Wednesday, October 23, 2019

Routers, ACLs, DDoS, & Resource Utilization

Hi All,

I’m posting this from a throwaway account out of precaution.

I've been a subscriber and lurking on this subreddit for many years. At one time, I thought about becoming a network engineer and took night classes for my CCNA and CCNP (both of which I became certified in). My career took a different turn and now I'm in a systems engineer / devops role. In previous roles, I’ve managed WAFs, but never enterprise firewalls.

Without getting into too much detail, I was in a meeting today about two of our internal networks being able to access each other. For reasons I won’t go into, a high-level networking colleague claimed that by putting in explicit denies, it could cause undue stress on the firewall if a DDoS attack was launched from one of the networks to the other (however unlikely).

Is this concern legitimate? I was under the impression that firewalls will drop the packets before they are processed for routing. To me, traffic is traffic. If a DDoS attack occurs and the router can’t handle the denies, then how is routing the traffic any less strenuous on its resources? The only way I can make sense of this claim is as a concern about the configuration size getting too large for the resources available to process it. I understand being protective of your equipment and the desire for high performance and high availability. But the argument doesn’t seem accurate to me.

Your input is greatly appreciated!
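To make the "does an explicit deny cost more than routing?" question concrete, here is an added example (not part of the original post, and not any vendor's code) that models a software packet path: a first-match ACL walked top to bottom, followed by a longest-prefix-match route lookup only for packets that were permitted. It counts the work each packet causes under three constructed configurations: the deny at the top of the ACL, the deny at the bottom after fifty unrelated permits, and no explicit deny at all. The networks, rule counts and next-hop names are assumptions chosen for illustration.

```python
"""Added example: count per-packet work in a toy firewall/router path.

Model (an assumption, not a specific vendor's implementation):
  1. ACL evaluated top-down, first match wins, implicit deny at the end.
  2. A route lookup (longest prefix match) happens only if the ACL permits.
All prefixes, rules and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed internal networks from the scenario in the post.
NET_A = ipaddress.ip_network("10.1.0.0/16")
NET_B = ipaddress.ip_network("10.2.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed forwarding table: (prefix, next hop). Interface names are made up.
FIB = [
    (NET_B, "ge-0/0/1"),
    (ipaddress.ip_network("10.0.0.0/8"), "ge-0/0/2"),
    (ANY, "ge-0/0/0"),
]


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Result:
    action: str
    acl_checks: int                # rule comparisons performed for this packet
    route_lookups: int             # forwarding-table lookups performed (0 or 1)


def evaluate(acl, fib, src, dst):
    """Run one packet through the ACL and, if permitted, the route lookup."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    checks = 0
    decision = "deny"              # implicit deny if nothing matches
    for rule in acl:
        checks += 1
        if s in rule.src and d in rule.dst:
            decision = rule.action
            break
    if decision == "deny":
        # Dropped here: no routing work is done for this packet.
        return Result("deny", checks, 0)
    # Longest-prefix match over the FIB (linear scan is fine for a toy).
    best = None
    for prefix, nexthop in fib:
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return Result("permit" if best else "deny", checks, 1)


def build_acl(deny_position, permits=50):
    """Build a constructed ACL: `permits` unrelated permit rules plus the A->B deny.

    deny_position: "top", "bottom", or "none" (no explicit deny; permit everything).
    """
    permit_rules = [
        Rule("permit", ANY, ipaddress.ip_network(f"192.168.{i}.0/24"))
        for i in range(permits)
    ]
    deny = Rule("deny", NET_A, NET_B)
    if deny_position == "top":
        return [deny] + permit_rules
    if deny_position == "bottom":
        return permit_rules + [deny]
    return permit_rules + [Rule("permit", ANY, ANY)]


def cost_of_burst(acl, fib, n=1000):
    """Send n constructed packets from NET_A to one host in NET_B.

    Returns (total ACL rule comparisons, total route lookups).
    """
    total_checks = total_routes = 0
    for i in range(n):
        src = f"10.1.{(i // 256) % 256}.{i % 256}"
        r = evaluate(acl, fib, src, "10.2.0.10")
        total_checks += r.acl_checks
        total_routes += r.route_lookups
    return total_checks, total_routes


if __name__ == "__main__":
    for position in ("top", "bottom", "none"):
        checks, routes = cost_of_burst(build_acl(position), FIB)
        print(f"deny at {position:6s}: {checks:6d} ACL checks, {routes:5d} route lookups")
```

Under this model an explicit deny is the cheapest outcome for the offending traffic, not the most expensive: a packet that hits the deny at rule 1 costs one comparison and no route lookup, while the same packet with no deny rule walks the whole ACL and then still needs forwarding. What does scale with configuration size is the position of the deny in a linearly evaluated list, which is the "config getting too large" reading of the colleague's concern. Note that many hardware platforms compile ACLs into TCAM, where the match cost does not depend on rule position or list length at all, so the linear model above applies to software forwarding paths rather than to every box.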
