[c-nsp] ASA questions

Mike Butash der.mikus at gmail.com
Thu Jul 3 13:03:20 EDT 2008


   If it's a major DoS or DDoS, look at the Cisco Anomaly 
Detection/Mitigation appliances they borg'd from Riverhead a few years 
ago.  When we began undergoing nightly DDoSes from millions of sources 
of several hundred meg and up to several gigs, they were a godsend to 
actually allow us to combat attacks effectively.  They have their 
quirks, but they also work wonders for removing illegitimate traffic off 
the network.  Maybe also recommend Prolexic.com services...  Might be 
cheaper in the long run, and they are quite effective in doing about the 
same service the anomaly mitigation appliances provide.

   ASAs will allow for some basic protection as Peter stated, but they 
won't do much for intelligent attacks; most botnets allow for 
push-button nuking of any network with somewhat decently emulated floods 
of traffic.  Once you can dump out the flood of crap thrown at you, an 
average 5520 or whatever your "normal" traffic requires will suffice.

-mb


Peter Rathlev wrote:
> Hi Skeeve,
> 
> On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote:
>> I am looking for an ASA with the primary use being to stop DDoS attacks
>> which one of my customers is getting slammed with.
>>
>> Need at least a couple of hundred meg throughput.. Preferably in transparent
>> mode.
>>
>> Couple of questions:
>> - Is an SSM needed to do DoS protection?
> 
> The ASA code can protect against things like SYN flood (embryonic and
> half-open connection limits) and you can do rate limiting. If you need
> more advanced (e.g. signature based) protection, you'd need something
> like the AIP-SSM. But the ASA does a good job on its own.
> 
>> - The 5550 can't take an SSM?
> 
> No, the 5550 can't take an SSM, since the slot is already taken by a 4
> port GigabitEthernet module, which cannot be removed.
> 
>> - Is the transparent protection functional in dot1q VLAN's? (If I want
>> to run multiple carriers into a switch then into the ASA and back out)
> 
> Yes, you can run multiple transparent firewall interface pairs,
> filtering each pair separately, if that is what you mean.
> 
> Regards,
> Peter
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
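As an added example, not taken from this thread or from Cisco's own documentation, this is the kind of ASA Modular Policy Framework configuration Peter is referring to: embryonic (half-open) connection limits, after which the ASA proxies the TCP handshake for the server (TCP intercept), a shorter embryonic timeout, and an interface policer for rate limiting. The access-list, class-map and policy-map names, the interface name "inside", the server address 203.0.113.10 and every numeric threshold are assumptions for illustration and must be tuned to the customer's real traffic; the syntax is the ASA 7.x/8.x-era MPF that was current for this thread.

```cisco
! Added example, not from the thread. Names, 203.0.113.10, the "inside"
! interface and all thresholds are assumptions; tune to the measured baseline.

! Identify the protected server(s); the address is a documentation-range placeholder.
access-list PROTECTED_SERVERS extended permit tcp any host 203.0.113.10 eq www
access-list PROTECTED_SERVERS extended permit tcp any host 203.0.113.10 eq https

class-map PROTECTED_SERVERS_CLASS
 match access-list PROTECTED_SERVERS

! Attach the connection limits to the default global policy so they apply
! on every interface (works the same in routed and transparent mode).
policy-map global_policy
 class PROTECTED_SERVERS_CLASS
  ! Hard caps per destination and per client. Once embryonic-conn-max is
  ! reached the ASA completes the 3-way handshake on the server's behalf and
  ! only forwards connections whose SYN is followed by a real ACK, so spoofed
  ! SYNs never reach the server.
  set connection conn-max 10000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 40
  ! Age out half-open connections faster than the 30 second default.
  set connection timeout embryonic 0:00:15
  ! Keep server ISN randomisation on (the default) so the proxied
  ! handshake does not expose predictable sequence numbers.
  set connection random-sequence-number enable
service-policy global_policy global

! Rate limiting: police traffic leaving the inside interface towards the
! server. Policing is configured in an interface policy, not the global one.
! 50 Mbps conform rate with a 1,000,000 byte burst; excess packets are dropped.
policy-map INSIDE_POLICY
 class PROTECTED_SERVERS_CLASS
  police output 50000000 1000000 conform-action transmit exceed-action drop
service-policy INSIDE_POLICY interface inside
```

Check it with `show service-policy`, which reports the current and embryonic connection counts per class and the policer's conformed/exceeded counters, and with `show conn count` during an attack. The caveat Mike raises still applies: these limits protect the server's TCP stack and the ASA's connection table, but they do nothing for a volumetric flood that has already filled the upstream link before the ASA sees it.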