How Do the Zone Defense Tools Work?
Zone defense tools work together to form layers of DoS
protection for your network.
When a packet arrives at the firewall, the firewall
attempts to match the packet to an existing session, based on the ingress
zone, egress zone, source IP address, destination IP address, protocol,
and application derived from the packet header. If the firewall
finds a match, then the packet uses the Security policy rules that
already control the session. If the packet doesn’t match an existing
session, the firewall uses Zone Protection profiles, DoS Protection
profiles and policy rules, and Security policy rules to determine
whether to establish a session or discard the packet, and the level
of access the packet receives.
After traffic passes through your dedicated DDoS device at the
internet-facing network edge, the first protection the firewall applies
is the broad defense of the Zone Protection profile, if one is attached
to the zone. The firewall determines the zone from the interface
on which the packet arrives (each interface is assigned to only
one zone and all interfaces that carry traffic must belong to a
zone). If the Zone Protection profile denies the packet, the firewall
discards the packet and saves resources by not needing to look up
the DoS Protection policy or Security policy. The firewall applies
Zone Protection profiles only to new sessions (packets that do not match
an existing session). After the firewall establishes a session,
the firewall bypasses the Zone Protection profile lookup for succeeding
packets in that session.
If the Zone Protection profile doesn’t drop the packet, the second
protection the firewall applies is a DoS Protection policy rule. If
a Zone Protection profile allows a packet based on the total aggregate
amount of traffic going to the zone, a DoS Protection policy rule
may deny the packet if it is going to a particular destination or
coming from a particular source that has exceeded the flood protection
or resource protection settings in the rule’s DoS Protection profile.
If the packet matches a DoS Protection policy rule, the firewall
applies the rule to the packet. If the rule denies access, the firewall
discards the packet and doesn’t perform a Security policy lookup.
If the rule allows access, the firewall performs a Security policy
lookup. Like the Zone Protection profile, the firewall enforces DoS
Protection policy only on new sessions.
The third protection the firewall applies is a
Security policy lookup,
which happens only if the Zone Protection profile and DoS Protection
policy rules allow the packet. If the firewall finds no Security
policy rule match for the packet, the firewall discards the packet.
If the firewall finds a matching Security policy rule, the firewall
applies the rule to the packet. The firewall enforces the Security
policy rule on traffic in both directions (c2s and s2c) for the
life of the session. Apply the
best practice Vulnerability Protection
profile to all Security policy rules to help defend against
DoS attacks.
The fourth protection the firewall applies is packet buffer protection,
which you apply globally to protect the device and can also apply
individually to zones to prevent single-session DoS attacks that
attempt to overwhelm the firewall’s packet buffer. For global protection,
the firewall uses Random Early Drop (RED) to drop packets (not sessions)
when the level of traffic crosses protection thresholds. For per-zone
protection, the firewall blocks the source IP address if it violates
the packet buffer thresholds. Unlike zone and DoS protection, packet
buffer protection applies to existing sessions.
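The evaluation order above, written out as a small Python model (an added example, not code from the Palo Alto Networks documentation or product): new sessions pass through the Zone Protection aggregate check, then the per-source DoS Protection check, then the Security policy lookup, while packets of an existing session skip the first two and are subject only to packet buffer protection. All thresholds, zone names, addresses and the `ZoneDefenseModel` class are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
# Constructed thresholds for the model; they are not the product's defaults.
ZONE_NEW_SESSION_LIMIT = 5      # aggregate new sessions a zone accepts (Zone Protection)
DOS_PER_SOURCE_LIMIT = 2        # new sessions one source IP may open (DoS Protection rule)
BUFFER_PACKETS_PER_SESSION = 3  # packets one session may queue (packet buffer protection)

@dataclass
class ZoneDefenseModel:
    security_rules: dict                                  # (ingress, egress, app) -> allow?
    sessions: set = field(default_factory=set)
    zone_new: Counter = field(default_factory=Counter)
    src_new: Counter = field(default_factory=Counter)
    session_pkts: Counter = field(default_factory=Counter)
    blocked_sources: set = field(default_factory=set)

    def evaluate(self, pkt: dict) -> str:
        if pkt["src"] in self.blocked_sources:
            return "drop:blocked-source"          # per-zone buffer protection already blocked it
        key = tuple(pkt[k] for k in ("in_zone", "out_zone", "src", "dst", "proto", "app"))
        if key in self.sessions:
            # Existing session: Zone and DoS lookups are bypassed; only buffer protection applies.
            return self._buffer_check(key, pkt)
        self.zone_new[pkt["in_zone"]] += 1       # 1. Zone Protection: aggregate per zone
        if self.zone_new[pkt["in_zone"]] > ZONE_NEW_SESSION_LIMIT:
            return "drop:zone-protection"
        self.src_new[pkt["src"]] += 1            # 2. DoS Protection: per source IP
        if self.src_new[pkt["src"]] > DOS_PER_SOURCE_LIMIT:
            return "drop:dos-protection"
        if not self.security_rules.get((pkt["in_zone"], pkt["out_zone"], pkt["app"])):
            return "drop:no-security-rule"        # 3. Security policy: no match means discard
        self.sessions.add(key)
        return self._buffer_check(key, pkt)       # 4. Packet buffer protection

    def _buffer_check(self, key, pkt) -> str:
        self.session_pkts[key] += 1
        if self.session_pkts[key] > BUFFER_PACKETS_PER_SESSION:
            self.blocked_sources.add(pkt["src"])  # per-zone protection blocks the offending source
            return "drop:packet-buffer"
        return "allow"

def run_demo() -> list:
    fw = ZoneDefenseModel({("untrust", "trust", "web-browsing"): True})
    def pkt(src, dst, app="web-browsing"):  # constructed sample traffic
        return {"in_zone": "untrust", "out_zone": "trust", "src": src, "dst": dst, "proto": "tcp", "app": app}
    flows = [pkt("10.0.0.1", "192.0.2.10")] * 5                       # one session, five packets
    flows += [pkt("10.0.0.2", f"192.0.2.{i}") for i in (20, 21, 22)]  # three new sessions, one source
    flows += [pkt("10.0.0.3", "192.0.2.30", app="ssh")]               # no Security policy rule
    flows += [pkt("10.0.0.4", "192.0.2.40")]                          # zone aggregate exhausted
    return [fw.evaluate(p) for p in flows]
```

Running `run_demo()` shows a single session being cut off by packet buffer protection while Zone and DoS checks are skipped, a source exceeding its per-source limit while the zone aggregate is still under its limit, and finally the zone aggregate denying a source that has not itself exceeded anything.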