However, DDoS protection is not a one-size-fits-all fixed menu; rather, it is an a-la-carte buffet of multiple choices. Each option has its unique advantages and drawbacks, and it is up to the customer to select the optimal solution that best fits their needs, threats, and budget.
This blog series explores the various options for DDoS protection deployments and discusses the considerations, advantages and drawbacks of each approach, and who it is usually best suited for.
The first installment in the series focuses on the original form of DDoS mitigation – the premise-based appliance. Subsequent installments will focus on cloud and hybrid deployments.
The Original DDoS Protection
Premise-based appliances were the first form of DDoS protection, starting in the early 2000’s in response to the first generation of DDoS attacks. These devices were deployed on-site at customer data centers alongside other networking equipment such as firewalls, switches and routers.
Although many organizations are now migrating to cloud-based DDoS protection, the usage of DDoS mitigation appliances is still very prevalent, and can be found in a multitude of organizations and use-cases.
Advantages & Drawbacks:
- Low latency: One of the key advantages of the premise-based appliance is the low latency that it permits. The device is located directly in the data center, close to the application servers, with minimal or no latency. Moreover, some on-prem appliances can also be deployed in out-of-path deployments and activated during times of attack, meaning there is no added latency at all during peacetime.
- Control: Another key reason for selecting a premise-based DDoS protection device is control. Many organizations (and network managers) put a high premium on control, and having your own device directly in the data center allows for maximum control.
- Regulation: Finally, some organizations are in regulated industries such as healthcare or finance, and are constrained by industry regulations to migrate their IT workloads to the cloud.
However, there are also certain drawbacks to deploying a premise-based appliance:
- Cost: A key consideration for many organization is their available budget for a DDoS mitigation solution. A cost of a DDoS mitigation appliance can range from several tens of thousands of dollars for an entry-level device to hundreds of thousands of dollars for carrier-grade devices. Moreover, there are frequently associated costs for support and maintenance, as well as dedicated staff needed to manage the equipment, which may impact the overall TCO.
- Management overhead: With great responsibility also comes additional overhead. Premise-based equipment frequently requires dedicated staff to manage the devices, in addition to utilities overhead such as power, networking, and cooling.
- Capacity: While DDoS attacks continue to increase in size, premise-based DDoS appliances are constrained by their size and available bandwidth that they can handle.
Considerations: Questions to Ask Yourself
If you are considering deploying – or removing – a premise-based appliance, here are a few questions to ask yourself if it is the right choice for you.
- What are my data center plans? Many organizations are migrating their data center workloads to cloud-based deployments. The decision of whether to invest in new equipment heavily depends on this consideration. However, if you know for sure that you are planning to maintain your physical data center for the foreseeable future, then perhaps a DDoS mitigation appliance could be worthwhile.
- How important is control for me? Some organizations place a big emphasis on control, while others prefer that others handle the burden. A physical device will provide you with more control, but will also require additional overhead.
- How sensitive am I to latency? Another key consideration is the sensitivity of the organization and its applications to latency. Cloud-based services tend to add latency to application traffic, so if latency is a big issue, then an on-prem solution – either deployed inline or out-of-path – might be relevant.
- Am I in a regulated industry? Some organizations are within regulated industries that handle sensitive user data, and are prevented from – or prefer not to – migrate services to the cloud. In such cases, there may not be an alternative to having an on-prem appliance.
- What is my threat profile? The choice of whether or not a DDoS appliance is right for you depends heavily on the company’s threat profile. If a company is constantly attacked with a stream of low-level DDoS attacks, then an on-prem appliance might be an effective solution. However, if they face large-scale volumetric attacks, then perhaps a cloud-based or a hybrid solution would be better.
- What is the TCO? Finally, when selecting a premise-based solution, it is important to be cognizant of the full cost of ownership (TCO), including added overhead, infrastructure, support, staff and training.
Who Is It Best For?
Looking at the relative merits and drawbacks of standalone, on-prem DDoS appliances, there are a several categories of customers for whom it makes sense to explore such solutions:
- Service providers who have a large install base and provide services to end-customers using their data centers
- Organizations who own existing data centers and are planning on maintaining them in the foreseeable future
- Organizations in regulated industries who are unable to migrate workloads to the cloud
- Latency-sensitive critical applications which require low latency and high degree of control
However, standalone on-prem solutions are probably less suited for:
- Applications hosted in the cloud which cannot be protected by premise-based equipment
- Organizations migrating to the cloud that are planning to scale down their data center footprint
- Price-sensitive customers who don’t have large budgets
- Organizations frequently attacked with large volumetric attacks which can saturate the connection pipe or overwhelm the device
What Are My Alternatives?
Whether or not you think that an on-prem DDoS appliance is the right solution for you, it is worthwhile to understand your alternatives. The next installments of this series will look at cloud-based solutions (both on-demand and always-on) and hybrid solutions, which combine both on-prem and cloud components for maximal coverage.
Read “Top 9 DDoS Threats Your Organization Must Be Prepared For” to learn more.
Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Malware Protection. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Product Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.