Zone Defense
Firewalls provide a layer of defense against application-based,
protocol-based, and volumetric flood attacks, and reconnaissance,
packet-based, and non-IP-protocol-based attacks.
Zone Protection profiles defend zones against flood,
reconnaissance, packet-based, and non-IP-protocol-based attacks.
DoS Protection profiles used in DoS Protection policy rules defend
specific, critical devices against targeted flood and resource-based
attacks. A DoS attack overloads the network or targeted critical
systems with large amounts of unwanted traffic an attempt to disrupt
network services.
Plan to defend your network against different types of DoS attacks:
Application-Based Attacks—Target weaknesses in
a particular application and try to exhaust its resources so legitimate
users can’t use it. An example of this is the
Slowloris attack.
Protocol-Based Attacks—Also known as state-exhaustion
attacks, these attacks target protocol weaknesses. A common example
is a
SYN flood attack.
Volumetric Attacks—High-volume attacks that attempt
to overwhelm the available network resources, especially bandwidth,
and bring down the target to prevent legitimate users from accessing
those resources. An example of this is a
UDP flood attack.
There are no default Zone Protection profiles or DoS Protection
profiles and DoS Protection policy rules. Configure and apply zone
protection based on each zone’s traffic characteristics and configure
DoS protection based on the individual critical systems you want
to protect in each zone.