If you have a firewall, do you still need to have a plan for DDOS protection?
The short answer is yes. For the longer answer I will use a strange analogy that popped into my head.
A DDOS Analogy
In this sci-fi analogy, let’s assume that your house is the enterprise network you are attempting to protect and your house’s futuristic alarm system is your company’s firewall. The people who show up to your house are analogous to packets. This futuristic alarm system has the ability to recognize the people showing up to your house. It can determine if these people are bad people attempting to do you harm or if they represent the normal traffic that shows up at your house, some combination of friends and family.
This alarm system has the ability to lock the house down securely if it scans a person and determines they are a threat to you. If it scans the person and sees that they are friends or family, the system will welcome them into your house.
The Challenge Firewalls Have With DDOS
I’ll use this example to show what a DDOS attack could look like and how your firewall would fall short. Instead of a normal day where you might have very few friends and family visiting your home, suddenly you would have a large influx of people showing up at your doorstep. Everyone you’ve ever known from your childhood, high school, college and professional career is now at your doorstep looking to get in. The alarm system would function as it was designed to and scan each person, saying:
- Hey, Grandma’s here! Let her in.
- That’s the neighbor Tom, let him in.
- That’s Chris’ coworker Jim, we recognize him, come on in.
This starts happening with hundreds or thousands of people, all at the same time. Suddenly the house is full, the fridge is empty, the toilets are clogged and chaos has taken over. There is now a line of people outside of your house.
Seemingly Benign Traffic
Having an up-to-date firewall will protect you from many of the traditional threats, viruses and such, which are a risk to your network. The challenge with DDOS attacks is that they use seemingly benign traffic (like the grandmas) to overwhelm resources and bandwidth on your network. At the individual packet level, the packets themselves are not the issue; it is generally the volume of traffic that presents the issue.
Enter the need for DDOS protection. A DDOS protection system would recognize that while the individuals showing up to your house are seemingly OK, the unannounced arrival of everyone at once is out of the ordinary. The system would kick in and screen each one of the people to determine whether or not they are really supposed to be there. It would then let the people that were invited and are supposed to be there stay, while turning away the rest of the people.
This system would stay engaged until the mass volume of people subsided and traffic returned to normal.
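The behaviour described above, as an added Python sketch that is not part of the original post: a per-packet firewall rule passes every request, while a rate-based detector engages on the surge, screens sources, and disengages when traffic returns to normal. The traffic sample, thresholds, function names and the "seen during normal operation" screening policy are all assumptions made for illustration.

```python
def build_sample():
    """Constructed traffic as (second, source_ip, dst_port); not real data."""
    regulars = [f"10.0.0.{i}" for i in range(5)]
    crowd = [f"198.51.100.{i % 250}" for i in range(500)]
    events = []
    for sec in range(20):
        events += [(sec, ip, 443) for ip in regulars]   # 5 requests/sec all day
        if 10 <= sec < 15:                              # surge: +500 requests/sec
            events += [(sec, ip, 443) for ip in crowd]
    return events

def firewall_allows(event):
    """Per-packet rule (allow HTTPS): judges each packet alone, never the volume."""
    return event[2] == 443

def run_mitigation(events, alpha=0.2, engage=5.0, release=2.0):
    """Engage when the per-second rate exceeds engage x baseline and stay engaged
    until it falls back to release x baseline (hysteresis). While engaged, admit
    only sources seen during normal operation (assumed screening policy).
    Returns (engaged_seconds, admitted, dropped)."""
    by_sec = {}
    for ev in events:
        by_sec.setdefault(ev[0], []).append(ev)
    baseline, engaged = None, False
    known, engaged_secs, admitted, dropped = set(), [], 0, 0
    for sec in sorted(by_sec):
        batch = by_sec[sec]
        rate = len(batch)
        if baseline is None:
            baseline = float(rate)
        if not engaged and rate > engage * baseline:
            engaged = True
        elif engaged and rate <= release * baseline:
            engaged = False
        if engaged:
            engaged_secs.append(sec)
            ok = sum(1 for ev in batch if ev[1] in known)
            admitted += ok
            dropped += rate - ok
        else:
            # Learn the baseline and the regular visitors from calm traffic only.
            baseline = (1 - alpha) * baseline + alpha * rate
            known.update(ev[1] for ev in batch)
            admitted += rate
    return engaged_secs, admitted, dropped

if __name__ == "__main__":
    sample = build_sample()
    print("firewall passes every packet:", all(firewall_allows(e) for e in sample))
    print("engaged seconds, admitted, dropped:", run_mitigation(sample))
```

The baseline is frozen while mitigation is engaged so that the surge cannot teach the detector that 500 requests per second is normal.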
Stepping out of the analogy, the summary is that it is best to have a DDOS protection service or an in-house protection plan in place in addition to your firewall and threat protection systems.