Varnish Layered Security Suite
Stop malicious traffic. Accelerate your real users.
Varnish Layered Security is a unified security layer that integrates WAF, bot management, and API protection directly into the caching and delivery layers. Eliminate the latency of external hops with in-process security logic, ensuring confidentiality and resilience from the edge to the origin.
Explore plans and pricing
A unified security layer
What is Varnish Layered Security?
Varnish Layered Security is a programmable policy engine that turns your delivery layer into a unified security runtime.
It provides Layer 7 protection, distributed traffic governance, and origin protection across your entire infrastructure, giving you full programmatic control over how traffic is filtered and secured.
Replace rigid, opaque defenses with a software layer that filters traffic and synchronizes threat responses globally. Protect your operations with autonomous, real-time defenses while keeping costs predictable, even at scale.
Built on Varnish Enterprise: An extension of Varnish Enterprise that acts as a unified security environment for your delivery network, executing logic directly in-process wherever your traffic flows.
Features
Integrated Defense and Enforcement
| Layer 7 Threat Protection | |
| WAF and Vulnerability Defense: Block OWASP Top 10 threats at runtime. Stop exploits directly in the request path without high-latency inspection hops. | |
| Bot and Abuse Mitigation: Identify and neutralize scrapers and automated fraud at the edge before they reach your resources. | |
| Origin and DDoS Protection: Absorb volumetric attacks and protect backend stability with a high-performance buffer that blocks requests before the origin. | |
| Identity and Access Control | |
| High-Performance API Security: Validate JWT and HMAC tokens at the point of entry. Relieve your application logic of the "handshake tax." | |
| In-Core TLS: Secure communication with hardware-accelerated encryption and certificate validation. | |
| Distributed Intelligence | |
| Global Rate Limiting: Synchronize traffic quotas across regions in real-time. Stop "low and slow" attacks that bypass local counters. | |
| Real-Time State (KV Store): Instantly propagate security flags and dynamic blocklists across your entire global cluster in milliseconds. | |
| Operations & Governance | |
| Data & Logic Sovereignty: Keep your code, logs, and certificates within your own perimeter. No third-party data-processing "black boxes." | |
| Deep Observability: Export 100+ log fields via OpenTelemetry or SIEM integrations for real-time forensics and audit compliance. | |
Why use Varnish Layered Security?
Architectural Advantages
Varnish Layered Security replaces rigid hardware and black-box cloud services with a private, programmable security suite that operates directly in the request path. This software-defined approach provides the following advantages:
- In-Process Execution: Execute WAF, token validation, and rate limits in the HTTP flow at cache speeds.
- Policy-as-Code: Use sophisticated logic to challenge suspicious bots while serving content to verified users.
- Total Data Residency: Maintain total ownership of SSL keys, security logic, and telemetry to ensure global compliance.
- Architectural Agility: The same engine for the edge, the origin shield, inside Kubernetes clusters and CI/CD workflows.
Security Tiers & Plans
From the first packet to the global state
Varnish Defense in Depth
01. At the Edge
Conserve Compute Resources
Essential Security acts as your first line of defense. Neutralize automated port scans, known malicious bots, and noise at the entry point so your core infrastructure remains available for meaningful traffic.
02. In the Path
Harden Application Logic
Application Security offloads identity verification and input validation to the Varnish runtime. Enforce JWT authentication and WAF policies in-process before requests ever reach your backend application servers.
03. Global State
Universal State Synchronization
Platform Security ensures a unified perimeter. Use the distributed KV store to propagate security flags and rate limits across your entire footprint, so threats detected at one node are mitigated everywhere instantly.
Strategic outcomes
Sovereign Protection and Predictable Operations
- Performance-First Security: Execute security logic in-process and sync global blocklists in milliseconds, for protection at speed.
- Operational Agility: Deploy custom rules and mitigations that adapt to emerging threats in real-time.
- Infrastructure Hardening: Offload security to the edge to neutralize volumetric attacks and preserve uptime for real users.
- Predictable Financials: License-based model replaces unpredictable per-request costs, ensuring budget stability at scale.
The autonomous security cycle
Programmable Defense Across Every Layer
Varnish is a versatile security runtime that closes the loop between visibility and enforcement. The packet is the trigger. Your defense reacts in milliseconds, without human intervention.
- Sense (Real-Time Observability): Capture 100+ request fields in real-time. Stream rich telemetry via OpenTelemetry for an instant audit trail and deep forensic analysis.
- Policy (Distributed Governance): Govern the perimeter using a distributed Key-Value Store. Synchronize security flags, rate-limit counters, and dynamic blocklists globally in milliseconds.
- Act (Programmable Enforcement): Execute policy directly in the request path. Operating at the speed of the network ensures your infrastructure is protected without adding latency.
Use cases
Practical Applications
| Pre-Origin Mitigation | |
|---|---|
| Automated Pattern Blocking: Drop requests based on malicious paths, query parameters, or illegal headers at the first point of contact. | In-Path Request Sanitization: Strip malformed URLs and non-standard headers to prevent cache poisoning and unintended origin execution. |
| Global Orchestration & Response | |
|---|---|
| Global Context Sharing: Neutralize a threat in one region and propagate the mitigation across your global footprint in milliseconds. | Active Adversary Frustration: Serve mock responses or tar-pit suspicious connections to exhaust attacker resources without impacting origin capacity. |
| Resource Offloading | |
|---|---|
| Edge Token Validation: Reject malformed tokens at the edge to protect identity providers and keep app logic focused on validated users. | Compute Origin Shielding: Offload CPU-intensive WAF inspections to Varnish. Prevent backend exhaustion and maintain uptime during traffic spikes. |
| Sovereignty & Compliance | |
|---|---|
| Geofencing & Residency: Enforce strict access and residency requirements at the edge to keep traffic logic within your sovereign perimeter. | Real-Time Audit Visibility: Stream high-fidelity telemetry via OpenTelemetry to your SIEM for instant forensics without origin involvement. |
Next steps
Scale Security. Simplify Your Stack.
Varnish Layered Security replaces unpredictable volumetric billing with a transparent, license-based model designed for unlimited global scale.
Standard
Essential Security
Foundational tier. Stabilize origins and reduce backend CPU cycles with native security defaults.
API & App Protection
Application Security
Fixed-fee add-on. Harden APIs and application logic with advanced in-path protection.
Global Coordination
Platform Security
Fixed-fee add-on. Orchestrate global defense with real-time state synchronization.
Join the world’s largest CDNs, technology enterprises and streaming services using Varnish to accelerate and protect their data. For detailed pricing or to start a technical proof-of-concept, connect with our engineering team.