNs can be found .htmlSome of the key Differences between the Kona and Incapsula WAFs are described in moredetails in the following pages.5
Akamai to Imperva IncapsulaMigration GuideGU I D ECustom Security RulesMany Akamai users have implemented custom security rules to allow for faster response andmore flexible enforcement of their organization’s security policies.As custom rule creation is typically performed by Akamai’s Professional Services team, theturnaround time for rule creation and propagation across Akamai’s network can take days or weeks.Our answer to this is IncapRules, a proprietary scripting language that allows users toimplement their own security and access control rules – on demand – on top of the existingIncapsula security logic. These rules are created via a dedicated GUI that is designed to simplifythe rule generation process. Mirroring the Incapsula security-oriented approach, custom rulescan be propagated system-wide within 60 seconds.When migrating from Akamai, there is no programmatic way to transition existing customsecurity rules to Incapsula. We recommend that you download an XML file from Kona with allthe custom rules. Then, re-create these rules in Incapsula using the intuitive and user-friendlyIncapRules editor. Alternatively, the Incapsula Professional Services team can be hired toperform the initial bulk custom rule creation.IP Reputation and Client ClassificationKona’s Client Reputation feature crowdsources feeds of IP addresses and assigns scoresbased on their propensity to perform malicious activities such as web application attacks,DDoS attacks and vulnerability scanning. The scores reflect prior behavior as observed overthe Akamai network and analysis by Akamai’s security intelligence platform. Based on thereputation score of the IP address, Kona automatically allows, alerts or blocks the incomingtraffic.If you’ve been using Kona’s Client Reputation feature to improve your security decisions, youcan achieve similar results using the Incapsula enhanced IP Reputation and Client Classicationfeatures (which are available free of charge as part of the WAF).Incapsula combines crowdsourced data from its own network (comprising hundreds ofthousands of websites) with a big data analytics platform that monitors attack vectors andsignatures, attacker IPs, malicious bots (e.g., PushDo or Cyclone) and botnet signatures.These capabilities are complemented by the Incapsula client classication engine that analyzestraffic in real time. This is critical when it comes to distinguishing legitimate website visitors(humans, search engines, etc.) from automated or malicious bots. The client classication engineidentifies bots based on header data, IP addresses and ASN numbers, behavior monitoring,client technology fingerprinting and more.Once a bad bot is identified, a signature is created for it. This means the next time this botcomes to visit any site protected by Incapsula, it will be immediately blocked. Moreover, thereputation of the attacking IP is also recorded and added to the IP reputation database.6
Akamai to Imperva IncapsulaMigration GuideGU I D EIntegration and API AccessAkamai customers are typically provided API access to facilitate integration with their ownbackend systems. Similarly, the Incapsula service comes with an API that enables enterprises tostreamline customer provisioning and account management.In addition, to enrich your existing security event management workows, Incapsula hasdeveloped a connector for integration with several leading SIEM platforms, including HPArcSight, Splunk, and McAfee. This connector is designed to provide SIEM integration withoutthe need for professional services, consultants, or specialized IT expertise.This connector resides on the customer’s network, and serves as a link between the SIEM andthe Incapsula API. In addition to near real-time event reporting and strong data encryption, thisoffering includes pre-made custom dashboards and reports for easy viewing of incoming datafrom within the SIEM.PerformanceIn terms of their approach to content caching, there are differences in functionality betweenAkamai and Incapsula. While both CDNs support most major use cases, their approaches tocontent caching differ as described in the sections below.Akamai Content Caching Use Cases1. “Push CDN” for Very Large Static FilesThe “Push CDN” model is typically used by developers to distribute applications and newsoftware versions to users. These very large files are “pushed” (i.e., uploaded) by developersto the CDN, where they are available for download by users from the closest available POP.Akamai’s CDN is used by numerous companies to support this use case. Incapsula, on the otherhand, was built to work with websites and applications and hence does not support the “PushCDN” model.2. Static Content Relevant to Website or ApplicationAkamai’s caching options are optimized for delivery of large static files, such as graphicimages. Akamai supports static content caching by creating a new domain (e.g., static.example.com) containing all static content. Client websites link to the static domain and retrieve thecached content as needed. For websites containing both static and dynamic content, this usecase requires maintaining separate domains for the static and dynamic content. Incapsulacan support this use case, and enables Akamai users to migrate both domains “as is” to theIncapsula cloud.7
Akamai to Imperva IncapsulaMigration GuideGU I D E3. Dynamic Content CachingDynamically-generated content—the type often found on modern script-generated websites,SaaS (software as a service) and other highly-personalized web applications – requires moresophisticated capabilities than static content. Due to the sensitive data used by today’s dynamicapplications, this type of content requires both acceleration and security.Akamai’s Dynamic Site Accelerator (DSA) feature is used by some clients to support dynamiccontent caching. DSA pulls and caches fresh content continuously onto servers that are close to theend user, relying heavily on network optimization and compression techniques to reduce latency.Incapsula was built from the ground up to support dynamic content delivery, and usesintelligent caching methods to provide a comprehensive acceleration solution. For instance,Incapsula utilizes advanced traffic profiling algorithms to auto-identify and cache dynamicallygenerated content and to serve that content directly from memory.4. Video StreamingAkamai specializes in video streaming and offers unique capabilities, such as live videostreaming, not supported by Incapsula. Akamai supports complete video file caching, as well ascaching file ranges to enable users to “jump” within a video file.Incapsula is able to cache complete video files, but does not support caching of file rangeslike Akamai does. Customers migrating from Akamai with video streaming needs should use adedicated streaming service alongside Incapsula.Incapsula provides an equivalent solution for most major use cases:AK AMAI USE CASEIN CAPSU LA EQU IVALEN TPu s h C DNNo t Av a i la b leSt at i c Con t e n t Ca c h i n gI nc a p sula C D NDy n a m i c Con t e n t Ca c h i ngI nc a p sula C D NVi de o St rea m i n gNo t Av a i la b leA feature-to-feature comparison of the CDNs can be found .html8
Akamai to Imperva IncapsulaMigration GuideGU I D ELoad BalancerAkamai provides local server load balancing capabilities using cloud-based application-levelload distribution. These capabilities include control and real-time monitoring options, severalchoices of load balancing algorithms, and local server failover. Akamai also offers a DNS-basedglobal traffic management solution for global server load balancing and site failover.The Incapsula application-level local server load balancing is very similar to that of Akamai,enabling an easy transition for Akamai customers. It supports a variety of session-persistentload balancing methods that intelligently distribute the load among servers based on the actualflow of traffic.If you maintain multiple data centers, Incapsula also offers a highly effective Global Server LoadBalancer (GSLB) solution to meet your needs. Routing decisions are based on real-time analysisof HTTP requests, allowing for a range of distribution algorithms, including “best connectiontime” and geo-targeting. Rather than relying on DNS, Incapsula leverages its reverse proxynetwork to enable immediate re-routing as conditions change.With respect to disaster recovery, the Incapsula Site Failover solution uses application-levelload balancing to eliminate the TTL-related delays and uneven performance characteristics ofDNS-based solutions.Migration Planning ChecklistThe following checklist can be used as a guide to make sure you cover all the bases in planningand executing your transition from Akamai to Incapsula.1. ScopingPerform basic scoping by answering the following questions about your environment.How many sites do you wish to secure and accelerate?How much aggregate bandwidth will they have?Do you need additional DDoS Protection?Do you want to enable two-factor authentication to protect your websites’ admin areas?If yes, how many users will need access?Will you be using a load balancer?If yes, how many data centers?2. TransitionCreate Incapsula accountCongure sites to be transitioned in the Incapsula UISet up SSL certicates for sitesMake DNS changes to redirect site traffic through Incapsula9
Akamai to Imperva IncapsulaMigration GuideGU I D E3. Advanced SetupConfigure caching and optimization rules to maximize website performanceCreate custom security rules using the IncapRules engineSet up load balancer (to support complex deployments)If you need further assistance with your transition to Akamai, please visit us athttp://support.incapsula.com or contact our Support team 24/7 at support@incapsula.com.About Imperva IncapsulaImperva Incapsula is a cloud-based application delivery service that protects websitesand increases their performance, improving end user experiences and safeguarding webapplications and their data from attacks. Incapsula includes a web application firewall to thwarthacking attempts, DDoS mitigation to ensure DDoS attacks don’t impact online businessassets, a content delivery network to optimize web traffic, and a load balancer to maximize thepotential of web ionDeliveryLOADBALANCERCONTENTDELIVERYNETWORKOnly Incapsula provides enterprise-grade website security and performance without the needfor hardware, software, or specialized expertise. Unlike competitive solutions, Incapsula usesproprietary technologies such as client classification to identify bad bots, and big data analysisof security events to increase accuracy without creating false positives. 2016, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, Skyfence, CounterBreachand ThreatRadar are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarksor registered trademarks of their respective holders.10imperva.com
Akamai to Impera Incapsula Migration uide Transitioning Static and Dynamic Domains To support Akamai's caching capabilities, many Akamai customers have split their applications in such a way that static content is sent to one subdomain and dynamic content is sent to another. The static content is then sent through Akamai's CDN, while the .
new configuration, Akamai Luna Control Center runs a series of tests against your FTP It can be server. used in conjunction wi th Akamai's Net Storage product . 15. Once FTP has conjunction with Akamai's Net Storage product, collect the Akamai integrator from the support team. 16. Extract the Akamai integrator.zip in any folder. 17. Run
Imperva Hardware Appliances - Datasheet imperva.com IMPERVA HARDWARE APPLIANCE SPECIFICATIONS - 1U FORM FACTOR SPECIFICATIONS X2020 X1020 FAULT TOLERANCE Not available Not available THROUGHPUT1 500 Mbps 100 Mbps RSA/SEC (2048 BIT)2 6000 1200 LATENCY Sub-millisecond Sub-millisecond INTERFACES 4 x 1G Copper, 2 x 1G Copper (for management) 4 x 1G Copper, 2 x 1G Copper (for management)
Q3 2010 State of the Internet David Belson Director, Market Intelligence. January 26, 2011. Akamai Confidential Powering a Better Internet 2011 Akamai Agenda . Powering a Better Internet 2011 Akamai Average Connection Speeds - City Views Global perspective Taegu, South Korea takes first place spot with 18.3 Mbps
Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the. pace of innovation in a hyperconnected world, please visit www.akamai.com and follow @Akamai on Twitter.
Data Migration Planning Analysis, Solution Design and Development Mock Migration Pilot Migration Released Data Migration Active Data and User Migration Inactive Data Migration Post Migration Activities Small Bang The details for each step include: Data Migration Planing - Develop the migration strategy and approach, and define the scope,
Migration overview In the context of Migration Manager, migration is the process of promoting . A migration group can be either internal or user-defined. Internal migration groups are included with the product and are linked to other logically related migration groups called dependencies. You cannot modify internal migration
A New Migration Testing Strategy Pre-Migration Testing The concept of pre-migration testing is not often covered during migration planning. The professionals involved in migration planning are not much aware of comprehensive pre-migration testing and the value it can add to a migration and particularly those migrations that are considered complex.
be the first trading day in May based on the following: Daily settlement prices are collected for the nearest July contract over 45 consecutive trading days before and on the business day prior to April 16th. The average price is calculated based on the collected settlement prices and then multiplied by seven percent. The resulting number, rounded to the nearest 0.5 cents per pound, or 2 cents .
