
How RedShield has tested the AWS dataplane for security, performance, and compatibility

Pre-migration testing

Ahead of migrating customer application traffic paths across to our new AWS dataplane, RedShield has performed extensive testing of the new platform in the key areas outlined below. This testing has given our engineering team confidence in the architecture and in the migration process: that the migration runs smoothly without service interruption, and that the new platform is well suited to the needs of our customers' applications now and into the future.

The RedShield AWS platform itself has been tested for performance and DDoS resilience, as well as general functional and security testing.

Tests have been completed individually across each and every customer application, including:

  • DNS checks
  • Network path check
  • Certificate check
  • TLS settings check
  • Web server response code and size
  • Object load times and performance

100% of tests must pass, confirming that the new AWS traffic path is functionally identical to the other RedShield traffic paths already in use, before any customer migration dates are released.
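The per-application checks listed above can be reproduced with a small side-by-side probe. The following is an added example written for this article, not RedShield's own test tooling: it connects to each traffic path by address while presenting the application's real hostname (so SNI, certificate validation and the Host header all match production), records the response code, body size, certificate fingerprint, negotiable TLS versions and object load time for each path, and passes only when every check that must not change is identical across paths. The hostname and the per-path addresses are placeholders; real per-path addresses come from RedShield support.

```python
"""Side-by-side check of one shielded application over two traffic paths.

Added example (not RedShield's own tooling). Each path is probed by address
while the application's real hostname is used for SNI, certificate
validation and the Host header; checks that must not change between paths
are required to be identical, and object load time is reported as a ratio.
"""
import hashlib
import socket
import ssl
import time

# Constructed inputs: replace with the application's hostname and the per-path
# addresses (or static hostnames) obtained from RedShield support.
APP_HOST = "www.example.com"            # hypothetical shielded application
PATHS = {
    "current": "203.0.113.10",          # placeholder: existing RedShield path
    "aws": "198.51.100.20",             # placeholder: new AWS dataplane path
}
OBJECT = "/"
MUST_MATCH = ("status", "size", "cert_sha256", "tls_versions")


def tls_versions_offered(addr, server_name, port=443):
    """Return the TLS protocol versions the path will negotiate for server_name.

    Each version is pinned as both minimum and maximum, so a handshake only
    succeeds if the server accepts exactly that version.
    """
    offered = set()
    for version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((addr, port), timeout=10) as raw:
                with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                    offered.add(tls.version())
        except (ssl.SSLError, OSError):
            pass                        # version refused or path unreachable
    return frozenset(offered)


def probe_path(addr, server_name, obj=OBJECT, port=443):
    """Fetch one object via a specific path address and record the comparable facts."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    start = time.perf_counter()
    with socket.create_connection((addr, port), timeout=15) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert_der = tls.getpeercert(binary_form=True)
            tls.sendall((f"GET {obj} HTTP/1.1\r\nHost: {server_name}\r\n"
                         "Connection: close\r\n\r\n").encode())
            data = b""
            while chunk := tls.recv(65536):
                data += chunk
    load_ms = (time.perf_counter() - start) * 1000
    head, _, body = data.partition(b"\r\n\r\n")
    return {
        "status": int(head.split(b" ", 2)[1]),
        "size": len(body),              # raw body bytes; same framing on every path
        "cert_sha256": hashlib.sha256(cert_der).hexdigest(),
        "tls_versions": tls_versions_offered(addr, server_name, port),
        "load_ms": round(load_ms, 1),
    }


def compare_paths(results, baseline="current"):
    """Compare every path against the baseline path.

    Returns {"failures": {check: [paths that differ]}, "speedup": {path: ratio}}.
    A path passes only when the failures dict is empty; load time is informational.
    """
    base = results[baseline]
    failures = {}
    speedup = {}
    for name, res in results.items():
        if name == baseline:
            continue
        for check in MUST_MATCH:
            if res[check] != base[check]:
                failures.setdefault(check, []).append(name)
        speedup[name] = round(base["load_ms"] / res["load_ms"], 2)
    return {"failures": failures, "speedup": speedup}


def passes(report):
    """True when no must-match check differs on any path."""
    return not report["failures"]


if __name__ == "__main__":
    results = {name: probe_path(addr, APP_HOST) for name, addr in PATHS.items()}
    report = compare_paths(results)
    print("PASS" if passes(report) else "FAIL", report)
```

Run it against the application's current path and the AWS path and treat any entry in `failures` as a migration blocker; load time is reported as a ratio because it is expected to differ. OpenSSL builds that no longer ship TLS 1.0 and 1.1 can only probe 1.2 and 1.3 this way, so the version comparison covers what a current client can negotiate.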

 

Elastic scalability and performance

DNS performance result: 68% faster

In recent weeks, ahead of migrating customer applications to the AWS dataplane, we have completed the replacement of our global DNS platform with DNS2, a RedShield-designed system. Continuous global monitoring of application path quality feeds routing instructions into Route53, which delivers the DNS responses; this ensures that traffic is routed optimally as conditions change on the internet, or in case of any issues within the AWS cloud or RedShield's clusters.

This new system significantly improves availability and resilience to attack, improves our ability to detect issues, and delivers 68% faster DNS query responses than our previous platform.

DNS query responses from the old and new systems were compared using in-house developed testing tools, which confirmed perfect compatibility across all hostnames and DNS query types, and increased performance for all customer applications, before we migrated across.
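How such a compatibility and performance comparison between two DNS platforms can be made, as an added example that is not RedShield's DNS2 tooling and uses only the Python standard library: it sends the same query to the old and new resolver addresses, parses the answer section while ignoring TTLs (which legitimately differ between platforms), and reports any record-set or response-code mismatch together with the latency gain. The resolver addresses and hostnames are placeholders.

```python
"""Compare DNS answers and latency from two resolvers for the same names and types.

Added example (not RedShield's DNS2 tooling). Stdlib only: it builds raw DNS
queries, parses the answer section (TTLs are dropped because they differ
between platforms), and reports record-set mismatches plus the latency gain.
"""
import socket
import struct
import time

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}

# Constructed inputs: placeholder resolver addresses and hostnames.
OLD_DNS = "203.0.113.53"
NEW_DNS = "198.51.100.53"
HOSTNAMES = ["www.example.com", "api.example.com"]


def build_query(name, qtype, txid=0x1234):
    """Return a standard recursive query packet for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg):
    """Return (frozenset of (name, type, rdata) from the answer section, rcode)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = set()
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])  # TTL dropped
        off += 10
        if rtype == 1:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, msg[off:off + 16])
        elif rtype in (2, 5):
            value, _ = read_name(msg, off)        # may point back into the message
        else:
            value = msg[off:off + rdlen].hex()
        answers.add((name, rtype, value))
        off += rdlen
    return frozenset(answers), flags & 0x000F


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query; return (answers, rcode, latency_ms)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
        latency_ms = (time.perf_counter() - start) * 1000
    answers, rcode = parse_answers(data)
    return answers, rcode, latency_ms


def diff_answers(old, new):
    """Records present on only one side; an empty frozenset means identical answers."""
    return old ^ new


def compare_resolvers(old_server, new_server, names, qtypes):
    """Return ([(name, qtype, differing records)], fraction faster on the new resolver)."""
    mismatches, old_ms, new_ms = [], 0.0, 0.0
    for name in names:
        for qtype in qtypes:
            a_old, rc_old, t_old = query(old_server, name, qtype)
            a_new, rc_new, t_new = query(new_server, name, qtype)
            old_ms, new_ms = old_ms + t_old, new_ms + t_new
            if rc_old != rc_new or diff_answers(a_old, a_new):
                mismatches.append((name, qtype, diff_answers(a_old, a_new)))
    return mismatches, 1 - new_ms / old_ms


if __name__ == "__main__":
    bad, gain = compare_resolvers(OLD_DNS, NEW_DNS, HOSTNAMES, list(QTYPES))
    print(f"mismatches: {bad or 'none'}; new resolver {gain:.0%} faster")
```

The script uses UDP only and does not retry truncated (TC) responses over TCP, so for large TXT or MX answer sets add a TCP fallback before treating a mismatch as real. The latency figure it prints is a single-client measurement against two resolver addresses, not a global one like the 68% quoted above.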

 

Web server responses: 38% faster

Leveraging AWS' Global Accelerator network for all customer application traffic has delivered a significant boost to performance, especially to applications with widely distributed global user bases. 

A series of performance test probes has been run for each customer application from a single test client geolocation, via both the new AWS dataplane and RedShield's other datacenters in the same geography, ensuring a very similar physical network path length. Comparisons are made between the time to load a single object from the customer server via each path.

A significant performance improvement, 38% on average across all customer applications, has been observed. The acceleration is driven by a combination of factors, including network performance: AWS Global Accelerator is up to 60% faster than the public internet globally, and even on short paths within a single geographic region it makes a big difference. When traffic paths are longer, the benefits become even greater.

 

Default use of HTTP2, with optional HTTP3 architecture

Sites which have not previously had HTTP2 enabled will have HTTP2 activated by default for compatible client connections, with no action required by customers to enable this.

Support for HTTP3 is currently provided through integration with AWS CloudFront, which also provides CDN features. Please contact your RedShield Solution Architect to request further information on how to deploy CloudFront with RedShield.

 

Functional compatibility

Basis for comparison

All currently shielded applications run through multiple RedShield clusters in diverse geographic locations. Testing is performed using purpose-built test tooling which runs DNS requests, connection tests, TLS handshakes and web requests, and compares the results from each of RedShield's available traffic paths to ensure that all existing and new traffic paths behave identically.

 

Network path availability confirmed

Web objects are requested from the customer application server by our test client, for each customer application, passing through the RedShield network via each available shielded traffic path. Responses are analysed to ensure that the origin web server and firewall are not blocking requests from the new location.

 

TLS stack settings - no change

TLS settings are optimised for performance and are highly secure, whilst maintaining compatibility with older clients where required. Applications which currently support TLS versions 1.0 and 1.1 on current RedShield datacenters will still support those protocols after migration to the AWS dataplane. Applications which are restricted to TLS 1.2 will remain restricted in the same way.

More advanced configurations, such as those with client certificate authentication, will continue to function in an identical way.

TLS 1.3 is now available through integration with AWS CloudFront. Please contact your RedShield Solution Architect to request further information on how to deploy CloudFront with RedShield.

 

Application security controls - no change

Application security controls such as header modifications, specific vulnerability mitigations, and baseline security controls (including application DoS protection, bot mitigation and WAF policies) will remain unchanged, and are tested to ensure that paths through the AWS dataplane are identical in this respect.

 

Application delivery functional configuration - no change

Applications which have functional configuration such as folder-based traffic path routing will continue to operate in an identical way, and have been tested to ensure that there is no change to such behaviour.

 

Further specific testing

If you have a specific need to test an application through the new traffic path, beyond the testing already completed by RedShield, please open a ticket at https://support.redshield.co or email support@redshield.co to obtain specific IP addresses for your testing. Testing may be performed in the same way as for a new RedShield deployment, such as by the methods outlined in the following support article: https://support.redshield.co/hc/en-gb/articles/207294266-Testing-RedShield-using-static-hostnames.

 

 

DDoS resilience

Ultra large scale DDoS attack mitigation at all layers

RedShield has validated the AWS dataplane for DDoS resilience through an extensive variety of bench tests and real-world defensive situations under large-scale attack, using our purpose-built DDoS simulation and testing system and process.

DDoS techniques tested by our research team during simulation exercises, and observed during real-world attacks, include reflected and amplified UDP and TCP, middlebox reflection, DNS, targeted layer 7 techniques and HTTPS request floods, large-scale slow attack variants, and TLS crypto resource attacks. Attacks mitigated by RedShield in the past year have reached 25 million packets per second and 400 Gbps; however, the system is designed to handle much larger attacks. We anticipate that attacks will continue to grow significantly in volume in coming years, and will also continue to evolve towards the application layer.
