Why Your Firewall Needs a Multilayer Inline Solution for DDoS Protection
Deploying a multilayered inline solution stops your firewall from becoming the weakest link in your network security during massive DDoS attacks, and keeps critical network services running.
Firewalls and intrusion prevention systems (IPS) are standard components of network protection. Although they have advanced greatly over the years in guarding against a wide range of cyber threats, they remain vulnerable to today's massive DDoS attacks because of the way they are designed: both keep per-connection state. Many organizations, including financial institutions, gaming companies, telecom networks and other enterprises, suffer outages from DDoS attacks even though they have a firewall and an IPS in place. Ironically, during a DDoS attack these security functions are likely to become the weakest link in the security of the entire network.
The goal of a DDoS attack is to consume network resources (including any service provider/IT infrastructure such as firewalls, core network routers, DNS servers, or back-end systems) to the point that they have no capacity left for legitimate traffic.
A firewall is a stateful device: it is configured to block traffic to ports it does not expose, and it tracks every connection on the ports it does expose in a state table of finite size. Volumetric flood attacks aimed at those open ports exploit that statefulness. Each spoofed SYN or unanswered request consumes a state-table entry until it times out, so a flood fills the table with junk flows and leaves no room for new legitimate connections. This bottleneck can render the firewall entirely dysfunctional. Attackers exploit the design limitation deliberately, using DDoS as a technique to knock the firewall out so that a subsequent intrusion goes unchecked. The firewall is just one example, of course; the same applies to an IPS, or even a router, that keeps per-flow state.
Passive, out-of-band DDoS mitigation solutions may need several minutes to identify an attack and then announce the Border Gateway Protocol (BGP) route changes that divert traffic to a dedicated cloud scrubbing center. Attackers have learned to exploit this window of opportunity with bursts of short-duration attacks that end before diversion is complete. During the time to detect (TTD) and the time to mitigate (TTM) of such solutions, the operator's firewall will probably go down, degrading both the security level and the quality of experience (QoE) of critical traffic. By comparison, an inline solution detects and mitigates attacks within seconds, on the spot, which yields more accurate and rapid mitigation, including of short-duration attacks. When inline DDoS protection is complemented by inline deep packet inspection (DPI) that performs traffic shaping and application prioritization, communications service providers (CSPs) also gain the ability to control and maintain QoE for essential traffic, even during an attack.
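The two preceding paragraphs describe the mechanism (a flood of half-open connections exhausting a stateful firewall's table) and the timing problem (minutes of detection and BGP diversion versus a burst that lasts seconds). The following is an added illustration written for this page, not code from the original post or from any vendor product. It is a toy model with constructed numbers: the table capacity, half-open timeout, attack and legitimate connection rates, burst length and mitigation latencies are all assumptions, and the inline mitigation is modelled as SYN authentication (spoofed sources never complete the challenge, real clients do).

```python
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    """Toy model of a stateful firewall's connection table (assumed numbers).

    Every new flow on an open port costs one entry. Entries for half-open
    (never completed) connections are only released after
    `half_open_timeout` seconds, which is exactly what a SYN flood exploits.
    """
    capacity: int
    half_open_timeout: int = 60
    # second the entries were created -> number of entries still held
    _buckets: dict = field(default_factory=dict)

    def free_slots(self, now: int) -> int:
        # Drop buckets whose half-open entries have timed out.
        self._buckets = {t: n for t, n in self._buckets.items()
                         if now - t < self.half_open_timeout}
        return self.capacity - sum(self._buckets.values())

    def admit(self, now: int, legit: int, attack: int) -> tuple:
        """Open as many of this second's new flows as still fit.

        Legitimate and attack SYNs compete for the remaining slots in
        proportion to their volume. Returns (legit_admitted, attack_admitted).
        """
        free = self.free_slots(now)
        total = legit + attack
        if total <= free:
            legit_ok, attack_ok = legit, attack
        else:
            legit_ok = free * legit // total
            attack_ok = free - legit_ok
        self._buckets[now] = self._buckets.get(now, 0) + legit_ok + attack_ok
        return legit_ok, attack_ok


def simulate(mitigation_latency: int, burst_seconds: int = 90,
             attack_rate: int = 5_000, legit_rate: int = 50,
             capacity: int = 50_000) -> dict:
    """Run a short SYN-flood burst against the firewall (constructed scenario).

    `mitigation_latency` is how many seconds after the attack starts the
    DDoS protection in front of the firewall begins discarding the flood.
    Once active, SYN authentication drops SYNs from spoofed sources that
    never answer the handshake challenge, while real clients that do answer
    are forwarded unchanged.
    """
    fw = StatefulFirewall(capacity)
    legit_ok = attack_forwarded = 0
    for now in range(burst_seconds):
        attack = attack_rate if now < mitigation_latency else 0
        l_ok, _ = fw.admit(now, legit_rate, attack)
        legit_ok += l_ok
        attack_forwarded += attack
    return {
        "legit_accepted": legit_ok,
        "legit_total": legit_rate * burst_seconds,
        "attack_syns_reaching_firewall": attack_forwarded,
    }


if __name__ == "__main__":
    # Out-of-band scrubbing: minutes of detection plus BGP diversion, longer
    # than the 90 s burst, so the firewall is never relieved at all.
    print("out-of-band (240 s):", simulate(mitigation_latency=240))
    # Inline detection reacts a few seconds after the burst starts.
    print("inline (3 s):       ", simulate(mitigation_latency=3))
```

With these assumed numbers the table fills after roughly ten seconds and then only frees a slice of entries once per timeout period, so with a 240 s out-of-band response fewer than a quarter of legitimate connection attempts succeed during the burst, while a 3 s inline response lets every one through. The point the model makes is that the relevant comparison is mitigation latency against the attack's duration, not against its size.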
Furthermore, inline DPI-based solutions let CSPs establish a baseline of "normal" traffic behavior per subscriber or device and automatically trigger corrective measures, such as alerts or rate limits, when behavior approaches or exceeds the thresholds derived from that baseline. This capability goes a long way towards preventing outbound DDoS attacks launched from compromised Internet of Things (IoT) devices, or even catching IoT malfunctions. Inline DDoS protection and inline DPI, working in unison, are a powerful combination for keeping networks up, running and performing.
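One way to turn the baseline-and-threshold idea above into logic, as an added example written for this page and not code from the original post or from any DPI product: learn a per-device mean and standard deviation of outbound packet rate from a quiet period, set a hard limit at a few standard deviations above the mean (with a floor so near-constant devices do not alarm on a single extra packet), warn when a reading approaches that limit and clamp the device when it exceeds it. The device names, sample values, `k`, `floor` and `warn_fraction` parameters are all assumptions constructed for the example.

```python
import statistics
from dataclasses import dataclass

# Constructed training data (not real traffic): outbound packets per second
# per IoT device, sampled once a minute during a quiet period, as an inline
# DPI engine might export per subscriber.
BASELINE_SAMPLES = {
    "cam-0017": [12, 14, 11, 13, 15, 12, 14, 13, 12, 14],
    "thermostat-0042": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3],
}

# Constructed live readings to classify against the learned baselines.
LIVE_SAMPLES = [
    ("cam-0017", 13),          # normal
    ("cam-0017", 17),          # drifting toward its limit
    ("cam-0017", 4200),        # camera suddenly flooding outbound
    ("thermostat-0042", 3),    # normal
    ("thermostat-0042", 8),    # tiny in absolute terms, but 3x its own normal
]


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


def learn_baselines(samples: dict) -> dict:
    """Per-device mean and sample standard deviation of the quiet-period rate."""
    return {dev: Baseline(statistics.mean(v), statistics.stdev(v))
            for dev, v in samples.items()}


def outbound_limit(b: Baseline, k: float = 5.0, floor: float = 5.0) -> float:
    """Hard limit = mean + k sigma, never below `floor` pps (assumed values)."""
    return max(b.mean + k * b.stdev, floor)


def classify(device: str, pps: float, baselines: dict, k: float = 5.0,
             floor: float = 5.0, warn_fraction: float = 0.8) -> dict:
    """Pick the corrective measure for one reading.

    'learn'      no baseline yet for this device, keep sampling
    'pass'       below the warning band
    'warn'       approaching the limit (>= warn_fraction of it)
    'rate_limit' limit exceeded; the device is clamped to limit_pps
    """
    if device not in baselines:
        return {"action": "learn", "limit_pps": None}
    limit = outbound_limit(baselines[device], k, floor)
    if pps >= limit:
        action = "rate_limit"
    elif pps >= warn_fraction * limit:
        action = "warn"
    else:
        action = "pass"
    return {"action": action, "limit_pps": round(limit, 1)}


def run(live=LIVE_SAMPLES, samples=BASELINE_SAMPLES) -> list:
    """Classify every live reading; returns (device, pps, action) triples."""
    baselines = learn_baselines(samples)
    return [(dev, pps, classify(dev, pps, baselines)["action"])
            for dev, pps in live]


if __name__ == "__main__":
    for dev, pps, action in run():
        print(f"{dev:16s} {pps:7.1f} pps -> {action}")
```

The thermostat reading of 8 pps is the case worth noting: a single network-wide threshold tuned for cameras would never flag it, but against the device's own baseline it is a clear outlier, which is why per-subscriber baselining matters for spotting compromised or malfunctioning IoT devices early.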
Security professionals are typically aware of this issue and deploy separate DDoS mitigation solutions, such as Allot ServiceProtector, at the edge of their network. The combination of Allot ServiceProtector DDoS mitigation and the Allot Traffic Shaping engine ensures that the firewall and any other sensitive network elements are protected at all times, even during a massive attack. Allot ServiceProtector not only mitigates attacks but also minimizes their effect on service and keeps the customers' QoE intact.