DDoS Attack and ACE

Reuven Elkabetz
Level 1

Hello All,

I have some questions regarding ACE and DDoS attacks:

- Can I use ACE as a secondary defence line (after our FW and DDoS protection at our ISP)?

- Can you guys point me to some documents and descriptions about signatures that I can configure while implementing HTTP deep inspection?

Thanks in advance,

Reuven

3 Replies

Surya ARBY
Level 4

Hi.

1 - yes, ACE offers SYN cookies and other security features (hardened TCP/IP stack with advanced checks / RPF / normalization performed by default), refer to the documentation for details.

2 - ACE is not based on signatures; as all web applications are different, you have to audit the applications to see if there are specific URLs that should never be accessed by external users, to set a maximum length for request URLs...

There are no generic rules, and most Web firewalls (former ACE WAF for example, or other products on the market) work with "dynamic learning" instead of signatures.

Hey Surya,

How are you? Thanks again!!!!

Can you tell me if it is better to implement it with parameter-map or by policy-map (layer 7) directly?

I am not sure that I can configure any common signature or max parse length, because these are things that change all the time.

I also tried to limit connections and it does not help that much. Any other options?

Thanks a lot,

Reuven

Hi.

It's done with a class-map type http inspect:

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/security/guide/appinsp.html#wp1357262

For advanced configurations, L7 inspections are very difficult to tune. You'll have to talk with the development team to understand their detailed needs and requirements for securing the application.
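To put the two answers side by side in configuration form (and to address the parameter-map versus policy-map question: you normally use both), here is an added example that is not from this thread and not text from Cisco's documentation. A `parameter-map type http` bounds how much of each request ACE parses and drops requests that exceed it; a `class-map type http inspect` plus a `policy-map type inspect http` resets requests that match criteria the application never legitimately produces; the `policy-map multi-match` ties both to the VIP. All object names (HTTP_PARAMS, HTTP_ABUSE, HTTP_INSPECT_POLICY, VIP_WEB, WEB_VIPS, LB_WEB), the VIP address 192.0.2.10 and the byte thresholds are assumptions for illustration; the keywords follow the ACE 4.x HTTP inspection configuration guide linked above, and the thresholds have to be set from an audit of the real application, as Surya says, not copied.

```cisco
! Added example (not from the thread). Object names, address and thresholds are assumed.

! 1) Parse-length limits: stop spending CPU on oversized headers/bodies and drop them.
!    2048/4096 are illustrative; tune them to the largest legitimate request you see.
parameter-map type http HTTP_PARAMS
  set header-maxparse-length 2048
  set content-maxparse-length 4096
  length-exceed drop

! 2) L7 inspection class: any single criterion is enough (match-any).
!    Over-long URLs or request headers, and HTTP methods this application never uses.
class-map type http inspect match-any HTTP_ABUSE
  match url length gt 256
  match header length request gt 2048
  match request-method rfc connect
  match request-method rfc trace

! 3) Inspection policy: reset connections that hit HTTP_ABUSE, let everything else through.
policy-map type inspect http all-match HTTP_INSPECT_POLICY
  class HTTP_ABUSE
    reset
  class class-default
    permit

! 4) VIP definition (assumed address/port).
class-map match-all VIP_WEB
  match virtual-address 192.0.2.10 tcp eq www

! 5) Tie it together on the VIP. LB_WEB is an existing load-balance policy (assumed).
policy-map multi-match WEB_VIPS
  class VIP_WEB
    loadbalance vip inbound
    loadbalance policy LB_WEB
    inspect http policy HTTP_INSPECT_POLICY
    appl-parameter http advanced-options HTTP_PARAMS
```

Apply WEB_VIPS with `service-policy input WEB_VIPS` on the client-facing interface. The parameter-map handles the "things that change all the time" part cheaply because it does not care what the URL is, only how big the request is; the inspect class-map is where application-specific knowledge goes, which is why it needs input from the developers before it can be tuned without breaking legitimate traffic.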
