Edge vs. Network vs. Cloud, which DDoS solution is best for your business?
By James Miller, Cyber Security Product Lead - Bell
A solution that can detect and stop distributed denial of service (DDoS) attacks is essential for any business. Without one, you’re left open to service disruptions that can affect your customers’ experience, your reputation and, ultimately, your bottom line. But with the many different kinds of DDoS solutions available on the market, which one makes the most sense for your organization?
Which deployment model you choose ultimately depends on your business needs, compliance framework and, more importantly, your risk tolerance. The three main paths are edge, network and cloud. Below, I give more detail on each one to help you make an informed decision regarding your DDoS solution investment.
Edge DDoS security: protection at the network edge
Edge DDoS solutions work at the network edge — the point at which incoming traffic from the broader Internet meets the backbone of your telecommunications service provider. At this point, an edge DDoS solution samples incoming traffic in search of signs that traffic is malicious, and temporarily redirects traffic through a scrubbing centre while an attack is underway. At the scrubbing centre, bad traffic is removed and legitimate traffic is sent back on its original course to your business network.
This type of DDoS solution is suited to detecting and mitigating volumetric DDoS attacks, which attempt to use up all your available bandwidth by sending huge amounts of illegitimate traffic to a target server. An automated, edge-based DDoS solution can detect and mitigate this type of attack in just a few minutes. However, it can only defend against volumetric attacks coming from outside the network and not attacks originating from inside the Internet backbone.
Network DDoS security: comprehensive in-line protection
Network DDoS solutions augment the capabilities of edge DDoS security by launching additional detection and mitigation within the network itself. Rather than sampling incoming traffic at the network edge, network DDoS solutions analyze every single packet, scrubbing when necessary to keep bad traffic away from your infrastructure. The result is even faster detection and response than an edge-based solution – within 30 seconds – as well as protection regardless of whether the attack source is outside or inside the network.
Unlike edge-based DDoS security, network-based solutions can detect and respond to more than just volumetric attacks. They also cover low-and-slow attacks, which use smaller volumes of data over an extended period to overwhelm IT infrastructure like load balancers, servers and firewalls, slowing that infrastructure to a crawl or bringing it down completely. Some network-based solutions even use AI and machine-learning algorithms to detect attacks based on network behaviour that differs from normal traffic.
Keep in mind that because network DDoS solutions are an in-line protection deployment, the detection and mitigation happen only within the system or network on which you deploy the solution.
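The contrast between sampling at the edge and inspecting every packet in-line can be seen in a small detection sketch. This is an added example, not code from the article or from any vendor product; the sampling rate, thresholds and both traffic sets are constructed assumptions.

```python
# Constructed model: each packet is (timestamp_s, conn_id, size_bytes).
SAMPLE_RATE = 1000                  # assumed: edge inspects 1 in 1000 packets
VOLUME_THRESHOLD_BPS = 50_000_000   # assumed alarm threshold, bits per second
SLOW_MIN_AGE_S = 60                 # connection open at least this long ...
SLOW_MAX_BYTES_PER_S = 100          # ... while sending less than this
SLOW_CONN_LIMIT = 50                # alarm when this many such connections exist

def edge_sampled_alarm(packets, window_s):
    """Estimate bandwidth from 1-in-N samples, as a sampling detector would."""
    sampled = packets[::SAMPLE_RATE]
    est_bits = sum(size for _, _, size in sampled) * 8 * SAMPLE_RATE
    return est_bits / window_s > VOLUME_THRESHOLD_BPS

def inline_alarms(packets, window_s):
    """Look at every packet: volume check plus per-connection rate check."""
    total_bits = sum(size for _, _, size in packets) * 8
    volumetric = total_bits / window_s > VOLUME_THRESHOLD_BPS
    first, last, sent = {}, {}, {}
    for ts, conn, size in packets:
        first.setdefault(conn, ts)
        last[conn] = ts
        sent[conn] = sent.get(conn, 0) + size
    # Long-lived connections that trickle data; single-packet flows are skipped
    # by the age test before the rate is computed.
    slow = [c for c in sent
            if last[c] - first[c] >= SLOW_MIN_AGE_S
            and sent[c] / (last[c] - first[c]) < SLOW_MAX_BYTES_PER_S]
    return {"volumetric": volumetric,
            "low_and_slow": len(slow) >= SLOW_CONN_LIMIT}

def make_flood(window_s=10):
    # Constructed: 100,000 packets of 1,400 bytes in 10 s (about 112 Mbit/s).
    n = 100_000
    return [(i * window_s / n, i, 1400) for i in range(n)]

def make_slow(window_s=120):
    # Constructed: 200 connections, each sending 10 bytes every 10 s.
    return sorted((t, conn, 10) for conn in range(200)
                  for t in range(0, window_s + 1, 10))

if __name__ == "__main__":
    print("flood:", edge_sampled_alarm(make_flood(), 10), inline_alarms(make_flood(), 10))
    print("slow: ", edge_sampled_alarm(make_slow(), 120), inline_alarms(make_slow(), 120))
```

The sampled estimate sees the flood but reads the slow traffic as a few kilobits per second; only the per-connection state kept by the in-line check flags it.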
Cloud DDoS security: mitigation in the cloud
Cloud DDoS solutions work by routing traffic destined for your network to a cloud-based scrubbing centre for analysis, detection and mitigation. Malicious traffic is stopped in its tracks while legitimate traffic is sent on to your network.
Cloud-based DDoS security offers protection similar to that of a network DDoS solution. Response times will generally be slower than edge-based and network-based DDoS solutions because the traffic must first flow through the cloud.
A unique benefit of a cloud-based solution is that it can cover multiple connectivity types and multiple service providers, offering consistent protection across them all. This enables a single-pane-of-glass experience for DDoS detection and mitigation, which may make a cloud-based option preferable over a network-based one.
What kind of DDoS solution is best for your business?
For many businesses, the decision of what DDoS solution to invest in will come down to cost. In that respect, edge-based DDoS solutions are less expensive than network DDoS solutions because they have a smaller scope, and detection and mitigation don’t happen in real time. Pricing for cloud DDoS services will differ between providers. Some charge based on the amount of traffic redirected, others based on malicious traffic mitigated and still others use a flat rate.
While network DDoS solutions tend to be more expensive, they do offer the most robust DDoS protection. Therefore, they might be your best option depending on the nature of your business and the threats it faces. For example, if your business is centered on transaction-based services or relies on network traffic for revenue, you want to do everything you can to minimize the downtime to your IT infrastructure and online applications that DDoS attacks can cause. On the other hand, if your Internet is mainly used for email and employee access, you might be able to handle downtime without significant harm to your bottom line, so the robust in-line protection of a network DDoS solution might not be needed.
In addition, consider any compliance requirements around data sovereignty and privacy that might prevent you from choosing a cloud-based DDoS solution. A cloud-based solution may require you to give up control of the encryption process and might not be able to guarantee that traffic originating in Canada stays in Canada, which can leave the data you are protecting vulnerable.
Your DDoS protection partner
DDoS attacks are a fact of modern business – and they’re here to stay. Whether it’s with an edge, network or cloud-based solution, you need to protect your business from malicious traffic and the downtime and reputational harm that can result.
Let Bell connect your business with DDoS security solutions that meet your needs. Our portfolio includes network DDoS, edge DDoS and cloud-based security services from industry-leading technology partners, offering 24/7 protection that acts fast to keep your business online.
To learn more about our DDoS security solution, reach out to a Bell representative.