Cisco Firepower 4120 Security Appliance
Security Protections
You can use APSolute Vision or the CLI to configure Radware DefensePro DDoS Mitigation security policies.
Note: The Radware DefensePro DDoS Mitigation version and platform may affect the types of security policies that the DefensePro device supports.
A security policy in an organization is a set of rules and regulations that defines what constitutes a secure network
and how it reacts to security violations. You implement a security policy for your organization by using the global
security settings and Network Protection policy. You can adjust a security policy to suit the security needs of
different network segments down to a single server, providing comprehensive protection for your organization.
Each policy consists of multiple rules. Each rule in a policy defines a network segment or server, one or more
protection profiles to be applied, and the action to be taken when the device detects an attack.
Each protection profile defines the security defenses that provide protection against a specific network threat. For
example, the Signature Protection profile prevents intrusion attempts, and the Behavioral DoS profile prevents
flood attacks aimed at creating denial of service.
Notes
• Unless specifically noted, the procedures to configure security policies in this book relate to using APSolute Vision.
• Some protections are not supported on management interfaces.
DefensePro’s multi-layer security approach combines features for detecting and mitigating a wide range of network and server attacks.
Radware DefensePro DDoS Mitigation supports network-wide protections. Network-wide protections include the following:
• Behavioral DoS (BDoS) Protection — Protects against zero-day flood attacks, including SYN Floods, TCP Floods, UDP floods, ICMP and IGMP floods.
• SYN-flood Protection — Protects against any type of SYN flood attack using SYN cookies. A SYN flood attack is usually aimed at specific servers with the intention of consuming the server’s resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
• DNS Flood Protection — Protects against zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant traffic, denying legitimate users DNS lookups. The attacks originate in the public network and threaten Internet-connected organizations.
• Signature-based Protection — Protects using DoS Shield protection, which protects against known flood attacks and flood attack tools that cause a denial-of-service effect.
• Packet-Anomaly Protection.
• Out-of-State Protection — Ensures that TCP connections are established based on the protocol RFCs.
© 2016 Cisco | Radware. All rights reserved. This document is Cisco Public.