
The firewall implementation must protect against or limit the effects of all types of Denial of Service (DoS) attacks directed against the device itself by employing security safeguards.


Overview

Finding ID: SRG-NET-000362-FW-000233
Version: SRG-NET-000362-FW-000233
Rule ID: SRG-NET-000362-FW-000233_rule
IA Controls:
Severity: Medium
Description
Denial of Service is a condition in which a resource is not available to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance, thus rendering it useless. These attacks can be simple “floods” of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or misconfigurations that disable or impair the proper function of a device.

It is important to protect the management plane and the control plane of the firewall implementation itself. When a DoS attack is directed against the firewall implementation (or any other network element), the device will operate at a degraded capacity, will not be able to process legitimate traffic, and may not respond to management commands.

A firewall or other device implementing an Access Control List must be configured to protect itself from DoS attacks (e.g., embryonic-connection, or half-open, attacks). Various techniques exist, such as rate-limiting or filtering excessive traffic; each protective measure depends on the specific attack. Traffic to the loopback or management IP address or management zone of the device must be filtered, policed, and/or otherwise limited. Whenever possible, access to the device through the console port over an Out-of-Band (OOB) network should be implemented. This provides “last resort” remote access to the device.
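The following is an added example, not part of the SRG and not the configuration of any particular product: an nftables ruleset for a Linux-based firewall that applies the techniques named above (filtering and policing traffic addressed to the device itself, rate-limiting new management connections per source, restricting the management plane to an OOB network) in the host's input path. The interface name, management subnet and management address are assumptions for illustration; forwarded traffic is outside this requirement and is not shown.

```nft
#!/usr/sbin/nft -f
# Added example (not part of the SRG): self-protection of the firewall's own
# input path, i.e. traffic addressed to the device itself. Forwarded traffic is
# out of scope for this requirement and is not shown here. Interface names and
# addresses are assumptions for illustration.

define mgmt_if  = "mgmt0"          # assumed OOB management interface
define mgmt_net = 10.255.0.0/24    # assumed OOB management subnet
define mgmt_ip  = 10.255.0.2       # assumed management address of this device

table inet self_protect {
    # Dynamic set used as a per-source meter for new SSH connections, so a
    # SYN flood from one host cannot starve the SSH daemon or fill the
    # connection table with embryonic (half-open) connections.
    set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Management plane. The weak form this replaces is simply
        #   tcp dport 22 accept
        # which exposes SSH on every interface to every source with no limit.
        # Here SSH is reachable only on the management interface, only from
        # the management subnet, only at the management address, and new
        # sessions are rate-limited per source address.
        iifname $mgmt_if ip saddr $mgmt_net ip daddr $mgmt_ip tcp dport 22 ct state new \
            add @ssh_meter { ip saddr limit rate over 10/minute burst 20 packets } drop
        iifname $mgmt_if ip saddr $mgmt_net ip daddr $mgmt_ip tcp dport 22 ct state new accept

        # Control plane. IPv6 neighbour discovery must not be policed or the
        # device loses its neighbours; diagnostic ICMP is needed for path MTU
        # discovery and troubleshooting but is policed so an ICMP flood cannot
        # monopolise the CPU.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } \
            limit rate 50/second burst 100 packets accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded } \
            limit rate 50/second burst 100 packets accept

        # Everything else addressed to the device is dropped by chain policy.
        # Log only a sample of the drops so an attack against the device is
        # visible without the logging itself becoming a DoS vector.
        limit rate 5/minute log prefix "self_protect drop: "
    }
}
```

Check the ruleset with `nft -c -f <file>` before loading it with `nft -f <file>`. Per-source metering limits the device's exposure to half-open connections from one address; for distributed SYN floods against a listening service, pair it with the kernel's SYN cookies (`net.ipv4.tcp_syncookies = 1`). The management subnet used here should be the OOB network the SRG calls for, so that console or management access survives an attack on the data-plane interfaces.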
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000362-FW-000233_chk )
Review the configuration of the firewall implementation(s) and interview the System Administrators. If the device is not configured to protect against or limit the effects of all types of Denial of Service (DoS) attacks directed against the device itself, this is a finding.
Fix Text (F-SRG-NET-000362-FW-000233_fix)
Configure the firewall implementation to protect against or limit the effects of all types of Denial of Service (DoS) attacks directed against the device itself. Follow information assurance vulnerability alert (IAVA) and other security advisory guidance.