cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

411
Views
0
Helpful
1
Replies
castleju1
Beginner

help firewall capacity expansion for DDOS protection

I have to expand firewall capacity (max session) for  ddos protection

In my opinion, firewall is vulnerable to a session based attack ( like HTTP GET Flooding)

For DDOS protection.. I consider three items
1. remove the L4 in front of firewall (like firewall load balancer)
2. firewall active/active ( multiple context is not used - Cisco engineer is not recommendation)
3. Distributed traffic

Four kinds of technology
- L3 based load balancing ( traffic desctibution using L3)
- source ip  based routing ( PBR )
- switch stack
- dns load balancing

i attached file ( current firewall & nework architecture and new architecture )

I have a few guestions
1.  is  new network architecture possible..?
2.  is it one of best practises or normal architectures..?
3.  is it references..?
4.  additional issues..?

thanks

1 REPLY 1
Parminder Sian
Beginner

Hi KS,


Please have a look at the floowing doc :-


ASA/PIX 7.x and Later: Mitigating the Network Attacks

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml


You dont need to change your setup to mitigate attacks like DDOS. In this doc you will find configuration related to tweeking maximum connection or embryonic connection for port 80 (http). 


Hope this helps.


Regards,

Parminder Sian

Content for Community-Ad