I'm wondering if anyone could provide suggestions on best practice design or offer some practical advice on how to proceed with an issue I'm having.
We have a Cisco 5515 ASA as WAN Firewalls, entire enterprise consisting of 20 or so satellite offices connect to INET over MetroE throug our DC, we have a few IPSec tunnels and DMZ link as well.
The problem is we are constantly being DDOS attacked which brings the performance of the 5515 to a crawl impacting services to our internal networks. Our solution is to block those IP's on our Edge Routers by adding an ACL, which only then normalizes the FW's.
My question, is this our only resort to block the attackers via ACL on the edge router, is this the best design for our enterprise? It just doesn't seem very efficient that we operate this way!
Any recommendation greatly appreciated!
ISP1 ISP2
| |
| |
| |
PublicIP/30 PublicIP/29
R1----------HSRP--------R2
| |
| |
PublicIP/30 |
FW1---------HA----------FW2
No comments:
Post a Comment