Protecting your website with Cloudbric

This post is supported by Penta Security.

Despite the focus on mobile apps in recent years, websites are now an indisputable part of our hyper-connected era. This is helped by the ease of installing ready-made CMS platforms and e-commerce engines, which allows businesses to set up an online presence at a fraction of the cost and time of a physical store.

Protecting your own site

But as many small businesses are quickly finding out, the downside of this would be how infinitely more hostile the cyber landscape is today as compared to in the past. The sheer importance of the digital arena means that hackers now have more incentive than ever to dabble in cybercrime, while the easy availability of ready-made hacking tools mean that even a novice with the time to spare may eventually find weak chinks to exploit.

Of course, managed solutions such as WordPress.com and Instapage can eliminate a lot of the hassle of setting things up, while addressing considerations such as security and denial of service (DoS) attacks at the same time. However, they also offer substantially less flexibility in terms of being able to configure additional plugins or make custom tweaks to the code.

For organizations that cannot live with these limitations, the only option is to roll out their own website, and to find ways to secure and lockdown their site against hacking attempts. Importantly, businesses must also deploy adequate defenses against increasingly common distributed denial-of-service (DDoS) attacks – often through brute force reloading of a website from hundreds or even thousands of infected client devices.

This is where Penta Security’s Cloudbric service comes into the picture.

Cloudbric for security

To be honest, I have not heard about Penta Security before they dropped me an email last month. A quick search revealed that they are an information technology security firm headquartered in Seoul, South Korea, and is the largest in town with a track record of two decades. The company offers a variety of security products, including appliance-based web application firewalls (WAF) and various security solutions aimed at enterprises.

On its part, Cloudbric is a cloud-hosted solution based on the company’s intelligent WAF appliances and security technology. The idea is that small or even mid-sized businesses can leverage the service to protect their websites against a variety of web attacks, including brute force DDoS attacks that attempt to exhaust the resources of a targeted website.

It is worth pointing out that DDoS protection is typically offered a standalone service, and is not priced cheaply. Moreover, only minimal security features are typically included by default, with an often complex blend of fees charged for optional features. With Cloudbric, Penta Security have decided on a simple model where they offer a full stack of filtering and security capabilities, and coupled with DDoS protection on Layer 3, 4 and 7 – read about the OSI layers here.

Cloudbric does charge by the volume of website traffic however, which ranges from US$29/month for 10GB to $69/month for 40GB. Assuming a lightweight 1MB page per view, this should offer around 10,000 and 40,000 page views per month, respectively. The good news is that Penta Security offer a simple way for businesses to test out Cloudbric, with up to 4GB of monthly traffic for free.

So how does Cloudbric fare? To find out, I decided to set it up on TechBlogger.io itself.

Setting up Cloudbric

In a nutshell, Cloudbric works by putting itself in front of your website. All requests are first routed through the cloud-based security service to identify and filter out malicious traffic. Its processing engine will block suspicious or redundant requests, and only legitimate requests are allowed through.

Setting up Cloudbric is simple, and entails creating a free account and configuring the DNS mapping from your domain point to its cloud. This can happen two ways: Cloudbric can serve as your DNS server, or you can modify your existing DNS records to point (A, CNAME) to the DNS settings generated by Cloudbric.

In my case, the three-step process started with me specifying TechBlogger.io as a site to protect. The wizard automatically searched out my current DNS information before presenting me with a list of Cloudbric data centers with the nearest already selected. The wizard completed with Cloudbric displaying the requisite DNS information that I will need to redirect traffic to Cloudbric.

The Cloudbric dashboard

While setting up Cloudbric takes just a few minutes, you will need to wait for the usual DNS propagation to complete before it will work. The good news is the lack of downtime, as your website continues to handle queries until the moment Cloudbric takes over post-DNS propagation. As I’ve set the TTL field for TechBlogger.io to a relatively low value, it took less than 30 minutes before everything worked.

That’s it. Setup was that simple.

Though Cloudbric works continuously in the background from the moment you set it up, it is my understanding that updates to the dashboard takes place daily. This meant that the chart was initially blank, and data only came in a day later. So just be patient.

Here is how my Cloudbric dashboard looks like.

Cloudbric Dashboard

I’ve only set it up and got it running for a few days at this stage, but you can see that it has snagged a surprisingly high volume of bad traffic. What is scary is how the bulk (or all) of the malicious traffic is unlikely to show up on your usual analytics tracker. However, they are certainly there, chipping away at your server resources as hackers probe your site and search for ways of break in.

Setting up HTTPS

Cloudbric offers the ability to deploy a HTTP front-end complete with a free digital certificate from Let’s Encrypt on your behalf. This is automatically enabled (and configured) with a single click during the setup, and gives small businesses without HTTPS immediate access without any of the usual hassle. For the uninitiated, HTTPS is important for a good SEO ranking with Google ever since the inclusion of HTTPS as a ranking signal in 2014.

Setting up Cloudbric for HTTPS

However, do note that the “Basic” mode does have certain limitations. For one, communication between your website and Cloudbric servers will not be encrypted, which may matter to the security conscious. Full encrypted communication only happens with the “Full” setting, which requires you setting up your own SSL certificate.

Depending on your web engine of choice and the themes and plugins loaded, the site may end up displaying mixed content with the “Basic” option. As the major browsers no longer load mixed content by default, your site may turn out ugly when viewed from HTTPS. I encountered the second issue, and am currently trying to see if I can find a workaround that doesn’t involve setting up HTTPS on the web server. I’ll highlight my findings and thoughts in a future blog after using Cloudbric for a long period of time.

For now, Penta Security is serious about expanding outside South Korea, and has opened five new data centers in this month alone. Three of them are located in the region too, specifically Hong Kong, and Binh Duong and Ho Chi Minh City in Vietnam.