Akamai Site Shield
Learn the step-by-step procedure for implementing Akamai Site Shield to enhance your website's security and performance.
DDoS mitigation often involves placing a CDN or large reverse proxies as a protection layer in front of web services. However, sophisticated attackers may attempt to discover the origin network or IP address and attack it directly, rendering the mitigation layer ineffective. This is known as a ‘Direct-to-Origin’ (D2O) attack.
Site Shield, provided by Akamai's Web Application Firewall (WAF), adds an extra layer of defense by removing websites and web applications from the Internet-accessible IP address surface. This thwarts direct attacks on the application origin. Site Shield is crucial for safeguarding against various application-layer attacks, including DDoS and the OWASP Top-10 threats.
Site Shield effectively shields web applications from direct attacks by serving as a barrier between the internet and the origin infrastructure. It achieves this by intercepting incoming traffic, routing it through Akamai's distributed network, and ensuring that all traffic is diverted to the origin through Akamai CDN Points of Presence (PoPs). This prevents attackers from accessing the origin directly. Additionally, Site Shield continuously monitors and filters incoming requests, identifying and blocking malicious payloads, and enforcing security policies to mitigate common vulnerabilities such as SQL injection and cross-site scripting.
[Figure: Direct-to-Origin (D2O) DDoS attack]
Implementation Procedure
Create a Site Shield Map
Creating a Site Shield Map is a crucial initial step in implementing Site Shield within Akamai's WAF. This process involves defining the parameters and configurations that govern how websites and web applications will be protected. By accurately specifying details such as traffic levels, origin and end-user locations, and security options, organizations can tailor Site Shield to effectively protect hostnames from various forms of cyber threats, including DDoS attacks.
Technical Steps:
1. Navigate to ☰ > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.
2. Click "Request new map".
3. Provide the necessary details in the Map details:
   - Enter a name for the map.
   - Select User-generated content, if applicable.
   - Specify Notification emails and frequency.
   - Set expected traffic levels.
   - Specify Origin and End-user country/areas.
   - Choose TLS and HTTP security options.
4. Select the hostnames to protect and click Submit map request.
Add the Site Shield Behavior to Your Properties
Adding the Site Shield Behavior to your properties is essential for operationalizing the protection provided by Site Shield. By integrating this behavior into properties within Akamai's Property Manager, organizations enable the enforcement of Site Shield's security measures across their web assets. This step ensures that all incoming traffic is routed through the Akamai Platform, where potential threats can be detected and mitigated effectively.
Technical Steps:
1. Navigate to ☰ > CDN > Properties.
2. Select the property and version.
3. Scroll to Behaviors and click "Add Behavior".
4. Select "Site Shield" and choose the appropriate Site Shield Map.
5. Click Save and activate your property.
Allow Site Shield IP Addresses Through Your Firewall
By updating firewall settings to permit access from the listed IP addresses provided by Akamai, organizations ensure that legitimate traffic can reach their origin servers without disruption. This step establishes a secure communication channel between the Akamai Intelligent Platform and the origin infrastructure, enabling Site Shield to intercept and mitigate malicious traffic while allowing legitimate requests to pass through unhindered.
Technical Steps:
1. Navigate to ☰ > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.
2. Click the map name.
3. Copy the listed addresses or export them.
4. Update your firewall to allow these addresses.
5. Confirm the firewall update by typing YES in the provided field.
6. Click "Yes, I updated my firewall."
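The reconciliation behind steps 3 to 5, as an added example (not from the original page or from Akamai): it compares the addresses exported from the Site Shield map with the current firewall allowlist, and flags client IPs seen at the origin that fall outside the map. All CIDRs and IPs are constructed documentation ranges, and the one-CIDR-per-line export format is an assumption.

```python
import ipaddress

# Constructed sample data: documentation ranges, not real Akamai addresses.
SITE_SHIELD_EXPORT = """\
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
2001:db8:100::/48
"""
FIREWALL_ALLOWLIST = ["192.0.2.0/24", "203.0.113.0/24", "2001:db8:100::/48"]
ORIGIN_CLIENT_IPS = ["192.0.2.77", "198.51.100.9", "203.0.113.50", "2001:db8:100::1"]


def parse_cidrs(lines):
    """Validate CIDR strings (malformed entries raise) and merge adjacent ranges."""
    nets = [ipaddress.ip_network(s.strip()) for s in lines if s.strip()]
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return merged


def covered(net, ranges):
    """True if every address in net falls inside one of the given ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def reconcile(export_text, firewall_cidrs):
    """Return (missing, review): ranges to add, and firewall entries outside the map."""
    wanted = parse_cidrs(export_text.splitlines())
    present = parse_cidrs(firewall_cidrs)
    missing = [str(n) for n in wanted if not covered(n, present)]
    review = [str(n) for n in present if not covered(n, wanted)]
    return missing, review


def direct_to_origin(client_ips, export_text):
    """Client IPs seen at the origin that lie outside the Site Shield ranges."""
    wanted = parse_cidrs(export_text.splitlines())
    return [ip for ip in client_ips if not covered(ipaddress.ip_network(ip), wanted)]


if __name__ == "__main__":
    missing, review = reconcile(SITE_SHIELD_EXPORT, FIREWALL_ALLOWLIST)
    print("add before confirming:", missing)
    print("review for removal:", review)
    print("direct-to-origin sources:", direct_to_origin(ORIGIN_CLIENT_IPS, SITE_SHIELD_EXPORT))
```

An empty `missing` list is the condition to meet before typing YES in the confirmation field; entries in `review` are allowlist ranges that would still let non-Akamai sources reach the origin.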
| Task Description | Owner | Notes |
| --- | --- | --- |
| Create a Site Shield Map | TBD | |
| 1. Requesting a new map | TBD | Data to set expected traffic levels is usually received from the network team |
| 2. Select hostnames to protect | TBD | Choose the hostnames to be protected from the Hostname Coverage document |
| Add the Site Shield Behavior to Your Properties | TBD | Ensure the correct property version is selected (Akamai saves all versions) |
| Allow Site Shield IP Addresses Through Your Firewall | TBD | Update firewall settings promptly after obtaining IP addresses |
| 1. Copy or export listed IP addresses | TBD | |
| 2. Update firewall settings | TBD | |
| 3. Confirm and monitor firewall updates (weekly basis) | TBD | Monitoring the firewall weekly is recommended; update it with the IP addresses sent by Akamai |
Notes:
1. Create a Site Shield Map:
Owner/Stakeholders: Typically handled by the Security team.
2. Add the Site Shield Behavior to Your Properties:
Owner/Stakeholders: Usually managed by the DevOps team or Web Owners.
3. Allow Site Shield IP Addresses Through Your Firewall:
Owner/Stakeholders: Generally falls under the responsibility of the Network Operations team or Security team.
Roles & Responsibilities
[1] Manager - Manages the entire process
[2] Akamai manager - Responsible for configuring the Site Shield
[3] Firewall manager - Responsible for configuring the Site Shield output (initial and routine updates)