Plan DoS and Zone Protection Best Practice Deployment
Before deploying DoS protection, consider the types of DoS attacks you may face, take a layered approach, and understand normal and peak CPS rates of devices you want to protect.
Take different types of DoS attacks into account. Plan to layer your defenses with multiple prevention mechanisms and position firewalls close to the devices they protect. Understand the average normal and peak baseline connections-per-second (CPS) of the critical devices you want to protect, the capacity of your firewalls, and the effect of other features that affect firewall capacity, such as how much traffic you decrypt.
- Plan your defense against each type of DoS attack.
- Volumetric Attacks—High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing its resources. An example is a UDP flood attack.
- Use a layered approach to preventing DoS attacks.
- Use a dedicated, high-volume DDoS protection device and a perimeter router, switch, or other hardware-based packet drop device with appropriate access control lists (ACLs) as the first layer of defense at the internet-facing network perimeter, in front of perimeter firewalls. Perimeter protection defends against volumetric attacks that the session-based firewall isn’t designed to handle.
- Use the firewall as an extra layer of defense against DoS attacks to protect individual zones (Zone Protection profile and Packet Buffer Protection) and individual or small groups of high-value targets such as web servers (DoS Protection profiles and policy rules). The firewall provides visibility into application traffic that dedicated DoS protection devices don’t provide. Firewall use cases include:
- Applying Zone Protection profiles as a second layer of broad protection.
- Applying Aggregate DoS Protection profiles as a third layer of broad protection for groups of critical servers.
- Applying Classified DoS Protection profiles to protect critical internet-facing servers by limiting the CPS to each server.
- Applying Classified DoS Protection profiles to prevent misconfigured or compromised internal hosts from carrying out a DoS attack by limiting the CPS either from the suspect source (internally-facing zones only, not internet-facing zones) or to the affected destination.
- Applying Classified DoS Protection profiles to monitor a particular source (internally-facing zones only) and alert you if the CPS from that source reaches a certain threshold, which may indicate a compromised or misconfigured host.
- Applying Packet Buffer Protection to prevent DoS attacks from consuming firewall resources.
- Position firewalls as close as possible to the resources they protect.The firewall treats packets as sessions and inspects each packet at the port, protocol, IP, and application level. Firewalls don’t scale to millions of CPS because they are session-based, so the closer you place the firewall to the resources you’re protecting, the fewer sessions and firewall resources consumed.
- Donotplace firewalls in front of perimeter DDoS devices or perimeter routers or switches. Use high-capacity devices at the edge (both local and cloud edge) to mitigate volumetric attacks from the internet and prevent the firewall from being exposed to those attacks.
- Position perimeter firewallsbehinddedicated DDoS devices and routers or switches that drop DoS traffic using ACLs so the firewalls segment the internal network into zones and protect sensitive devices in those zones. The closer a firewall is to the perimeter, the greater its capacity should be because of higher traffic volumes.
- Consider examining network zone segmentation. If it isn’t granular enough, consider creating smaller zones. Smaller zones increase security in many ways, including better prevention of lateral movement of malware, increased visibility into traffic, and reducing the potential scope of internal DoS attacks.
- Take baseline measurements of the average and peak CPS of the devices and zones you want to protect, and understand the capacity of your firewalls so flood thresholds don’t inadvertently throttle traffic or allow DoS attacks.
- Take baseline measurements of average and peak CPS for critical devices (potential targets).
- Take baseline CPS measurements for critical internet-facing devices over at least one business week, during business hours. The longer the data collection time span, the more accurate the measurements.
- Work with application teams to understand the normal and peak CPS to their servers and the maximum CPS those servers can support.
- Filter firewall Traffic and Threat logs for the destination IP addresses of critical devices to baseline normal and peak session activity.
- Take into account special events, quarterly events, and annual events that may increase traffic, change traffic patterns, or use applications that aren’t usually on the network.
- Understand the capacity of your firewalls and the resources (CPU and memory) other features consume so you know the capacity available for DoS Protection.
- Take baseline CPS measurements for each firewall zone over at least one business week, during business hours. The longer the data collection time span, the more accurate the measurements. Measure normal and peak CPS for each individual zone so you can set Zone Protection flood thresholds tailored to each zone’s CPS load.
- If you use Panorama to manage your firewalls, use Device Monitoring to measure CPS values. Device monitoring can also show you a 90-day trend line of CPU average and peak usage to help you understand the typical available capacity of each firewall.If you can’t use Panorama’s Device Monitoring, you can use your management tools to poll the following three MIBs to gather historical CPS data: PanZoneActiveTcpCps, PanZoneActiveUdpCps, and PanZoneOtherIpCps.
- Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
- Consider using scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.