DoS and Zone Protection Best Practices
Protect against Denial-of-Service (DoS) attacks using
layered defenses at the network perimeter, zone borders, and critical
devices.
This checklist of pre-deployment, deployment, and post-deployment steps
helps you implement Denial-of-Service (DoS) and Zone Protection
best practices. Links to the
PAN-OS Administrator’s Guide provide
configuration details.
A DoS attack is a single source flooding a target server.
A Distributed Denial-of-Service (DDoS) attack is multiple
sources flooding a single target server. DDoS attacks attempt to
initiate more sessions than DoS attacks and require more resources
to defend against. Because firewalls are session-based, they are
one part of a layered DoS/DDoS defense strategy, not the sole defense.
DoS attacks make a device or resource unavailable
to legitimate users and come from the internet or misconfigured
or compromised internal devices. The typical method is to flood
the target with requests that consume its resources—memory, CPU
cycles, and bandwidth—to make the target unavailable to legitimate
users. Typical targets are internet-facing devices accessed from
outside the corporate network, such as web and database servers.
Palo Alto Networks firewalls provide three mitigation tools as part
of a layered approach to DoS protection.
Zone Protection Profiles protect
individual ingress zones based on the number of new sessions entering
a zone. They limit the connections-per-second (CPS) to the firewall
for broad protection against flood attacks and protect against reconnaissance
(port scans and host sweeps), packet-based attacks, and layer 2 protocol-based
attacks.
A major benefit of classified DoS Protection is that it automatically
places source IP addresses that exceed the DoS Protection profile’s
Max Rate (the maximum CPS) into the hardware block table, which saves
software resources on platforms that support it, or otherwise into
the software block table.
If the hardware block table fills up, the firewall uses the software
block table.
DoS Protection handles most attacks that target individual servers,
and Zone Protection broadly protects the entire zone if DoS Protection
isn’t enough. Because DoS Protection leverages the block tables, it
consumes fewer resources than Zone Protection.
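As an added illustration (not Palo Alto Networks code), the following Python model shows the classified DoS Protection behaviour described above: per-source new sessions are counted over a one-second window, a source that exceeds Max Rate is placed in a hardware block table while it has room, and later offenders fall back to the software block table. The CPS threshold, table size, block duration and IP addresses are constructed for the example.

```python
from collections import defaultdict, deque

class ClassifiedDosProtection:
    """Simplified model: count new sessions per source over a 1-second
    window; a source that exceeds Max Rate goes into the hardware block
    table if it has room, otherwise into the software block table."""

    def __init__(self, max_rate_cps, hw_capacity, block_duration=300):
        self.max_rate = max_rate_cps        # profile Max Rate in CPS (constructed)
        self.hw_capacity = hw_capacity      # hardware block table size (constructed)
        self.block_duration = block_duration
        self.windows = defaultdict(deque)   # source -> timestamps of recent new sessions
        self.hw_block = {}                  # source -> block expiry time
        self.sw_block = {}

    def _expire(self, now):
        for table in (self.hw_block, self.sw_block):
            for src in [s for s, exp in table.items() if exp <= now]:
                del table[src]

    def new_session(self, src, now):
        """Return the verdict for one new session from src at time now."""
        self._expire(now)
        if src in self.hw_block:
            return "drop-hw"                # already blocked in hardware
        if src in self.sw_block:
            return "drop-sw"                # already blocked in software
        window = self.windows[src]
        window.append(now)
        while window and window[0] < now - 1.0:
            window.popleft()                # keep only the last second
        if len(window) <= self.max_rate:
            return "allow"
        expiry = now + self.block_duration
        if len(self.hw_block) < self.hw_capacity:
            self.hw_block[src] = expiry
            return "block-hw"
        self.sw_block[src] = expiry         # hardware table full: fall back
        return "block-sw"

def run_constructed_flood():
    """Constructed traffic: two flooding sources and one normal source."""
    dos = ClassifiedDosProtection(max_rate_cps=5, hw_capacity=1)
    events = [("10.0.0.1", 0.1 * i) for i in range(7)]
    events += [("10.0.0.2", 1.0 + 0.1 * i) for i in range(7)]
    events += [("10.0.0.3", 2.0 + 0.1 * i) for i in range(3)]
    verdicts = defaultdict(list)
    for src, t in events:
        verdicts[src].append(dos.new_session(src, t))
    return dict(verdicts)
```

The second flooding source lands in the software table only because the constructed hardware table holds a single entry; on a real platform the hardware table is much larger, and the software table absorbs the overflow in the same way.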
Packet Buffer Protection—Protects
against single-session DoS attacks from existing sessions that try
to overwhelm the firewall packet buffer. Packet Buffer Protection
quarantines attacking IP addresses in the hardware table if the
platform supports it.
The Palo Alto Networks series of
best practices books offers
best practices advice on subjects such as decryption, securing administrative
access, and much more.