Forum Discussion

RecontuerSG_258
Aug 08, 2017

If F5 LTM/AFM is tier-1 DDoS Protection, what about upstream non-F5 Firewalls?

I understand F5 can do network-related DDoS protection at Layer 3 and 4. What I am curious about is the edge router or firewall upstream.

Example: Internet->Edge Router->Firewall(Inter-VLAN Routing)->Layer2 Switch->F5

If F5 is capable of anti-DDoS, does the firewall need anti-DDoS too? If the firewall is doing anti-DDoS, do we still need F5 for network-related DDoS protection?

For the edge router, I believe an ISP clean pipe or Silverline can help to mitigate.


    nathe

    RecontuerSG,

    You make a good point on where to have your security mitigations. F5 would give you two options here. The first option is to replace your existing perimeter firewall with a BIG-IP device running AFM and, optionally, ASM for L7 protections. See the following datasheet: f5-ddos-protection-reference-architecture. The BIG-IP hardware is, most likely, going to be better at handling DDoS attack vectors when compared to commodity hardware/NGFWs. So this gets around a situation where the NGFW falls over before the next-layer BIG-IP has a chance to assist.

    The second scenario is to deploy the latest Herculon Hybrid DDoS Defender external to your existing firewall; see herculon-ddos-hybrid-defender-datasheet and ddos-hybrid-defender. This will be the first line of defence against DDoS attacks and take the pressure off your existing NGFW. It can also signal back to Silverline, when under attack, to perform cloud scrubbing too. Herculon DDoS can protect against L3/4 and L7 DDoS attacks. It can also monitor bandwidth and mitigate attacks based on a percentage of bandwidth in use - this will help ease pressure on your edge router.

    Hope this helps,

    N