On-demand, always-on or hybrid DDoS protection? It depends on the use case
IT Wire – Eyal Arazi
Traditionally, DDoS protection relied on hardware appliances deployed at the customer’s data centres. Hardware appliances frequently provided advanced protection, low latency, and granular control by network admins.
Standalone hardware appliances are most suited today either for large organisations or service providers who are creating their own mitigation scrubbing centres (usually with multiple such devices), or for organisations that are prevented by national or industry regulations from using cloud security services.
Due to the capacity constraints of hardware appliances, many organisations began looking to cloud-based scrubbing services for a solution. Compared to standalone hardware appliances, these services offer massive capacity, usually measured in terabits, as well as lower management overhead and more flexible pay-as-you-go, subscription-based (opex) costs.
However, cloud services are more limited in the types of attacks they can protect against, since they usually have visibility only into ingress traffic.
The drawbacks of an on-demand cloud service are that attack detection is usually based only on volumetric detection (based on netflow traffic rates), and that traffic diversion, once it is triggered, requires a certain window of time (usually a few minutes) until diversion is complete. The customer will remain vulnerable during this ‘diversion gap’.
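The diversion gap can be estimated from flow-rate samples. The sketch below is an added example, not code from the article or from any vendor; the 60-second export interval, 1 Gbit/s threshold, two-interval sustain rule, 180-second diversion delay and all sample rates are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class GapReport:
    detected_at: Optional[int]  # second the rate detector fired (None = never)
    diverted_at: Optional[int]  # second the diversion to scrubbing completed
    exposed_s: int              # seconds of attack traffic that hit the origin

def diversion_gap(samples: List[Tuple[float, bool]], interval_s: int = 60,
                  threshold_bps: float = 1e9, sustain: int = 2,
                  diversion_delay_s: int = 180) -> GapReport:
    """samples: (ingress bits/s, ground-truth attack flag) per flow-export interval."""
    detected_at = diverted_at = None
    streak = exposed = 0
    for i, (bps, is_attack) in enumerate(samples):
        start, end = i * interval_s, (i + 1) * interval_s
        if detected_at is None:
            # Volumetric rule: rate over threshold for `sustain` intervals in a row.
            streak = streak + 1 if bps >= threshold_bps else 0
            if streak >= sustain:
                detected_at = end  # a rate is only known once its interval closes
                diverted_at = end + diversion_delay_s
        if is_attack:
            # Count the part of this interval that precedes completed diversion.
            cutoff = end if diverted_at is None else min(end, diverted_at)
            exposed += max(0, cutoff - start)
    return GapReport(detected_at, diverted_at, exposed)

# Constructed samples: 3 quiet intervals at 200 Mbit/s, then 10 attack intervals.
QUIET = [(200e6, False)] * 3
FLOOD = QUIET + [(8e9, True)] * 10       # well above the 1 Gbit/s threshold
LOW_RATE = QUIET + [(600e6, True)] * 10  # attack that stays under the threshold

if __name__ == "__main__":
    for name, data in (("flood", FLOOD), ("low-rate", LOW_RATE)):
        print(name, diversion_gap(data))
```

With these assumed values the flood is detected two minutes after it starts and the origin absorbs five minutes of attack traffic before diversion completes, while the attack that stays under the rate threshold never triggers diversion at all.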
An alternative to on-demand protection is an always-on cloud service. Under this model, traffic is routed on a constant basis through a cloud scrubbing centre, where it is inspected for DDoS traffic.
However, it is usually more expensive than an on-demand service, and may add some minor latency to customer communications.
Hybrid protection offers the best of both worlds, since it combines an on-premises appliance with a cloud service. This allows protected organisations to enjoy both the advanced capabilities of hardware appliances and the massive capacity of a cloud service.
As a result, hybrid protection is usually best for large organisations with mission-critical applications which cannot afford any downtime, particularly in verticals such as banking, ecommerce, or SaaS.
Link: https://www.itwire.com/guest-articles/guest-opinion/on-demand,-always-on-or-hybrid-ddos-protection-it-depends-on-the-use-case.html