01-19-2011 12:11 PM
We need to protect our network from DDoS attacks (especially the web service in the DMZ).
We have several different (web) servers, so we will not use load balancing.
Now we use a Cisco ASA 5540 with an SSM-20 module to protect our network.
But last time, during a SYN flood attack, the Cisco was overloaded.
So we want to put a Brocade in front of the Cisco.
Is that a good idea?
The Brocade ADX 1000 works with switch code!
The outside interface on the Cisco has the Internet address.
Here I can't understand how to use virtual/real servers in that case.
In my opinion, the Brocade in switch mode must not have any IP address for virtual/real servers.
Maybe I don't understand how the Brocade works in switch mode (with switch code).
Can someone explain this to me briefly, or give me brief instructions?
For example, I use eth1 for the external network and eth2 for the internal network (on the Brocade).
Best regards, Vladimir.
01-20-2011 03:41 AM
I would not propose using an ADX in front of a firewall. The ADX is for load balancing and the ASA is for security. Only if you want to balance lots of ASAs with the ADX and build a firewall sandwich.
The ASA has many features to mitigate attacks. Search for "Preventing Network Attacks with ASA".
There is also a special feature in the ASA specialized for DDoS attacks called the Botnet Traffic Filter. There's a good white paper about that called 'Combating Botnets Using the Cisco ASA Botnet Traffic Filter' at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.pdf
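As an added illustration of what the reply above points at (this is not configuration posted by either participant, and it is not a verified config for the ASA 5540 in the question), here is the kind of ASA configuration that addresses a SYN flood against a DMZ web server: a Modular Policy Framework class that caps embryonic (half-open) connections to the server and per source, so that once the cap is hit the ASA answers the SYNs itself with TCP intercept instead of forwarding them, plus basic threat detection and the Botnet Traffic Filter the reply mentions. The interface names, the ACL name WEB-DMZ, the DMZ server address 192.0.2.10 and the numeric limits are assumptions for the example; the Botnet Traffic Filter section needs its own license on the ASA.

```cisco
! --- SYN flood protection for one DMZ web server (example values, not from the thread) ---
! Classify TCP/80 traffic to the assumed DMZ host 192.0.2.10
access-list WEB-DMZ extended permit tcp any host 192.0.2.10 eq www
class-map WEB-DMZ-CLASS
 match access-list WEB-DMZ

policy-map global_policy
 class WEB-DMZ-CLASS
  ! Total half-open connections allowed to the server before the ASA
  ! starts proxying the three-way handshake (TCP intercept / SYN cookies).
  ! Tune to the server's real capacity; 1000 is an assumed value.
  set connection embryonic-conn-max 1000
  ! Half-open connections allowed per client source address (assumed value).
  set connection per-client-embryonic-max 50
  ! Drop half-open connections that never complete within 20 seconds
  ! instead of the default 30 seconds.
  set connection timeout embryonic 0:00:20

! Apply the policy on all interfaces (global_policy is usually already applied).
service-policy global_policy global

! --- Basic threat detection: counts SYN-attack and other drop-rate events ---
threat-detection basic-threat
threat-detection statistics host
! Optional: shun sources that scan the network (assumed to be acceptable here).
threat-detection scanning-threat shun duration 3600

! --- Anti-spoofing on the Internet-facing interface (assumed name "outside") ---
ip verify reverse-path interface outside

! --- Botnet Traffic Filter (requires the BTF license; minimal enablement) ---
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
! DNS snooping so the filter can map hostnames in the dynamic database to IPs.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
```

After a SYN flood, `show service-policy set connection`, `show threat-detection rate`, and `show dynamic-filter statistics` show whether the embryonic limits were hit, whether threat detection recorded a SYN attack, and whether the Botnet Traffic Filter dropped anything; adjust the caps if legitimate clients are being intercepted.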