[c-nsp] ASA questions

Peter Rathlev peter at rathlev.dk
Thu Jul 3 06:54:46 EDT 2008


Hi Skeeve,

On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote:
> I am looking for an ASA with the primary use being to stop DDoS attacks
> which one of my customers is getting slammed with.
> 
> Need at least a couple of hundred meg throughput.. Preferably in transparent
> mode.
> 
> Couple of questions:
> - Is an SSM needed to do DoS protection?

The ASA code can protect against things like SYN flood (embryonic and
half-open connection limits) and you can do rate limiting. If you need
more advanced (e.g. signature based) protection, you'd need something
like the AIP-SSM. But the ASA does a good job on its own.

> - The 5550 can't take an SSM?

No, the 5550 can't take an SSM, since the slot is already taken by a 4
port GigabitEthernet module, which cannot be removed.

> - Is the transparent protection functional in dot1q VLANs? (If I want
> to run multiple carriers into a switch then into the ASA and back out)

Yes, you can run multiple transparent firewall interface pairs,
filtering each pair separately, if that is what you mean.

Regards,
Peter
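
The embryonic-connection limits mentioned in the reply above, shown as an ASA Modular Policy Framework configuration. This is an added example, not part of the original message; the ACL, class-map and policy-map names, the server address 192.0.2.10, the interface name "outside" and all limit values are constructed placeholders to be tuned to the protected service.

```cisco
! Constructed example: names, address and limits are placeholders.
! Select the traffic to protect: inbound TCP to the attacked server.
access-list PROTECT-WEB extended permit tcp any host 192.0.2.10 eq www
!
class-map CM-PROTECT-WEB
 match access-list PROTECT-WEB
!
policy-map PM-OUTSIDE
 class CM-PROTECT-WEB
  ! Once embryonic-conn-max half-open connections exist for this class,
  ! the ASA answers further SYNs itself (TCP Intercept, SYN cookies) and
  ! only opens the server-side connection after the client completes
  ! the three-way handshake.
  ! The per-client values cap what any single source address can hold.
  set connection conn-max 20000 embryonic-conn-max 1000 per-client-embryonic-max 50 per-client-max 200
  ! Drop half-open connections sooner than the 30-second default.
  set connection timeout embryonic 0:00:20
!
! Apply the policy to traffic entering the outside interface.
service-policy PM-OUTSIDE interface outside
```

`show service-policy interface outside` displays the current connection and embryonic counts against these limits, which helps when choosing thresholds above normal peak load.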



