Cybersecurity best practices and DDoS defence strategies
Since the on-premise-only deployment lost the argument to the cloud service over the simple question of Internet uplink, appliance providers have naturally gravitated towards the hybrid model as an offering. The value of a hybrid offering is strong, and for the past few years it has been the favoured deployment. Having said that, current hybrid deployments still have drawbacks, in the same way that a pure-cloud solution has its pros and cons.
With the hybrid solutions currently on the market, attack detection and mitigation take effect immediately via on-premise devices that thwart attacks locally. Once an attack surpasses the capacity of the Internet uplink or the appliance itself, cloud mitigation is activated and the traffic is offloaded to the cloud. Such traditional hybrid models, however, are inflexible: on-premise devices stop attacks locally first, and only when attacks exceed the Internet uplink threshold is cloud mitigation activated. This activation is typically a manual process, though with certain customizations it can be automated. Whether manual or automated, the gap between the two phases will bring about inevitable service disruptions for users.
Regardless of whether the solution is on-premise, cloud-based or hybrid, the typical DDoS protection requirements of CSPs are as follows:
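The activation gap described above can be made concrete with a small model. This is an added example, not part of the original article or of any vendor's product; the traffic trace, uplink size, trigger thresholds and activation delays are all constructed assumptions.

```python
# Added illustration; every number below is a constructed assumption.
from dataclasses import dataclass

@dataclass
class HybridPolicy:
    name: str
    trigger_fraction: float   # share of uplink capacity that arms cloud diversion
    sustain_s: int            # consecutive seconds above trigger before activating
    activation_delay_s: int   # operator reaction or automated route-change time

def simulate(traffic_gbps, uplink_gbps, policy):
    """Return (activation_second, saturated_seconds) for a per-second trace.

    saturated_seconds counts samples where inbound traffic exceeds the uplink
    while cloud mitigation is not yet absorbing it, i.e. the disruption window.
    Simplification: once the cloud is active, saturation is treated as resolved.
    """
    above = 0
    triggered_at = None
    active_at = None
    saturated = 0
    for t, gbps in enumerate(traffic_gbps):
        if triggered_at is None:
            above = above + 1 if gbps >= policy.trigger_fraction * uplink_gbps else 0
            if above >= policy.sustain_s:
                triggered_at = t
                active_at = t + policy.activation_delay_s
        cloud_active = active_at is not None and t >= active_at
        if gbps > uplink_gbps and not cloud_active:
            saturated += 1
    return active_at, saturated

def constructed_trace():
    """Constructed sample: 60 s baseline, 120 s linear ramp to 25 Gbps, 600 s plateau."""
    baseline = [2.0] * 60
    ramp = [2.0 + 23.0 * (i + 1) / 120 for i in range(120)]
    plateau = [25.0] * 600
    return baseline + ramp + plateau

UPLINK_GBPS = 10.0
MANUAL = HybridPolicy("manual, trigger at uplink limit", 1.0, 5, 300)
AUTOMATED = HybridPolicy("automated, trigger at 80% of uplink", 0.8, 5, 30)

if __name__ == "__main__":
    trace = constructed_trace()
    for p in (MANUAL, AUTOMATED):
        active_at, saturated = simulate(trace, UPLINK_GBPS, p)
        print(f"{p.name}: cloud active at t={active_at}s, uplink saturated {saturated}s")
```

Even the automated policy with an early trigger leaves a window of saturated uplink in this model, which is the disruption the paragraph attributes to any two-phase hand-off.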
• Provide multi-tenant service to customers
• Customized solutions according to specific customer needs
• Reduce collateral damage to customers not under attack
• Maintain service quality and network performance plus high availability
• Share risk with cloud service providers when an attack increases in size
Below are some typical scenarios and pain points of CSPs in handling different situations at the same time, while maintaining customers’ specific needs.
1. Customers that have their own infrastructure connected to a CSP
• Occasionally under DDoS attack
• Has a website to protect and needs geolocation optimization
• Requires always-on clean pipe access to Internet
• Even though an attack may be occasional for an individual customer, CSPs may still face DDoS attacks regularly. Sharing the risk with a cloud provider would lessen the burden on the resources they need for normal day-to-day operations.
• An on-premise solution does not cater for websites requiring geolocation optimization.
• On-premise deployments are not designed with inbuilt multi-tenant support or customer portals, resulting in a lack of visibility and control for both the provider and downstream customers.
2. Customers that suffer from large attacks and have distributed end-users
• Not all customers are transit customers of a CSP
• Needs to protect several websites and DNS domains, as well as the whole network infrastructure hosted in one or multiple Class C (/24) networks
• Some websites require in-country mitigation
• Some applications are sensitive to network latency, and geolocation optimization is needed
• On-premise solution requires the end customer to be a transit customer of a CSP.
• Traditional hybrid models are rather rigid as on-premise devices stop an attack locally first, and only when the attack exceeds the capacity of the Internet uplink will cloud mitigation be triggered.
• This may serve the needs of websites requiring in-country mitigation but does not add value to those requiring geolocation optimization after protection is delivered by the on-premise solution. Conversely, in the event that cloud mitigation has been activated, on-premise protection of websites is not provided.
• Availability of DNS domain is not enhanced.
In the choice between on-premise, pure-cloud and hybrid, Nexusguard’s approach is unique, and different from any other solution in today’s market. The Nexusguard Managed DDoS Mitigation Platform offering is true-hybrid, offering both on-premise, always-on first, and cloud-first at the same time. This is possible because in our deployment the on-premise aspect operates in conjunction with the Nexusguard Global Scrubbing Network: it delivers on-premise value at the customer’s network while Nexusguard’s cloud protection covers traffic coming from the rest of the world, and the customer keeps the choice and flexibility of swinging fully to either full on-premise or full cloud.
Through our platform with inbuilt multi-tenant support, these transitions are transparent to the end users, while at the same time fully manageable and visible by our CSP customers.
Nexusguard’s True-Hybrid solution solves the above mentioned CSP pain points by providing the following:
• More flexibility, in that it can accommodate and address the needs of customers with a variety of requirements, and offer a combination of services all at the same time.
• Multi-tenant support as a built-in feature, and full visibility and control to both providers and customers via Administration and Customer portals.
• Ability to operate both on-premise, always-on first, and cloud first at the same time, while offering the flexibility of delivering either full on-premise or full cloud protection.
• Seamless compliance with a mix of data sovereignty policies for on-premise, within the country and in the cloud.
For more information, please read about Nexusguard’s True-Hybrid DDoS Solutions.
With cyberattacks now being launched in various sizes and with differing intentions, deploying Nexusguard’s True-Hybrid offering could well be what saves your organization from falling victim to a major DDoS attack.