Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
555
Views
0
Helpful
1
Replies

help firewall capacity expansion for DDOS protection

castleju1
Level 1
Level 1

ā€Ž04-22-2011 11:47 AM - edited ā€Ž03-11-2019 01:24 PM

I have to expand firewall capacity (max session) for  ddos protection

In my opinion, firewall is vulnerable to a session based attack ( like HTTP GET Flooding)

For DDOS protection.. I consider three items
1. remove the L4 in front of firewall (like firewall load balancer)
2. firewall active/active ( multiple context is not used - Cisco engineer is not recommendation)
3. Distributed traffic

Four kinds of technology
- L3 based load balancing ( traffic desctibution using L3)
- source ip  based routing ( PBR )
- switch stack
- dns load balancing

i attached file ( current firewall & nework architecture and new architecture )

I have a few guestions
1.  is  new network architecture possible..?
2.  is it one of best practises or normal architectures..?
3.  is it references..?
4.  additional issues..?

thanks

Labels:
Preview file
252 KB
0 Helpful
1 Reply 1

Parminder Sian
Level 1
Level 1

ā€Ž05-16-2011 02:37 AM

Hi KS,


Please have a look at the floowing doc :-


ASA/PIX 7.x and Later: Mitigating the Network Attacks

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml


You dont need to change your setup to mitigate attacks like DDOS. In this doc you will find configuration related to tweeking maximum connection or embryonic connection for port 80 (http). 


Hope this helps.


Regards,

Parminder Sian

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card