Why do I need SiteShield in addition to WAF?
While WAF can protect against traffics against the web server that are travel through Akamai, attackers may learn the origin’s direct address and send requests directly to it. With SiteShield enabled and firewall rules established to only allow Akamai’s predefined region of addresses to access the origin, attacks will not be able to perform direct to origin attacks.
As already well explained by Jesleen SiteShield fixes the biggest challenge a cloud security provider has: Attacks that directly address the origin (your web server).
These Attacks could be application layer attacks that directly attack the server with http(s) requests or similar - something the Akamai Web Application Firewall could mitigate. However the Akamai Platform is also a barrier against layer 3 and 4 DDoS attacks like DNS or NTP reflection/amplification attacks. These attacks would just overflow the web server and make it unavailable when being used directly.
When activating SiteShield the web server would no longer receive any requests on any ports not being defined secure.
This will not only save him from direct attacks against his PI, but also save him during a direct DDoS attack, given the SiteShield setup is done correctly either on a firewall with high bandwidth or even better at a core router.
Hope this adds some information.
Some more inside see the product brief: http://www.akamai.com/dl/product_briefs/product-brief-site-shield.pdf
A very nice video about Akamai's 7 layers of protection here:
Retrieving data ...