About IBM Cloud Internet Services
IBM Cloud® Internet Services, powered by Cloudflare, provides a fast, highly performant, reliable, and secure internet service for customers running their business on IBM Cloud.
IBM CIS gets you started quickly by establishing defaults for you, which you can change easily by using the UI or API.
Clock synchronization
ISO 27001 requires that clocks of all relevant information processing systems within an organization or security domain must be synchronized with a single reference time source. CIS synchronizes the systems with a Network Time Protocol (NTP) server to ensure that all time-based activities occur synchronously everywhere on the network.
IBM CIS uses the following internal NTP servers:
time.adn.networklayer.com
time.service.networklayer.com
Security features
Proxy your DNS records or a global load balancer to use the security features. The proxy allows traffic to flow through our servers and you can monitor the data.
TLS
Protect your site and control your Transport Layer Security (TLS) settings. Manage the certificates used to secure traffic to your site.
Origin
Manage the TLS certificates that encrypt traffic between your origin server and your users.
Rate limiting
Use rate limiting rules to protect your site or API from malicious traffic by blocking client IP addresses that match a URL pattern or exceed a defined threshold.
Traffic scrubbing
CIS offers 248 Tbps of global network edge capacity and can mitigate DDoS attacks that have extremely high packet and HTTP request rates.
When a DDoS attack occurs, CIS doesn't use scrubbing centers; the activity is analyzed on the edge, which helps to mitigate DDoS attacks closest to the source.
Traffic that is identified as being "dirty" or part of an attack is not included in the billing. Customers are billed for protected traffic, which consists of clean traffic that is forwarded to the origin and responses that are returned from the edge to the client.
Web Application Firewall (WAF)
WAF is implemented through multiple rule sets: OWASP, CIS, and Exposed Credentials Check.
IP firewall
IBM Cloud Internet Services offers several tools for controlling your traffic so that you protect your domains, URLs, and directories against volumes of traffic, certain groups of requesters, and particular requesting IPs.
IP rules
With IP rules you can control access for specific IP addresses, IP ranges, specific countries, specific ASNs, and certain CIDR blocks. Available actions on incoming requests are:
- Allowlist
- Block
- Challenge (Captcha)
- JavaScript challenge (Defense mode)
For example, if you notice that a particular IP is causing malicious requests, you can block that user by IP address.
IP rules apply to TCP, HTTP, and HTTPS Range apps, because IP rules are applied to Open System Interconnection (OSI) Layer 3 and Layer 4.
User-agent blocking rules
With User-agent blocking rules, you can act on any user-agent string you select. This capability works like domain lockdown, except that the block examines the incoming user-agent string instead of the IP. You can choose how to handle a matching request with the same list of actions that you established in the IP rules (block, challenge, and JS challenge). User-agent blocking applies to your entire zone. You cannot specify subdomains in the same manner as you can with a domain lockdown.
This tool is useful for blocking any user-agent strings that you deem suspicious.
Domain lockdown
By using Domain lockdown, you can allowlist specific IP addresses and IP ranges, such that all other IPs are blocklisted. Domain lockdown supports the following items.
- Specific subdomains - For example, you can allow IP 1.2.3.4 access to the domain foo.example.com and allow IP 5.6.7.8 access to the domain bar.example.com, without allowing the reverse.
- Specific URLs - For example, you can allow IP 1.2.3.4 access to the directory example.com/foo/* and allow IP 5.6.7.8 access to the directory example.com/bar/*, but not allow the reverse.
This capability is useful when you need more granularity in your access rules because, with IP rules, you can either apply the block to all subdomains of the current domain, or all domains on your account. You cannot specify URIs.
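The following is an added example, not IBM CIS code, that models the access semantics described for IP rules and Domain lockdown: each lockdown names a target (a subdomain, or a host plus URL pattern) and the client networks allowed to reach it, and every other client IP is blocked for that target. The four rules use the sample IPs and hostnames from the text; the function and class names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Lockdown:
    """One Domain lockdown: who may reach a given subdomain or URL pattern."""
    target: str      # "foo.example.com" or "example.com/foo/*"
    allowed: tuple   # ip_network objects permitted for this target


def lockdown(target, *cidrs):
    """Build a Lockdown; a bare IP such as 1.2.3.4 becomes a /32 network."""
    nets = tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return Lockdown(target, nets)


def covers(target, host, path):
    """True when a lockdown target applies to this request's host and path."""
    if "/" in target:                       # URL-pattern form: host/pattern
        thost, _, tpattern = target.partition("/")
        return host == thost and fnmatchcase(path, "/" + tpattern)
    return host == target                   # subdomain form: exact host match


def evaluate(rules, client_ip, host, path):
    """Return "allow" or "block" for one request.

    A request that no lockdown covers is left to the other firewall layers
    ("allow" here); a covered request is allowed only when the client IP
    is in the allow list of at least one lockdown that covers it.
    """
    ip = ipaddress.ip_address(client_ip)
    covering = [r for r in rules if covers(r.target, host, path)]
    if not covering:
        return "allow"
    if any(ip in net for r in covering for net in r.allowed):
        return "allow"
    return "block"


# Constructed sample policy: the four lockdowns from the examples above.
RULES = (
    lockdown("foo.example.com", "1.2.3.4"),
    lockdown("bar.example.com", "5.6.7.8"),
    lockdown("example.com/foo/*", "1.2.3.4"),
    lockdown("example.com/bar/*", "5.6.7.8"),
)
```

Calling `evaluate(RULES, "5.6.7.8", "foo.example.com", "/")` returns "block", which is the "without allowing the reverse" case from the text.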
Firewall rules
Create rules that examine incoming HTTP traffic against a set of filters to block, challenge, log, or allow matching requests.
In general, firewall rules are designed for properties that are exposed in OSI Layer-7 (HTTP), such as request headers and body content characteristics. Therefore, firewall rules apply to HTTP/HTTPS Range apps.
Events
View events that are triggered by an active web application firewall rule. For each event, you can change the triggered action based on the requesting IP address, or the requesting region as a whole.
Range
Extend the power of CIS DDoS, TLS, and IP firewall to your web servers and your TCP-based services by using Range applications, keeping them online and secure.
Advanced security
Advanced security settings include the following features, which you can change, enable, or disable.
- Browser integrity check - The browser integrity check looks for HTTP headers that are commonly abused by spammers. It denies traffic with those headers access to your page. It also blocks or challenges visitors that do not have a user agent, or who add a nonstandard user agent. This tactic is commonly used by abuse bots, crawlers, or APIs.
- Challenge passage - Controls how long a visitor that passed a challenge (or JavaScript challenge) gains access to your site before they are challenged again. This challenge is based on the visitor's IP, and therefore does not apply to challenges presented by WAF rules because they are based on an action that the user performs on your site.
- Security level - Sets the security level of your website to determine which visitors receive a challenge page.
- Always use HTTPS - Redirects all visitors to the HTTPS version.
- Email obfuscation - Prevents spam from harvesters and bots that try to access email addresses on your pages.
- Automatic HTTPS rewrites - Helps fix mixed content by changing http to https for all resources (or links) on your website that can be served with HTTPS.
- Opportunistic encryption - Allows browsers to benefit from the improved performance of HTTP/2 by informing them that your site is available over an encrypted connection.
- Universal SSL - Activates universal SSL certificates from your zone to the edge.
- True client IP header - Sends the user's IP address in the True-Client-IP header.
Security standards and platform
- TLS (SHA2 and SHA1)
- IPv4 and IPv6
- HTTP/2
Network attacks and mitigation
Generally, attacks fall into two categories:
| Layer-3 or Layer-4 attacks | Layer-7 attacks |
|---|---|
| These attacks consist of a flood of traffic at OSI Layer 3 (the network layer), such as ICMP floods, or at Layer 4 (the transport layer), such as TCP SYN floods or reflected UDP floods. | These attacks send malicious OSI Layer-7 requests (the application layer), such as GET floods. |
| Automatically blocked at the CIS edge | CIS handles these attacks with Defense mode, WAF, and security-level settings. |
On-demand anti-DDoS
IBM Cloud Internet Services ingests traffic by returning a CIS IP address on the DNS lookup for a domain, instead of the actual record for the origin server’s IP address. This allows CIS to ingest, single-pass inspect, and re-encrypt data before sending it to the origin server destination. CIS can also act in DNS-only mode, returning the actual DNS record without obfuscating the IP, which disables DDoS and the other functions of CIS. To enable CIS protections, switch the "proxy" slider next to each DNS record to on; to disable protections, switch to off.
Unlimited DDoS mitigation
DDoS mitigation is typically an expensive service that can grow in cost when under attack. Unlimited DDoS mitigation is included with CIS at no additional cost.
Mitigate Layer 7 attacks (configuration)
Though DDoS is enabled by default in CIS, you can further configure Layer 7 security by:
- Configuring WAF rule set sensitivity and response behavior
- Adding rate limiting
- Adding firewall rules
Use these features to customize Layer 7 mitigation of both volumetric and non-volumetric attacks.
Mitigate non-volumetric attacks
CIS WAF contains rule sets to mitigate non-volumetric attacks, including cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection. For additional information about WAF, see Web Application Firewall concepts.
Cost protection
CIS does not meter or bill for traffic that is blocked as part of DDoS mitigation, firewall, or rate limiting. Only requests that are passed through the CIS network to the origin destination incur charges or usage.
CIS also helps keep egress bandwidth charges from your origin under control by passing along only good requests that the origin needs to respond to. All CIS plans offer unlimited and unmetered mitigation of DDoS attacks. You are never charged for attack traffic. There is no penalty for spikes due to attack traffic, so there is no chargeback to the customer.
Reliability features
Global load balancing features
The global load balancing service distributes your traffic across multiple servers with a combination of origin pools, health checks, and a load balancer. Global load balancing has the following features:
- Proxy and non-proxy options for load balancing
- Origin pools and health checks
Global anycast network
The available health check regions are based on the Cloudflare Global Anycast Network.
DNS features
DNS within CIS has the following features:
- DNS management - Manage your DNS records, control proxying, and enable DNS security.
- DNSSEC - DNS security cryptographically signs a zone to ensure that the DNS records provided to the user are the same as the DNS records published on the DNS server.
gRPC protocol support
The gRPC protocol builds efficient APIs with smaller payloads, which reduces bandwidth requirements, decreases latency, and increases the implementation time. CIS supports gRPC protocol for any proxied gRPC endpoints. To enable or disable gRPC support, navigate to the Reliability section, select the Advanced tab, and toggle the gRPC switch.
The following requirements must be met before you use gRPC:
- The gRPC endpoint must listen on port 443
- The gRPC endpoint must support TLS and HTTP/2
- HTTP/2 must be advertised over Application-Layer Protocol Negotiation (ALPN)
- The content-type header of gRPC requests must use application/grpc or application/grpc+<message type>
Performance features
Caching
Control how CIS manages your cached assets.
Page rules
Fine-tune your cache behavior and create content optimization.
Routing
Eliminate excess latency by analyzing and optimizing routing decisions across the global internet using real-time network connections.
Advanced performance
Apply Brotli compression and restrict upload sizes in the advanced performance section.