Firewall Placement for DoS Protection
Firewalls aren’t meant to be a network’s primary DoS
protection device, but do provide another layer of protection positioned
closer to your resources.
The firewall is a session-based device
that isn’t designed to scale to millions of connections-per-second
(CPS) to defend against large volumetric DoS attacks. The firewall
treats each unique flow (based on ingress and egress zone, source
and destination IP, protocol, and application) as a session, spends
CPU cycles on packet inspection at the port and the IP level to
provide visibility into application traffic, and must count each
session for the flood threshold counters, so firewall placement
is critical to avoid flooding the firewall.
For the best DoS protection, place firewalls as close to the
resources you’re protecting as possible. This reduces the number
of sessions the firewall needs to handle and therefore the amount
of firewall resources required to provide DoS protection.
At the internet-facing perimeter, do not place firewalls
you use for DoS protection or zone protection in front of dedicated
DDoS devices and perimeter routers and switches. Make those high-volume
devices your first line of DoS defense to mitigate volumetric flood
attacks. For zone and DoS protection at the perimeter, use high-capacity
firewalls and place them behind the high-volume devices.
As a rule, the closer a firewall is to the perimeter, the higher
capacity it must be to handle the volume of traffic.
The way you segment your network into zones can help mitigate
internal DoS attacks. Smaller zones provide greater visibility into
traffic and prevent lateral movement of malware better because more
traffic must cross zones, and to allow interzonal traffic requires
you to create a specific Security policy rule (all intrazonal traffic
is allowed by default). Consider revisiting your segmentation approach
if your network is relatively unsegmented.