Intelligent DDoS Mitigation System – IDMS Compared to Firewall & IPS

Written By Harris Andrea

As e-commerce continues to proliferate and deliver profitable results, more business is being done online. The growing adoption of online retailing, Internet banking, cloud-based data storage and other commercial services represents a natural evolution of Internet use.

For online businesses, however, any downtime can dramatically impact the bottom line. As a result, the growing scale and frequency of Distributed Denial of Service (DDoS) attacks are taking a toll on these businesses.

While DDoS attacks may have been driven by non-economic reasons in the past, they now have monetary drivers including extortion, competitive advantage and corporate revenge.

When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security.

They believe they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers.

Unfortunately, such deployments do not protect against DDoS and can actually expose these organizations to service outages and irate customers.

When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships.

What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.

This article examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.

Why IPS Devices and Firewalls Can’t Stop DDoS Attacks

IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products.

An IPS, for example, inspects traffic for known exploit patterns and blocks break-in attempts that would lead to data theft. A firewall, meanwhile, acts as a policy enforcer that decides which connections are allowed to reach which hosts, preventing unauthorized access to data.

While such security products effectively address "network integrity and confidentiality", they do not address the fundamental concern in a DDoS attack, which is "network availability".

What's more, IPS devices and firewalls are stateful, inline devices: every connection that passes through them occupies an entry in a finite state table. A flood of spoofed connection attempts (a SYN flood, for instance) fills that table long before the protected servers are saturated, so the security device itself is the first thing to fail, and it frequently becomes the attacker's actual target.

How to fight DDoS Attacks

The ideal solution is an Intelligent DDoS Mitigation System (IDMS) that can stop both volumetric and application-layer DDoS attacks. It must also be deployable both in the ISP network (as a cloud-based scrubbing service) and at the enterprise or data-center edge, since volumetric attacks can saturate the access link before any on-premises device sees the traffic.

Key Features of an IDMS

The limitations of IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be "stateless": it must not keep per-connection state for every flow it forwards, because that state table is exactly what a flood exhausts.

As mentioned earlier, a stateful device is itself vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployment when needed, where traffic is diverted to the mitigation device only while an attack is in progress (typically by re-routing the victim's prefix), so the device is not a permanent inline bottleneck.
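The state-exhaustion problem described above (a stateful inline device versus a stateless element) can be shown with a small simulation. The following is an added example, not code from the article or from any IDMS vendor: it models a stateful firewall whose half-open connection table has a fixed capacity, and a stateless SYN-cookie proxy that stores nothing and admits a client only when the returning ACK carries a cookie that the proxy can recompute. The flood traffic, the legitimate clients, the table capacity and the cookie secret are all constructed values chosen for illustration.

```python
"""Added example (not from the article): a spoofed SYN flood against a stateful
inline firewall versus a stateless SYN-cookie proxy. All traffic is constructed."""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

# Assumption: a per-device secret used to derive SYN cookies (hypothetical value).
COOKIE_SECRET = b"constructed-device-secret"


@dataclass
class StatefulFirewall:
    """Models a stateful inline device: every SYN creates a half-open entry that
    lives until the handshake completes or a timeout expires. Within one flood
    window nothing expires, so a spoofed flood simply fills the table."""
    capacity: int
    table: dict = field(default_factory=dict)

    def on_syn(self, src_ip: str, src_port: int) -> bool:
        """Return True if state was allocated for the SYN, False if it was dropped."""
        if len(self.table) >= self.capacity:
            return False  # table exhausted: new clients, legitimate or not, are refused
        self.table[(src_ip, src_port)] = "SYN_RECV"
        return True


def syn_cookie(src_ip: str, src_port: int, tslot: int) -> bytes:
    """Derive a 32-bit cookie (used as the SYN-ACK sequence number) from the
    source tuple and a coarse time slot, so nothing has to be remembered."""
    msg = f"{src_ip}:{src_port}:{tslot}".encode()
    return hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4]


class StatelessSynProxy:
    """Models a stateless mitigation element: it answers every SYN with a cookie
    and admits a client only once the returning ACK proves the source is real."""

    def on_syn(self, src_ip: str, src_port: int, tslot: int) -> bytes:
        return syn_cookie(src_ip, src_port, tslot)  # nothing is stored

    def on_ack(self, src_ip: str, src_port: int, cookie: bytes, tslot: int) -> bool:
        # Accept the current or the previous slot so a slow client is not rejected.
        return any(
            hmac.compare_digest(cookie, syn_cookie(src_ip, src_port, s))
            for s in (tslot, tslot - 1)
        )


def simulate(flood_size: int = 20000, capacity: int = 10000,
             legit_clients: int = 50, seed: int = 1) -> dict:
    """Run a spoofed SYN flood through both models, then let legitimate clients
    (who do complete the handshake) try to connect."""
    rng = random.Random(seed)
    firewall = StatefulFirewall(capacity)
    proxy = StatelessSynProxy()

    # Spoofed SYNs from random sources in 10.0.0.0/8; the final ACK never arrives.
    for _ in range(flood_size):
        src = (f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
               rng.randrange(1024, 65536))
        firewall.on_syn(*src)
        proxy.on_syn(*src, tslot=0)

    # Legitimate clients (constructed addresses in 192.0.2.0/24) complete the handshake.
    served_stateful = served_stateless = 0
    for i in range(legit_clients):
        src = (f"192.0.2.{i % 254 + 1}", 40000 + i)
        if firewall.on_syn(*src):
            served_stateful += 1
        cookie = proxy.on_syn(*src, tslot=0)
        if proxy.on_ack(*src, cookie, tslot=0):
            served_stateless += 1

    return {
        "stateful_table_entries": len(firewall.table),
        "stateful_legit_served": served_stateful,
        "stateless_legit_served": served_stateless,
    }


if __name__ == "__main__":
    print(simulate())
```

With the default values the firewall's table is full (10000 entries) after the flood and none of the 50 legitimate clients get through it, while the stateless proxy serves all 50 because it never allocated anything for the spoofed sources. The same principle applies whatever the real device's capacity is; the attacker only has to send more spoofed SYNs than the table can hold.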

This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.

To truly address "distributed" DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method, correlating what is seen at many ingress points rather than at one.

An IPS that relies on single-segment detection will miss major attacks: each segment carries only a fraction of the flood, which may stay below any per-device threshold even though the aggregate arriving at the victim is overwhelming. Moreover, an IDMS solution must not depend on signatures created after the attack has already been unleashed on the targets; rather, it must detect anomalies against normal traffic levels and support multiple attack countermeasures.
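The difference between single-segment and distributed detection, as an added example that is not part of the article: the flow summaries below are constructed (four ISP edge segments, one victim prefix, one benign destination), and the per-destination baselines are hypothetical learned values. A per-segment check with a 10,000 pps threshold never fires, because no single segment carries that much; the aggregated view does, and so does a signature-free comparison against baseline. The last function sketches one countermeasure: sharing a target rate across the segments so that each ingress point can rate-limit traffic for the victim.

```python
"""Added example (not from the article): detecting a distributed flood from
per-segment flow summaries, and deriving per-segment rate limits as a
countermeasure. All records and baselines below are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

Flow = Tuple[str, str, int]  # (ingress_segment, dst_ip, packets_per_second)

# Constructed flow summaries for one measurement interval.
FLOWS = [
    ("isp-edge-1", "203.0.113.10", 8000),
    ("isp-edge-2", "203.0.113.10", 7500),
    ("isp-edge-3", "203.0.113.10", 8200),
    ("isp-edge-4", "203.0.113.10", 7900),
    ("isp-edge-1", "203.0.113.20", 900),
    ("isp-edge-2", "203.0.113.20", 1100),
]

# Assumption: per-destination baselines in packets per second, learned during
# normal operation (hypothetical values).
BASELINES = {"203.0.113.10": 1500, "203.0.113.20": 1000}


def per_segment_alarms(flows: Iterable[Flow], threshold: int) -> Set[Tuple[str, str]]:
    """What an IPS watching one segment can conclude: an alarm only when the
    traffic on that segment alone crosses the threshold."""
    return {(seg, dst) for seg, dst, pps in flows if pps > threshold}


def aggregate_by_destination(flows: Iterable[Flow]) -> Dict[str, int]:
    """Correlate all segments: total rate arriving at each destination."""
    totals: Dict[str, int] = defaultdict(int)
    for _seg, dst, pps in flows:
        totals[dst] += pps
    return dict(totals)


def distributed_alarms(flows: Iterable[Flow], threshold: int) -> Set[str]:
    """Destinations whose aggregate rate across all segments crosses the threshold."""
    return {dst for dst, total in aggregate_by_destination(flows).items()
            if total > threshold}


def anomaly_alarms(flows: Iterable[Flow], baselines: Dict[str, int],
                   factor: float = 3.0) -> Set[str]:
    """Signature-free detection: flag destinations whose aggregate rate exceeds
    `factor` times their learned baseline. No knowledge of the attack tool needed."""
    totals = aggregate_by_destination(flows)
    return {dst for dst, total in totals.items()
            if dst in baselines and total > factor * baselines[dst]}


def per_segment_limits(flows: Iterable[Flow], dst: str, target_pps: int) -> Dict[str, int]:
    """Countermeasure: split a target rate for `dst` across the segments in
    proportion to what each currently carries, so every ingress point can
    enforce its share (integer division keeps the sum at or below the target)."""
    flows = [f for f in flows if f[1] == dst]
    total = sum(pps for _seg, _dst, pps in flows)
    if total == 0:
        return {}
    return {seg: pps * target_pps // total for seg, _dst, pps in flows}


if __name__ == "__main__":
    print("per-segment :", per_segment_alarms(FLOWS, 10000))
    print("distributed :", distributed_alarms(FLOWS, 10000))
    print("anomaly     :", anomaly_alarms(FLOWS, BASELINES))
    print("limits      :", per_segment_limits(FLOWS, "203.0.113.10", BASELINES["203.0.113.10"]))
```

The thresholds and the 3x baseline factor are illustrative; in practice the aggregate view has to be built from flow telemetry collected at every segment and correlated centrally, which is exactly the "fully integrated" property the article asks for.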

Finally, the IDMS must provide comprehensive reporting and be backed by a company with a proven track record against Internet-based DDoS threats. The key features of an IDMS are:

– Stateless
– Inline and Out-of-Band Deployment Options
– Scalable DDoS Mitigation
– Ability to Stop “Distributed” DoS Attacks
– Multiple Attack Countermeasures
– Comprehensive Reporting
– Industry Track Record and Expertise

Summary

To summarize, the security of a network depends on different elements which have their own purpose and scope.

Network firewalls and intrusion prevention systems (IPS) are the cornerstone of the security of any network. They are excellent at enforcing the security policy and mitigating threats against unauthorized access, network integrity and confidentiality.

However, they cannot stop a Distributed Denial of Service attack, and as stateful inline devices they are among its first casualties. For this threat a more suitable defense mechanism is an Intelligent DDoS Mitigation System (IDMS), which detects those distributed attacks and takes the proper action to stop them.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Copyright © 2022