Earlier this month, Juniper Networks purchased Webscreen Systems from Accumuli, a UK-based IT security specialist. With this acquisition, Juniper is furthering a strategy of dealing with distributed denial of service (DDoS) attacks from within the data centre by adding more hardware. While one can understand why a company that produces and sells hardware would see hardware as the best fix, there are several reasons why this is the wrong solution for most customers, and it could unnecessarily cost you time, money and brand integrity.
Given the wide range of DDoS hardware protection options available, many seem to believe that hardware is the strongest way to protect an online presence from a DDoS attack. However, after more than 15 years in the industry, I can think of five good reasons why relying on DDoS hardware protection in a data centre hosting environment is a flawed strategy.
1. Increased costs passed on to customers.
With DDoS hardware protection, the expense of purchasing, updating and maintaining the hardware, plus the necessary staff to manage it in a data centre hosting environment, will be high. These costs will be passed on to you, the hosting customer.
2. More points of failure.
By adding another piece of hardware, you are adding yet another point of failure. In networking, keeping the number of potential points of failure low is a key to success. Studies show that firewalls, IDS and other similar hardware protection platforms have over a 42 percent chance of failing [Arbor Worldwide Infrastructure Security Report 2011]. Do you want to be on that platform when it fails?
3. Someone else’s problem becomes your problem.
In a data centre environment, multiple customers often share resources (whether they know it or not). Platforms such as servers, switches, routers and firewalls are often provisioned for more than one client. If you are sharing DDoS hardware protection, you become exposed to the problems of every other client sharing that device: an attack aimed at one of them consumes the same capacity that is supposed to protect you.
4. One size never really fits all.
A solution deployed for an entire data centre will try to be generic enough to fit all clients’ needs, which means it probably won’t be specific enough for your exact requirements, or robust enough to handle more sophisticated attacks.
5. How focused are the people watching your gear?
Even with the best DDoS hardware protection out there, you might as well try to protect your websites with a toaster if there isn’t a proficient team dedicated to administering and managing the hardware. In a hosting environment, the operations team has many responsibilities, and managing DDoS hardware is a low-priority one. Even if someone is paying attention and able to divert their focus to your servers for a short while during a DDoS attack, it won’t be for long. Repeated DDoS attacks would likely go unmitigated, or your IP would be null-routed to save resources and minimize collateral damage, which takes you offline just as surely as the attack would have.
With so many vendors offering DDoS hardware protection, it might be tempting to conclude that it’s the safer option and will serve your business well. However, cloud-based DDoS protection offers many benefits that are not possible with DDoS hardware solutions, with few of the risks.
Jag Bains, CTO, DOSarrest Internet Security
(Formerly Director of Network Engineering and Operations for Peer1 Hosting)