While firewalls and stateful devices such as VPN gateways, IDPS, and load balancers are pivotal in defending our networks, they are, unfortunately, not immune to DDoS attacks. The vulnerability lies in the fact that these devices were never engineered to thwart DDoS attacks, notably TCP state exhaustion attacks: each inbound connection attempt consumes an entry in the device's state table, so a flood of half-open connections can fill that table and make the device drop legitimate traffic. Consequently, industry guidelines strongly advocate deploying stateless DDoS protection ahead of the firewall. This placement not only shields the firewall but also safeguards other stateful devices, and the services they protect, from debilitating downtime.

[Diagram: TCP state exhaustion attack against a firewall]

NETSCOUT Arbor Edge Defense (AED), a component of the Arbor DDoS Security solution, is deployed on-premises, inside the internet-facing router and outside the firewall. There, using stateless packet processing technology and armed with NETSCOUT ATLAS or third-party threat intelligence (via STIX/TAXII), AED can:

  • Automatically block and protect against inbound DDoS attacks, more specifically TCP state exhaustion attacks that threaten the availability of stateful devices such as firewalls, VPN concentrators, or load balancers.
  • Automatically block outbound communications from compromised internal devices to known bad-actor command-and-control infrastructure (matched against indicators of compromise), catching traffic that the firewall or existing cybersecurity stack has missed.

Essentially, NETSCOUT Arbor Edge Defense acts as a first and last line of smart network edge defense that can protect your network availability and improve the performance of your firewall and other stateful devices. Improve your firewall DDoS protection with NETSCOUT.
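To make the state exhaustion argument above concrete, here is an added simulation (illustrative code written for this page, not NETSCOUT's or AED's implementation): a toy stateful device with a fixed connection table is hit by constructed traffic mixing a SYN flood with legitimate clients, first with nothing in front of it and then behind a stateless per-source SYN rate limiter. The table size, timeout, traffic rates and addresses are all constructed assumptions, and per-source rate limiting is only one of many stateless techniques; the point is that the filter keeps no per-connection state, so it is not exhausted by the same flood that fills the device behind it.

```python
"""Toy model of TCP state exhaustion against a stateful device (firewall,
VPN gateway, load balancer) and the effect of a stateless filter placed
in front of it. All parameters and traffic below are constructed."""
from collections import deque

TABLE_CAPACITY = 1_000    # constructed: half-open connections the device can track
HALF_OPEN_TIMEOUT = 30    # constructed: seconds an unanswered SYN holds an entry
DURATION = 60             # constructed: simulated seconds


class StatefulDevice:
    """Every inbound SYN costs a connection-table entry until the handshake
    completes or the entry times out; once the table is full, new SYNs drop."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.table = {}                   # (src, sport) -> creation time
        self.accepted_legit = self.dropped_legit = 0

    def _expire(self, now):
        # Entries are inserted in time order, so expired ones sit at the front.
        while self.table:
            key = next(iter(self.table))
            if now - self.table[key] < self.timeout:
                break
            del self.table[key]

    def syn(self, src, sport, now, legit):
        self._expire(now)
        if len(self.table) >= self.capacity:
            if legit:
                self.dropped_legit += 1
            return False
        self.table[(src, sport)] = now
        if legit:
            self.accepted_legit += 1
        return True

    def handshake_done(self, src, sport):
        self.table.pop((src, sport), None)


class StatelessSynLimiter:
    """Per-source SYN rate limit. It keeps only a bounded window of recent
    SYN timestamps per source, never a per-connection entry, so the flood
    cannot exhaust it the way it exhausts the device behind it."""

    def __init__(self, max_syns, window):
        self.max_syns, self.window = max_syns, window
        self.recent = {}                  # src -> deque of SYN timestamps

    def allow(self, src, now):
        q = self.recent.setdefault(src, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_syns:
            return False
        q.append(now)
        return True


def traffic_for_second(t):
    """Constructed traffic for one simulated second: 20 flood sources sending
    50 SYNs each that never complete, followed by 50 clients that each send
    one SYN every 10 s and complete the handshake a second later."""
    flood = [(f"203.0.113.{j}", 1024 + (t * 50 + k) % 60000, False)
             for j in range(20) for k in range(50)]
    legit = [(f"10.1.0.{i}", 40000 + t, True)
             for i in range(50) if (t + i) % 10 == 0]
    return flood + legit


def run(with_filter):
    """Simulate DURATION seconds and report what happened to legitimate
    clients and how many attack SYNs reached the stateful device."""
    device = StatefulDevice(TABLE_CAPACITY, HALF_OPEN_TIMEOUT)
    limiter = StatelessSynLimiter(max_syns=10, window=10) if with_filter else None
    pending_acks, attack_reached = [], 0
    for t in range(DURATION):
        for src, sport in pending_acks:          # legit handshakes finishing
            device.handshake_done(src, sport)
        pending_acks = []
        for src, sport, legit in traffic_for_second(t):
            if limiter and not limiter.allow(src, t):
                continue                          # dropped before the device
            if not legit:
                attack_reached += 1
            if device.syn(src, sport, t, legit) and legit:
                pending_acks.append((src, sport))
    return {"legit_accepted": device.accepted_legit,
            "legit_dropped": device.dropped_legit,
            "attack_reached": attack_reached}


if __name__ == "__main__":
    print("no filter:      ", run(with_filter=False))
    print("stateless filter", run(with_filter=True))
```

Without the filter the flood fills the 1,000-entry table in the first simulated second and holds it full, so every legitimate SYN is dropped for the whole run; with the stateless limiter in front, the device sees only a small fraction of the attack SYNs, its table never fills, and every legitimate client gets through. Real stateless protection must also cope with spoofed and widely distributed sources, which a simple per-source limit does not address on its own; the model only shows why the protection has to sit ahead of the stateful device rather than rely on it.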

Watch the demo of AED protecting a firewall.


Arbor Edge Defense: A First and Last Line of Smart Edge Defense