Security Stack Efficiency Depends on Focused Feature Usage

Network edge visibility and informed mitigation capabilities can increase firewall efficiency and reduce overload on security stack capacity.


Many networks in today’s interconnected world suffer from overexposure to excessive nuisance and sometimes malicious traffic, even if they are not the target of that traffic. This increase in unnecessary traffic traversing the network edge can hurt the performance and capacity of devices designed to accomplish other critical security and network tasks.

There are several types of traffic, both inbound and outbound, that can easily be identified and eliminated. Removing them reduces the overall traffic volume traversing your network edge and, with it, the excessive load placed on every device on the network.

Inbound

Scanning Behaviors: Internet sources currently engaged in scanning the Internet for reconnaissance purposes, looking for open ports and known vulnerabilities to exploit

Brute Force Attempts: Internet sources (botnets, etc.) that attempt to gain access to systems by logging in with well-known default usernames/passwords or stolen credentials

Exploit Attempts: Sources of bulk attempts to exploit software vulnerabilities to gain access to or otherwise compromise vulnerable systems (e.g., Log4j, for which AIF performed 1 billion blocks in the first week after that policy was added)

Malformed Packets: Malformed IP packets sent to a target device create overhead on other security devices such as firewalls, and can cause applications to generate errors or even crash

Untrustworthy Networks: Hosting providers that host DDoS and malware attack infrastructure, ignore requests to curb malicious activity coming from their networks, or generally allow high volume nuisance traffic to/from their networks.

Inbound & Outbound (Note that much of this communication is initiated outbound by hosts inside the network, but most of it is bi-directional, so AED looks for it and blocks it in either direction, not just outbound)

Botnet Command and Control: IP addresses or domain names of DDoS and malware botnet command-and-control infrastructure. Blocking infected hosts from reaching this infrastructure stops botnet activity originating from infected hosts in the network

Malware Download Sites: IP addresses or domain names of malware download sites. Blocking them stops infection attempts when users click phishing links in email, and stops malware already present from downloading additional malware to install

Data Exfiltration: IP addresses or domain names of known data exfiltration sites

Other IoCs: IP addresses, domain names, or URLs of other malware communication

Stateful Devices are Especially Vulnerable

These consequences are particularly true of stateful devices in the security stack, including intrusion detection systems/intrusion protection systems (IDSs/IPSs), web application firewalls (WAFs), and most importantly next-generation firewalls (NGFWs). Distributed denial-of-service (DDoS) attacks on firewalls are the No. 1 cause of network outages today.

Firewalls and other security devices do have a role in fighting threats, but it is typically reserved for threats that require a more stateful inspection. These types of threats are tracked through a session and analyzed for behaviors over multiple sessions to gain an understanding of what is happening and whether it should be happening. This is what firewalls and other security devices do well, so you should embrace that functionality.

The main vulnerability in these devices, however, is how they manage threat traffic. When a threat is detected, they typically block the traffic first, hold it until they determine whether it is legitimate, and only then pass it on. This results in legitimate traffic being blocked at an unwanted rate.

Cleaning up this type of traffic and reducing the load on these critical devices so they can operate efficiently can save your organization in capacity upgrades and increase the effectiveness of the devices benefitting from the increased capacity.

[Figure: Stateless Packet Processing]

The Solution: Stateless Packet Processing

As many customers know, NETSCOUT Arbor Edge Defense (AED) is a stateless packet-processing solution that uses its position at the edge of the network to block inbound DDoS attacks. When combined with NETSCOUT's DDoS threat intelligence, which comes from our visibility into the majority of all internet traffic, it also performs many additional functions whose side effects essentially protect firewalls and the other devices in the network security stack. Among the value-added activities AED provides are identifying and blocking threat signatures from known bad IPs, URLs, and domains. AED with AIF can block up to 9 million IoCs at the edge of your network; a typical firewall can block only 300,000.

These actions greatly reduce the load on firewalls, IDSs and IPSs, and WAFs by as much as 80 percent. This reduction can save the expensive costs of upgrading security stack capacity.

The added value from AED and AIF is not based solely on our own assessment; many firewall vendors recognize it as well. In fact, according to cybersecurity company Fortinet, “Enabling anti-DDoS mechanisms on the firewall or IPS devices should be done with care and deployment of dedicated anti-DDoS protections in addition to the firewall or IPS is recommended.”

AED’s stateless, packet-based inspection and analysis process produces specific countermeasures and surgical mitigations to help minimize nuisance traffic in the following categories:

  • Malformed packets
  • Threat signatures from known bulk scanners
  • Threat signatures from known bulk brute force exploiters (e.g., Log4j)
  • Other known malware sources
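The inbound-only and bi-directional traffic categories listed earlier, and the stateless countermeasures in this list, can be modelled as a per-packet filter placed in front of the stateful firewall. The following is an added example, not NETSCOUT or AED code; the `INTERNAL` range, the IoC lists, and the packet tuples are constructed assumptions.

```python
"""Added example (not NETSCOUT/AED code): stateless, direction-aware IoC
filtering in front of a stateful firewall. Drops packets with a known-bad
source/destination or a malformed IPv4 header; all values are constructed."""
import ipaddress
N = ipaddress.ip_network
INTERNAL = N("10.0.0.0/8")  # assumed protected address range
# Inbound-only lists match the packet source; bidirectional lists match either end.
INBOUND_IOCS = {"scanner": [N("198.51.100.7/32")], "brute_force": [N("203.0.113.5/32")],
                "untrustworthy_net": [N("192.0.2.0/24")]}
BIDIRECTIONAL_IOCS = {"c2": [N("203.0.113.50/32")],
                      "malware_download": [N("203.0.113.60/32")]}
def classify(src, dst, ihl=20, total_len=60):
    """Drop reason for one packet, or None to pass it on. Stateless: the
    decision uses only this packet's own header fields, no session table."""
    if ihl < 20 or total_len < ihl:
        return "malformed"  # header below the 20-byte minimum or longer than the packet
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in INTERNAL and s not in INTERNAL:  # inbound from the internet
        for reason, nets in INBOUND_IOCS.items():
            if any(s in n for n in nets):
                return reason
    for reason, nets in BIDIRECTIONAL_IOCS.items():
        if any(s in n or d in n for n in nets):
            return reason
    return None

def filter_packets(packets):
    """Return (packets passed on, drop count per reason, % of load removed)."""
    passed, drops = [], {}
    for p in packets:
        reason = classify(*p)
        if reason is None:
            passed.append(p)
        else:
            drops[reason] = drops.get(reason, 0) + 1
    removed = 100.0 * sum(drops.values()) / len(packets) if packets else 0.0
    return passed, drops, removed

SAMPLE = [  # constructed (src, dst[, ihl, total_len]) mix: 7 nuisance, 3 legitimate
    ("198.51.100.7", "10.1.1.10"),          # inbound from a bulk scanner
    ("203.0.113.5", "10.1.1.20"),           # inbound brute-force source
    ("192.0.2.44", "10.1.1.20"),            # inbound from an untrustworthy hosting net
    ("10.1.1.30", "203.0.113.50"),          # outbound C2 beacon from an infected host
    ("203.0.113.50", "10.1.1.30"),          # inbound from the same C2: blocked as well
    ("10.1.1.30", "203.0.113.60"),          # outbound fetch from a malware download site
    ("198.51.100.9", "10.1.1.10", 12, 60),  # malformed IPv4 header (IHL < 20 bytes)
    ("10.1.1.30", "198.51.100.7"),          # outbound to a scanner IP: inbound-only list, passes
    ("203.0.113.200", "10.1.1.10"),         # legitimate inbound
    ("10.1.1.10", "203.0.113.200"),         # legitimate outbound
]
```

Running `filter_packets(SAMPLE)` passes 3 of the 10 packets to the stateful device, so 70 percent of the constructed load never reaches it.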

By preventing this unnecessary traffic from overwhelming your firewalls, you can save the potential expenditure of additional firewall capacity needed to manage the load.
