Protecting Firewall Capacity from DDoS and Other Threats

How Arbor Edge Defense levels up firewall DDoS protection


Firewalls are important network devices for security and other applications. They help filter traffic based on specific criteria to prevent illegitimate users from accessing the network. They are not, however, designed specifically for distributed denial-of-service (DDoS) protection.

Many networks are exposed to far more nuisance and malicious traffic than they need to process, whether or not they are the intended target. That exposure degrades key devices in the security stack and makes them less effective. Stateful devices suffer most: web application firewalls (WAFs), intrusion detection and prevention systems (IDS/IPS) and other firewalls all keep a per-connection table of finite size, and a flood of new flows can fill it long before link bandwidth runs out. DDoS attacks that exhaust firewall state in this way are among the most common causes of network outages. The usual answer is a costly capacity upgrade of the stateful devices so they can absorb the excess traffic while keeping acceptable performance.

The Solution to DDoS Protection on Firewalls

NETSCOUT offers Arbor Edge Defense (AED), a stateless DDoS protection solution that sits inline in front of the firewall and shields it from attack traffic. Because it keeps no per-connection state, AED can process far more traffic than a stateful device of comparable size, which is what lets it absorb DDoS attack traffic. It can also be enhanced with NETSCOUT’s ATLAS Intelligence Feed (AIF), which supplies current threat intelligence so that many common DDoS threats and known attack sources are blocked automatically.

Because it sits inline, AED sees every packet entering the network and can inspect its characteristics, passing traffic it judges legitimate and blocking traffic it judges malicious. This filtering also stops most nuisance and malicious traffic before it ever reaches the firewall, so every device behind AED can perform more effectively.
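To make the capacity argument concrete, here is an added simulation. It is not NETSCOUT code and does not describe how AED is implemented: a stateful firewall with a finite connection table is hit by a spoofed-source SYN flood, first on its own and then behind a stateless filter that answers every SYN with a SYN-cookie and forwards only clients that complete the handshake. SYN-cookie authentication is used purely as one well-known stateless countermeasure; the table size, timeouts, rates, addresses and the cookie secret are all constructed for the example.

```python
"""Added simulation (not vendor code): a stateful firewall with a finite
connection table under a spoofed SYN flood, alone and behind a stateless
inline filter that authenticates clients with SYN cookies. All addresses,
rates and sizes below are constructed."""
import hashlib
import hmac

COOKIE_SECRET = b"constructed-example-secret"  # hypothetical; a real device rotates it
MASK32 = 0xFFFFFFFF


def syn_cookie(src, sport, dst, dport, epoch):
    """Stateless cookie: keyed hash of the 4-tuple and a coarse time slot; nothing is stored."""
    msg = f"{src}:{sport}>{dst}:{dport}@{epoch}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


class StatefulFirewall:
    """Keeps an entry per connection; when the table is full, new SYNs are dropped."""

    def __init__(self, capacity, half_open_timeout, session_len):
        self.capacity, self.half_open_timeout, self.session_len = capacity, half_open_timeout, session_len
        self.table = {}  # (src, sport) -> [state, expires_at_tick]
        self.peak = 0

    def expire(self, tick):
        self.table = {k: v for k, v in self.table.items() if v[1] > tick}

    def _insert(self, key, state, tick):
        if len(self.table) >= self.capacity:
            return False
        ttl = self.half_open_timeout if state == "half_open" else self.session_len
        self.table[key] = [state, tick + ttl]
        self.peak = max(self.peak, len(self.table))
        return True

    def on_syn(self, key, tick):        # slot is held until the ACK arrives or it times out
        return self._insert(key, "half_open", tick)

    def on_ack(self, key, tick):
        if key in self.table:
            self.table[key] = ["established", tick + self.session_len]

    def on_validated(self, key, tick):  # an upstream filter already completed the handshake
        return self._insert(key, "established", tick)


class StatelessSynAuth:
    """Inline filter ahead of the firewall with no per-flow state: its SYN-ACK carries a
    cookie, and an ACK is forwarded only if the cookie recomputes from the packet itself."""
    EPOCH_TICKS = 8

    def __init__(self, firewall):
        self.fw = firewall

    def on_syn(self, src, sport, dst, dport, tick):  # returns the SYN-ACK's initial sequence number
        return syn_cookie(src, sport, dst, dport, tick // self.EPOCH_TICKS)

    def valid_ack(self, src, sport, dst, dport, ack, tick):
        epoch = tick // self.EPOCH_TICKS
        return any(ack == (syn_cookie(src, sport, dst, dport, e) + 1) & MASK32
                   for e in (epoch, epoch - 1))  # tolerate one epoch boundary

    def on_ack(self, src, sport, dst, dport, ack, tick):
        if not self.valid_ack(src, sport, dst, dport, ack, tick):
            return False
        return self.fw.on_validated((src, sport), tick)


def simulate(with_prefilter, ticks=20, flood_per_tick=500, legit_per_tick=20):
    """Run the constructed scenario and return counters (these are not measurements)."""
    fw = StatefulFirewall(capacity=1000, half_open_timeout=10, session_len=5)
    auth = StatelessSynAuth(fw) if with_prefilter else None
    dst, dport = "203.0.113.10", 443                       # TEST-NET-3 target address
    pending, flood_id = [], 0                              # legit clients due to ACK next tick
    legit_total = legit_accepted = flood_to_firewall = 0
    for tick in range(ticks + 1):                          # one extra tick drains the last ACKs
        fw.expire(tick)
        for src, sport, ack in pending:
            if auth:
                legit_accepted += auth.on_ack(src, sport, dst, dport, ack, tick)
            else:
                fw.on_ack((src, sport), tick)
        pending = []
        if tick == ticks:
            break
        for _ in range(flood_per_tick):                    # spoofed sources: unique, never ACK
            src, sport = f"198.51.{(flood_id >> 8) & 255}.{flood_id & 255}", 1024 + (flood_id >> 16)
            flood_id += 1
            if auth:
                auth.on_syn(src, sport, dst, dport, tick)  # answered with a cookie, not forwarded
            else:
                flood_to_firewall += 1
                fw.on_syn((src, sport), tick)
        for i in range(legit_per_tick):                    # genuine clients: SYN now, ACK next tick
            legit_total += 1
            src, sport = f"192.0.2.{tick}", 50000 + i
            if auth:
                cookie = auth.on_syn(src, sport, dst, dport, tick)
                pending.append((src, sport, (cookie + 1) & MASK32))
            elif fw.on_syn((src, sport), tick):
                legit_accepted += 1
                pending.append((src, sport, 0))
    return {"legit_total": legit_total, "legit_accepted": legit_accepted,
            "peak_table": fw.peak, "flood_to_firewall": flood_to_firewall}
```

Calling `simulate(False)` fills the 1,000-entry table within two ticks and only the first 20 of 400 genuine clients ever get a slot; `simulate(True)` never hands a single flood SYN to the firewall, all 400 clients connect, and the table peaks at 100 entries. The point is not the exact numbers, which are constructed, but that the stateless layer's cost per spoofed SYN is one hash computation, whereas the firewall's cost is a table slot held until a timeout.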

AED's Capabilities Go Beyond DDoS Protection

What else can AED do besides DDoS? Plenty! AED offers a host of benefits in addition to DDoS defense. On inbound traffic only, AED:

  • Detects behavior consistent with reconnaissance, such as scanning for open ports or for known vulnerabilities to exploit
  • Blocks brute-force login attempts
  • Halts bulk attempts to exploit known vulnerabilities
  • Detects malformed packets crafted to consume network resources, especially connection state on stateful devices
  • Detects traffic from untrustworthy networks, such as hosting providers that host DDoS or malware infrastructure, ignore requests to stop malicious activity originating from their networks, or generally carry high volumes of nuisance traffic to and from their networks

AED can also analyze both inbound and outbound traffic for the following:

  • Botnet command-and-control affiliation, by checking whether the source or destination IP address or domain matches a known malware or DDoS botnet
  • Traffic to or from malware download sites, identified by known IP addresses or domains, which stops the infection attempt if a user clicks a phishing link or otherwise triggers a malware download
  • Traffic to or from known data-exfiltration IP addresses or domains
  • Behaviors or sources that match many other indicators of compromise (IoCs)
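As an added illustration of the two lists above, here is a small stateless pre-filter written for this page. It is not NETSCOUT code and does not describe how AED or the AIF feed implement these checks; it shows the shape of the logic: reputation lists keyed by IP prefix and domain suffix, applied to the remote end of both inbound and outbound flows, with an inbound-only category for abusive hosting networks, plus per-source heuristics for port scanning, brute force and malformed TCP flag combinations. The indicator lists (documentation address ranges and `.test` names), the thresholds, and the flow-record format are all constructed.

```python
"""Added example (not vendor code): a stateless pre-filter that checks inbound
and outbound flow records against a constructed threat-intelligence feed and a
few per-source behaviour heuristics before the traffic reaches a stateful
firewall. Every indicator below is made up (documentation ranges, .test names)."""
import ipaddress
from collections import Counter, defaultdict

BAD_PREFIXES = {                         # category -> CIDRs (constructed feed)
    "bad_hosting": ["203.0.113.0/24"],   # abusive hosting network; inbound only
    "c2": ["192.0.2.64/28"],             # botnet command and control
    "malware_download": ["192.0.2.128/25"],
    "exfil": ["198.18.0.0/15"],          # known data-exfiltration endpoints
}
BAD_DOMAINS = {                          # matched by suffix, so subdomains count
    "c2": {"beacon.c2-example.test"},
    "malware_download": {"malware-example.test"},
    "exfil": {"drop.exfil-example.test"},
}
INBOUND_ONLY = {"bad_hosting"}           # a user reaching a hosting provider is not suspicious
AUTH_PORTS = {21, 22, 23, 445, 3389}
NETS = {cat: [ipaddress.ip_network(p) for p in ps] for cat, ps in BAD_PREFIXES.items()}


def ip_category(ip, direction):
    """Category of a remote IP, or None; inbound-only categories ignore outbound flows."""
    addr = ipaddress.ip_address(ip)
    for cat, nets in NETS.items():
        if (cat not in INBOUND_ONLY or direction == "in") and any(addr in n for n in nets):
            return cat
    return None


def domain_category(name):
    """Suffix match: cdn.malware-example.test hits malware-example.test."""
    labels = (name or "").lower().split(".")
    for cat, doms in BAD_DOMAINS.items():
        if any(".".join(labels[i:]) in doms for i in range(len(labels))):
            return cat
    return None


class EdgeFilter:
    """Keeps only small per-source counters, never per-connection state, so a
    flood of fresh sources cannot fill a table the way it fills a firewall's."""

    def __init__(self, scan_ports=15, brute_attempts=10):
        self.scan_ports, self.brute_attempts = scan_ports, brute_attempts
        self.ports_seen = defaultdict(set)   # inbound src -> distinct destination ports
        self.auth_tries = Counter()          # inbound src -> attempts against AUTH_PORTS

    def verdict(self, f):
        """f: {direction: 'in'|'out', src, dst, proto, dport, flags, [domain]}"""
        flags = set(f.get("flags", ""))
        if f["proto"] == "tcp" and (not flags or {"S", "F"} <= flags or {"S", "R"} <= flags):
            return "drop", "malformed"        # null, SYN+FIN, SYN+RST: no real stack sends these
        remote = f["src"] if f["direction"] == "in" else f["dst"]
        cat = ip_category(remote, f["direction"]) or domain_category(f.get("domain"))
        if cat:
            return "drop", cat
        if f["direction"] == "in":            # behavioural checks apply to inbound only
            ports = self.ports_seen[f["src"]]
            ports.add(f["dport"])
            if len(ports) >= self.scan_ports:
                return "drop", "scan"
            if f["dport"] in AUTH_PORTS:
                self.auth_tries[f["src"]] += 1
                if self.auth_tries[f["src"]] >= self.brute_attempts:
                    return "drop", "bruteforce"
        return "allow", "clean"


def run(flows):
    """Apply the filter in order; returns per-flow verdicts and a count of drop reasons."""
    flt = EdgeFilter()
    results = [flt.verdict(f) for f in flows]
    return results, Counter(reason for action, reason in results if action == "drop")


def sample_flows():
    """Constructed flow records standing in for what an inline device would observe."""
    def inb(src, dport, flags="S"):
        return {"direction": "in", "src": src, "dst": "192.0.2.10", "proto": "tcp", "dport": dport, "flags": flags}

    def out(dst, dport, domain=None):
        return {"direction": "out", "src": "192.0.2.10", "dst": dst, "proto": "tcp", "dport": dport, "flags": "S", "domain": domain}

    flows = [inb("198.51.100.50", 443) for _ in range(3)]          # ordinary web clients
    flows.append(inb("203.0.113.77", 443))                         # from the abusive hosting prefix
    flows += [inb("198.51.100.7", p) for p in range(1, 21)]        # port scan over 20 ports
    flows += [inb("198.51.100.8", 22) for _ in range(20)]          # SSH brute force
    flows.append(inb("198.51.100.9", 80, flags="SF"))              # SYN+FIN probe
    flows.append(out("192.0.2.70", 8443))                          # beaconing to C2 by IP
    flows.append(out("192.0.2.200", 80))                           # malware download by IP
    flows.append(out("198.51.100.90", 443, "cdn.malware-example.test"))  # same, by domain suffix
    flows.append(out("198.18.1.1", 443))                           # upload to exfil endpoint
    flows.append(out("203.0.113.5", 443, "www.example.com"))       # hosting prefix outbound: allowed
    return flows
```

Running `run(sample_flows())` drops 23 of the 50 constructed flows and allows 27: the scanner is cut off at its 15th distinct port, the brute-forcer at its 10th attempt, and the outbound flow to the hosting prefix is allowed because that category is inbound-only, which is the distinction the text draws between the two lists. In production the indicator lists would come from a feed and the thresholds would be tuned to the site; what matters here is that none of the checks needs a per-connection table.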

The benefit of this additional functionality is that the firewall is relieved of filtering this attack traffic and left to do what it was designed to do. Firewalls are built for stateful, behavioral and signature-based blocking, so an extra layer in front of them that absorbs surges of attack, nuisance and malicious traffic is essential to keeping them running efficiently. Reducing the load on security stack devices in general improves the security posture, because each component can do its own job fully. It also reduces overall investment: teams do not need to buy extra capacity for the security stack when a stateless solution handles the bulk of the traffic and gives the stateful devices room to perform.

Learn more about protecting firewall capacity with Arbor Edge Defense.