DDoS Mitigation at Source
CAR - Committed Access Rate.
Limits a class of traffic to a specified rate.
Token bucket model.
Prevents a single source from generating/transmitting traffic above a pre-defined threshold.
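Added example (not part of the original notes) of the token-bucket model behind CAR, applied with one bucket per source address to constructed sample traffic; the addresses, rate and burst depth are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    """CAR-style token bucket: refills at `rate` bytes/ms, holds at most `burst` bytes."""
    rate: int            # committed rate, bytes per millisecond (10 == 10 kB/s)
    burst: int           # bucket depth, i.e. the largest burst admitted at once
    tokens: int = field(init=False)
    last_ms: int = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst   # bucket starts full
        self.last_ms = 0

    def conform(self, size: int, now_ms: int) -> bool:
        """True if a `size`-byte packet at `now_ms` fits the committed rate."""
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size        # conform action: transmit
            return True
        return False                   # exceed action: drop

def apply_car(packets, rate, burst):
    """One bucket per source address; returns {src: (transmitted, dropped)}."""
    buckets, stats = {}, {}
    for t_ms, src, size in sorted(packets):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        sent, dropped = stats.get(src, (0, 0))
        if bucket.conform(size, t_ms):
            stats[src] = (sent + 1, dropped)
        else:
            stats[src] = (sent, dropped + 1)
    return stats

# Constructed sample (hypothetical addresses): 500-byte packets from a
# well-behaved host at 5 kB/s and from a flooding host at 50 kB/s.
SAMPLE_PACKETS = (
    [(i * 100, "10.0.0.1", 500) for i in range(10)]
    + [(i * 10, "10.0.0.2", 500) for i in range(100)]
)

def run_sample():
    """Enforce 10 kB/s with a 1500-byte burst on the sample traffic."""
    return apply_car(SAMPLE_PACKETS, rate=10, burst=1500)

if __name__ == "__main__":
    for src, (sent, dropped) in run_sample().items():
        print(f"{src}: transmitted={sent} dropped={dropped}")
```

The well-behaved host stays under the committed rate and loses nothing, while the flooding host is admitted only for its initial burst and then throttled to the committed rate, which is the per-source cap the notes describe.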
Firewalls
Remote-Access VPN
Firewalls need to work with VPN gateways.
To filter all traffic.
To filter and decrypt VPN traffic.
Most firewalls integrate both Security and VPN gateway services.
Performance Evaluation
Basic Firewall
IP Throughput.
The raw capability of the firewall to pass traffic from interface to interface.
Latency.
Delay that traffic experiences while passing through the firewall.
Should be measured and reported when the firewall is at its operating load.
Traditional Enterprise Firewall
Connection Establishment Rate.
The speed at which firewalls can set up connections.
Concurrent Connection Capability.
Total number of open connections through the firewall at any given moment.
Connection Teardown Rate.
The speed at which firewalls can tear down connections and free resources.
Next-Generation Firewall
Application Transaction Rate.
The capability of the firewall to secure discrete application-layer transactions contained in an open connection.
May include application-layer gateways, intrusion prevention, or deep-inspection technology.
Application transaction rates are highly data-dependent.