Firewalls and other stateful devices such as VPN gateways, IDPS and load balancers are susceptible to DDoS attacks. According to NETSCOUT's Threat Intelligence Report, 83% of survey respondents indicated that network and service outages and/or crashes were attributed to their firewalls during a DDoS attack. Why? Because they were never designed to stop DDoS attacks – in particular, TCP state exhaustion DDoS attacks. Industry best practices recommend that you deploy stateless DDoS protection in front of the firewall to keep it, other stateful devices, and the services behind them from going down.

TCP State Exhaustion Attack Firewall Diagram

NETSCOUT Arbor Edge Defense (AED), a component of the Arbor DDoS Security solution, is deployed on-premises, inside the internet-facing router and outside the firewall. There, using stateless packet processing technology and armed with NETSCOUT ATLAS or third-party threat intelligence (via STIX/TAXII), AED can:

  • Automatically block inbound DDoS attacks – more specifically, TCP state exhaustion attacks that threaten the availability of stateful devices such as firewalls, VPN concentrators, or load balancers.
  • Automatically block outbound Indicators of Compromise (IoC) communications from compromised internal devices to known bad actor command and control infrastructure outside the network, where those communications have been missed by the firewall or existing cybersecurity stack.

Essentially, NETSCOUT Arbor Edge Defense acts as a first and last line of smart network edge defense that can protect your network availability and improve the performance of your firewall and other stateful devices. Protect your firewall from DDoS attacks with NETSCOUT.

Watch the demo of AED protecting a firewall.


Arbor Edge Defense: A First and Last Line of Smart Edge Defense