DDOS / DOS Protection



L0 Member

Is there any benefit to placing an additional firewall on the OUTSIDE of the customer's internet/external router? There is already a perimeter firewall on the inside of this router.

(Proposed additional firewall running virtual wire) <---> External Router (BGP and internet links) <----> Perimeter Firewall <----> Internal Router


This external router is serving as the internet gateway for the FW as well as the BGP termination point for several of their external links. The firewall does not take part in the BGP. ALL traffic from that internet router then passes through a perimeter gateway firewall and then gets sent to wherever it needs to go on the inside of the customer network (they have an internal router also).

The network team wants us to put an additional PA firewall on the OUTSIDE of the internet router to provide protection for that router against DOS and other attacks. Note that inspection and security policies are already done on the firewall on the inside of the router to protect the internal resources.

Will the PA be able to provide enough protection to make this worthwhile? I assume this will only be for network layer attacks, so really only what is available in a DoS protection profile, or will vulnerability protection also help here? Or should they get a dedicated DDoS appliance for this?

I've never had to firewall/protect the actual network infrastructure before so no idea what to tell them here.


Accepted Solutions

Cyber Elite

Good Day

It is possible to put a FW in front of the Internet Router, but the appliance would need to be scoped bigger to handle massive potential payloads that are unwarranted (DoS).

[attached image: SCantwell_IM_0-1698185710098.png]


If given the choice, I would work with the ISP to help limit DoS attacks coming to the router, as ISP hardware typically has better hardware buffer capacities built in to ward off a DDoS.

You may want to do some SNMP queries to determine the number of connections per second (cps) that the router is handling at different times/peak times, to determine which PANW FW to size (if you choose to utilize one) for your customer.

What other questions can we answer for you?

Help the community: Like helpful comments and mark solutions

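Following the accepted answer's suggestion to sample the router over SNMP before choosing a firewall, the script below is an added example (not from the thread, and not Palo Alto Networks code) that turns periodic counter samples into peak packet and bit rates, handling counter wrap. It assumes the counters are IF-MIB interface counters for the router's Internet-facing interface (ifInOctets/ifInUcastPkts, or the 64-bit ifHCInOctets/ifHCInUcastPkts), polled at a fixed interval by whatever SNMP poller is already in use; the Sample values are constructed, not captured from a real device. A firewall's connections-per-second figure would come from its own session counters, sampled and reduced the same way.

```python
"""Peak rate from periodic SNMP counter samples, for sizing a firewall that
would sit in front of the Internet router.

Added example, not from the original thread. Assumptions: the samples are
the router's IF-MIB interface counters for the Internet-facing interface
(ifInOctets / ifInUcastPkts, or the 64-bit HC variants), polled at a fixed
interval; the sample values below are constructed, not from a real device.
"""
from dataclasses import dataclass
from math import ceil

COUNTER32_MAX = 2 ** 32   # Counter32 wraps here (ifInOctets, ifInUcastPkts)
COUNTER64_MAX = 2 ** 64   # Counter64 (ifHCInOctets, ifHCInUcastPkts)


@dataclass(frozen=True)
class Sample:
    ts: float     # seconds at which the poll happened
    octets: int   # interface octet counter reading
    pkts: int     # interface unicast packet counter reading


def counter_delta(prev: int, cur: int, width: int) -> int:
    """Difference between two monotonic counter readings, allowing one wrap."""
    if cur >= prev:
        return cur - prev
    return cur + width - prev


def seconds_to_wrap(link_bps: float, width: int) -> float:
    """How long a saturated link takes to wrap an octet counter of this width.
    The poll interval must be shorter than this, or deltas are silently wrong."""
    return width * 8 / link_bps


def rates(samples, width: int = COUNTER64_MAX):
    """Return (ts, bits_per_second, packets_per_second) for each consecutive
    pair of samples."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.ts - prev.ts
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        bps = counter_delta(prev.octets, cur.octets, width) * 8 / dt
        pps = counter_delta(prev.pkts, cur.pkts, width) / dt
        out.append((cur.ts, bps, pps))
    return out


def percentile(values, pct: float) -> float:
    """Nearest-rank percentile; pct=100 gives the maximum."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def sizing_summary(samples, width: int, link_bps: float, pct: float = 95):
    """Peak and percentile rates, plus a sanity flag: a computed rate above
    the link speed means the counter width or the poll interval is wrong."""
    r = rates(samples, width)
    bps_values = [bps for _, bps, _ in r]
    pps_values = [pps for _, _, pps in r]
    return {
        "peak_bps": max(bps_values),
        "peak_pps": max(pps_values),
        f"p{pct}_bps": percentile(bps_values, pct),
        f"p{pct}_pps": percentile(pps_values, pct),
        "exceeds_link": any(b > link_bps for b in bps_values),
    }


# Constructed 32-bit counter samples, 10 s apart; both counters wrap
# between the first and second poll.
SAMPLES = [
    Sample(0, 4_294_960_000, 4_294_967_000),
    Sample(10, 1_242_704, 9_704),        # +1,250,000 octets, +10,000 pkts
    Sample(20, 13_742_704, 29_704),      # +12,500,000 octets, +20,000 pkts
    Sample(30, 16_242_704, 34_704),      # +2,500,000 octets, +5,000 pkts
]

if __name__ == "__main__":
    print(sizing_summary(SAMPLES, COUNTER32_MAX, link_bps=1e9))
    print(f"1 Gbps wraps a Counter32 in {seconds_to_wrap(1e9, COUNTER32_MAX):.1f} s")
```

Two things the numbers make visible: a 32-bit octet counter on a 1 Gbps link wraps in about 34 seconds, so a 60-second poll of ifInOctets loses data without any error, and feeding 32-bit readings through the 64-bit width produces a rate far above the link speed, which the `exceeds_link` flag catches. Poll the HC counters where the router supports them, and size against the peak or high percentile rather than the average.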

3 REPLIES

Cyber Elite

Hi @ThamiDlaminiITN ,


I have seen some sales people promote protecting the external routers, but I agree with @SCantwell_IM . Most routers are built to be connected to the Internet and can be patched, hardened, and configured with some features to limit DoS. Most ISPs offer some DDoS protection, and some offer extra DDoS protection as an additional service. I would work with the ISP first.


Thanks,


Tom

Help the community: Like helpful comments and mark solutions.

L0 Member

Thank you for the responses guys, really appreciate it. They helped.
