NGINX.com Improves Security and the Customer Experience

Banking, retail, healthcare, and other websites that manage personal information represent obvious temptations for fraudsters, but they’re hardly the only targets of cybercrime. The NGINX.com website is a high-traffic informational site that, like most others today, is subjected to constant attack, with request volumes that can spike as much as 200 times to more than 10 million requests per hour. Such attacks threaten site availability and performance for customers. When F5 acquired NGINX in 2019, NGINX.com and the resources it offers were being protected by a SaaS security solution from an F5 competitor.

An F5 team began exploring how to best protect the website and ensure a smooth transition away from the competing product. The difficulties with the previous solution went beyond not wanting to fund a competitor. It disrupted the user experience with a lengthy “please wait” message that replaced the user’s view of the site whenever its bot mitigation was activated. In addition, product support was, in the words of the NGINX.com site manager, “just terrible.” 

“Any time we needed to contact them, it just went into a black hole and we never heard anything back,” says Product Manager Danielle Jones.

Of course, the new solution had to work well, too. “NGINX.com gets attacked a lot, so we needed something that would provide robust, reliable protection that could scale dynamically when needed,” says Melinda Hansell, Senior Director of Digital Marketing. Their team began laying the groundwork for a change, including site analysis and better understanding of the many components involved. 

“We have a complex configuration and toolset,” says Jones. “The main challenge was just identifying where everything was so we could easily transition services.”

They realized F5 Distributed Cloud Services was a perfect fit. The company’s own SaaS-based security, networking, and application management services, which can be deployed across multi-cloud, on-premises, and edge locations, delivers easy-to-implement security as a managed service.

Once Distributed Cloud Services launched to the public in early 2022, the effort to upgrade accelerated. That fall, a side-by-side comparison trial showed that Distributed Cloud Services could not only protect the site and manage its high-volume traffic while mitigating the constant denial of service attacks just as well as the previous solution, but it also actually performed better—at a lower overall cost.

“Saving money was not the primary motivation, because we were not fond of the previous solution’s impact on the user experience,” says Melinda Hansell, senior director of marketing and a key member of the upgrade team. “But I certainly could deploy those funds for other mission-critical initiatives.”

Shortly thereafter, the NGINX.com site went live with a Distributed Cloud solution that bundled nearly all the service options, including Distributed Cloud Web Application and API Protection (WAAP), Distributed Cloud Bot Defense, Distributed Cloud App Infrastructure Protection (AIP), and Distributed Cloud Client-Side Defense, among others.

“It’s not just a web application firewall (WAF) or WAAP but a whole suite of security solutions and technologies,” explains Hansell.

The change was completely transparent for customers.

While the change had no impact from the customer’s perspective, the Distributed Cloud Services platform and its machine learning component enable prescriptive controls that mitigate attacks faster than with the previous solution.

“It’s been very smooth,” says Jones. “We can roll out new security policies quickly, and any time we’ve had attacks on the site, Distributed Cloud Services handled it without any problems. It’s been very easy. I can’t stress that enough.”

She notes that site performance is better, too. “We’ve already seen some speed increases in page load times, especially in global regions that were underserved by the previous solution. And as we continue to roll out more features, we expect more benefits.”

Even the vendor that manages the site’s hosting is impressed. “They’re huge fans,” Jones says. “They said immediately that a lot of their other customers would benefit by moving to Distributed Cloud Services.”

Finally, the experience of legitimate users remains intact when bot defenses are activated., so customers can continue using the site without interruption.

The app security experts behind Distributed Cloud Services have already helped Jones’ team quickly identify mitigation needed when under attack, and they’re always available when questions arise.

“The Distributed Cloud Services team is very responsive,” says Jones. As someone with application expertise rather than edge security know-how, she says she appreciates being able work with those security experts to develop the ideal security posture for the site.

Meanwhile, telemetry from the NGINX.com deployment helps improve the solution for all F5 customers.

Distributed Cloud Services costs less than the previous solution while being easier to manage and providing better visibility.

“The UI is easier, very intuitive,” says Jones. “The amount of data I can drill into is fantastic, and it’s an overall better experience.”

She’s eager to expand the configurations in place since the launch with additional auto-mitigation policies, request scaling, and the recently released Distributed Cloud CDN services to further increase site security and speed. 

She says, “We plan on turning on quite a few of those the second they are out of preview mode to be able to increase our site speed even more.” 

Rob Whiteley, Vice President and General Manager for NGINX, says, “We’re excited to see F5 Distributed Cloud Services powering, securing, and delivering a better customer experience on NGINX.com. Distributed Cloud Services integrates a powerful collection of the top F5 technologies to deliver SaaS-based security that protects our business, and we quickly saw the value of the service capabilities when it protected the site from large attacks. We can now continue to focus on compelling educational content for NGINX and trust that Distributed Cloud Services will keep the site up and running reliably.”