DDoS bandwidth stuffing can impact either technology, as it can be directed at the cloud or the on-premises side, and requires support from the Internet providers to mitigate.
DoS/DDoS that focuses on resource exhaustion can impact any listening port that doesn’t do rate limiting on inbound traffic (even Wireguard). All traditional firewalls are vulnerable here.
What isn’t in people’s control to secure are the protocols themselves. Vulnerabilities in the code can open up people to breaches (FortiGate’s SSL VPN, for example). You rely on manufacturers and the Internet community to be open with the world on any vulnerabilities discovered, and on speedy, prompt resolution of these vulnerabilities. As the technology is available to “own”, everyone can test and view the results.
With SaaS-based services you are merely moving the risk from something you can manage yourself to a provider you trust is managing it properly. The technology framework is a black box, so you can’t test or audit for vulnerabilities. Will they be transparent and forthcoming on vulnerabilities in their platforms? Are they publicly traded, where their short-term stock price holds greater value than their customers’ safety?
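The post above notes that resource exhaustion hits any listening port that does not rate-limit inbound traffic. As an added illustration (not code from this thread or from any product named in it), this per-source token-bucket limiter is run over a constructed set of connection attempts: one flooding source and one normal client, with assumed addresses and an assumed rate of 1 connection/second and a burst of 3.

```python
from typing import Dict, List, Tuple

class TokenBucketLimiter:
    """Per-source token bucket: each source starts with `burst` tokens,
    refilled at `rate` tokens per second. A connection that finds an empty
    bucket is refused before the server commits any state to it."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.buckets: Dict[str, Tuple[float, float]] = {}  # src -> (tokens, last_ts)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False

# Constructed sample: (timestamp_seconds, source_ip). Addresses are documentation
# ranges chosen for the example; the flooder opens 10 connections in under a second.
FLOODER = "198.51.100.7"
CLIENT = "203.0.113.5"
SAMPLE_ATTEMPTS: List[Tuple[float, str]] = sorted(
    [(round(i * 0.1, 1), FLOODER) for i in range(10)]
    + [(0.0, CLIENT), (0.5, CLIENT), (2.0, CLIENT)]
)

def filter_attempts(attempts: List[Tuple[float, str]], rate: float = 1.0,
                    burst: int = 3) -> Dict[str, Dict[str, int]]:
    """Return per-source counts of accepted and dropped connection attempts."""
    limiter = TokenBucketLimiter(rate, burst)
    stats: Dict[str, Dict[str, int]] = {}
    for ts, src in attempts:
        entry = stats.setdefault(src, {"accepted": 0, "dropped": 0})
        entry["accepted" if limiter.allow(src, ts) else "dropped"] += 1
    return stats

if __name__ == "__main__":
    for src, counts in filter_attempts(SAMPLE_ATTEMPTS).items():
        print(f"{src}: accepted={counts['accepted']} dropped={counts['dropped']}")
```

The flooder gets only its burst of 3 through and the remaining 7 attempts are refused, while the normal client, whose attempts are spaced out, is never affected.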
Let me ask and come back to you. I know a good one in Europe but the time zones might get in the way.
DoS/DDoS is almost useless against a well-architected system. Of the examples I gave, outbound-only connections are best in my opinion, as source/destination cannot be subject to DoS/DDoS when using them.
You may retort that the overlay network that bridges those outbound connections can be subject to DoS/DDoS. “Yes, but” is my response. Taking the example of OpenZiti (https://github.com/openziti), it has a smart-routing mesh network dataplane, so that the lowest-latency paths are chosen at any given time for each specific application, while providing high availability/failover of router nodes with no impact on network capabilities, even if under attack (e.g., from DoS/DDoS). This is ephemeral by nature and allows the deployment/redeployment of routers and subsequent network reconfiguration dynamically and automatically. The controllers have been implemented with HA so that they are not a SPOF either. Further, we have developed an eBPF firewall to provide further DoS/DDoS protection mechanisms for controllers and routers (GitHub: netfoundry/zfw, an eBPF-based IPv4/IPv6 firewall with integrations for OpenZiti Zero-Trust Framework edge-routers and tunnellers).
While we can deliver OpenZiti as a SaaS service (NetFoundry Cloud), as it’s open source anyone can check and confirm the validity and security of the code/protocols (we use well-known and tested ones anyway). Therefore, it is not a black box.