Internet-to-Data-Center Traffic Policies
- Create application allow-list Security policy rules for internet-to-data-center traffic to control and secure partner, contractor, and customer access. These rules protect against downloading malware from an infected external client and against an infected data center server placing malware on an external server. Create allow rules only for the applications required for business purposes, and create an External Dynamic List (EDL) to block known-bad IP addresses. For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding so you can track and analyze rule violations. This example restricts the applications and destinations for internet-to-data-center traffic and uses the Negate option to prevent communication with the Bad IPs List EDL. Create similar rules for traffic from the internet to other server groups (if such traffic is allowed) and for other applications. Make each rule specific, so that it permits only the required applications and servers.
- Create Decryption policy rules for internet-to-data-center traffic to decrypt allowed traffic. Configure SSL Inbound Inspection (and import the destination server certificates, with their private keys, into the firewall) to decrypt the partner, contractor, and customer traffic that the internet-to-data-center Security policy rules allow. This example shows the Decryption policy for the preceding Security policy rule. Create Decryption rules that match the traffic the internet-to-data-center Security policy rules allow; traffic that is allowed but not decrypted cannot be inspected for threats.
- Attackers target the web server tier because taking it down prevents most legitimate access to the data center. Apply a classified DoS Protection policy rule with a DoS Protection profile that limits incoming connections per second (CPS) to prevent traffic spikes that degrade server performance and availability.
- Create a classified DoS Protection profile to protect the web server tier and prevent SYN flood attacks. The CPS thresholds you set depend on the baseline peak CPS rate, so measure normal peak traffic to the web servers before you choose them.
- Create a DoS Protection policy rule that specifies the web servers you're protecting and apply the classified DoS Protection profile to it. To protect against SYN flood attacks from internal sources, create a separate DoS Protection policy rule that specifies your internal zones as the source zone instead of L3-External. Separate rules for external and internal attack sources provide separate reporting, which makes investigating attack attempts easier.
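The steps above describe three policy layers (allow-list Security rules with a negated EDL and logging, matching SSL Inbound Inspection rules, and classified DoS rules split by source zone). The following Python script is an added example, not code from this page or from Palo Alto Networks: it models those rules as plain objects and audits a policy set against the practices described. The rule classes are a simplified model rather than the PAN-OS API, the EDL is assumed to be negated on the source side (the external client is the source in this direction), the zone name L3-Data-Center, the internal zone names, the rule and object names, and the threshold multipliers in `dos_thresholds` are all illustrative assumptions.

```python
# Added example, not from the page or from Palo Alto Networks: an offline audit of an
# internet-to-data-center policy set. The rule classes are a simplified model, not the PAN-OS
# API; names other than L3-External and Bad IPs List, and the multipliers, are assumptions.
from dataclasses import dataclass

EXTERNAL_ZONE = "L3-External"                         # zone name from the page
DC_ZONE = "L3-Data-Center"                            # assumed web tier zone
INTERNAL_ZONES = ("L3-Users", "L3-Internal-Servers")  # assumed internal zones
BAD_IP_EDL = "Bad IPs List"                           # EDL name from the page

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    source: list
    negate_source: bool        # Negate applied to the source address list
    destination: list
    applications: list
    action: str = "allow"
    log_end: bool = True       # Log at Session End
    log_forwarding: str = ""   # Log Forwarding profile, "" if none

@dataclass
class DecryptionRule:
    from_zone: str
    to_zone: str
    destination: list
    decrypt_type: str          # "ssl-inbound-inspection" for this direction
    certificate: str           # imported server certificate/key, "" if none

@dataclass
class DosRule:
    from_zones: list
    destination: list
    profile_type: str          # "classified" or "aggregate"

def check_security_rule(r):
    """Findings for one internet-to-data-center allow rule."""
    f = []
    if "any" in r.applications:
        f.append(f"{r.name}: application 'any' is not an allow list")
    if "any" in r.destination:
        f.append(f"{r.name}: destination should be a specific server group")
    if not (BAD_IP_EDL in r.source and r.negate_source):
        f.append(f"{r.name}: source is not negated against {BAD_IP_EDL}")
    if not r.log_end:
        f.append(f"{r.name}: Log at Session End is off")
    if not r.log_forwarding:
        f.append(f"{r.name}: no Log Forwarding profile")
    return f

def check_decryption(allow_rules, dec_rules):
    """Every inbound allow rule needs a matching SSL Inbound Inspection rule."""
    f = []
    for r in allow_rules:
        covered = any(d.from_zone == r.from_zone and d.to_zone == r.to_zone
                      and set(r.destination) <= set(d.destination)
                      and d.decrypt_type == "ssl-inbound-inspection" and d.certificate
                      for d in dec_rules)
        if not covered:
            f.append(f"{r.name}: not covered by an SSL Inbound Inspection rule")
    return f

def dos_thresholds(baseline_peak_cps, alarm=1.1, activate=1.25, maximum=1.5):
    """Classified SYN-flood thresholds from the measured baseline peak CPS (multipliers are
    illustrative assumptions, not vendor guidance)."""
    return {"alarm_rate": round(baseline_peak_cps * alarm),
            "activate_rate": round(baseline_peak_cps * activate),
            "max_rate": round(baseline_peak_cps * maximum)}

def check_dos(dos_rules, web_servers):
    """Need one classified rule from L3-External and a separate one from internal zones."""
    def covered(zones):
        return any(r.profile_type == "classified" and set(web_servers) <= set(r.destination)
                   and set(r.from_zones) == set(zones) for r in dos_rules)
    f = []
    if not covered([EXTERNAL_ZONE]):
        f.append(f"no classified DoS rule for {web_servers} from {EXTERNAL_ZONE}")
    if not covered(INTERNAL_ZONES):
        f.append(f"no separate classified DoS rule for {web_servers} from internal zones")
    return f

def audit(sec_rules, dec_rules, dos_rules, web_servers):
    """All findings for the internet-to-data-center direction; empty list means clean."""
    inbound = [r for r in sec_rules
               if (r.from_zone, r.to_zone, r.action) == (EXTERNAL_ZONE, DC_ZONE, "allow")]
    f = [x for r in inbound for x in check_security_rule(r)]
    return f + check_decryption(inbound, dec_rules) + check_dos(dos_rules, web_servers)

# Constructed sample policy set that follows the practices (illustrative object names).
WEB = ["Web-Servers"]
GOOD_SEC = [SecurityRule("Partner-Web", EXTERNAL_ZONE, DC_ZONE, [BAD_IP_EDL], True, WEB,
                         ["ssl", "web-browsing"], log_forwarding="DC-Logs")]
GOOD_DEC = [DecryptionRule(EXTERNAL_ZONE, DC_ZONE, WEB, "ssl-inbound-inspection", "web-cert")]
GOOD_DOS = [DosRule([EXTERNAL_ZONE], WEB, "classified"),
            DosRule(list(INTERNAL_ZONES), WEB, "classified")]

if __name__ == "__main__":
    print(audit(GOOD_SEC, GOOD_DEC, GOOD_DOS, WEB) or "no findings")
    print(dos_thresholds(800))
```

Running the script on the constructed sample set prints "no findings"; dropping the internal-zone DoS rule, clearing the certificate on the Decryption rule, or widening a Security rule to application "any" each produces a finding naming the rule and the practice it violates. In a real deployment the rule objects would be populated from an exported configuration rather than hand-built, and the CPS multipliers replaced with values derived from the measured peak and the servers' actual capacity.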